Understanding the Shared Responsibility Model
Hosting applications and data in public clouds is a proven way for enterprises to be nimbler with network operations, improve the customer experience and reduce costs. As more data transitions to the cloud with the adoption of contactless payments and remote work initiatives, organizations are increasingly relying on cloud service providers (CSPs) to not only host but also secure their data. About one-third of companies say they rely on CSPs to secure their digital assets, according to Radware research.
The issue with that approach is that every public cloud provider utilizes different hardware and software security policies, methods and mechanisms, creating a challenge for enterprises to maintain standard policies and configurations across all infrastructures. Plus, CSPs generally only meet basic security standards for their platforms because they want to standardize how they monitor and mitigate threats across their entire customer base.
CSPs subscribe to the shared responsibility model: a practice where the service provider is responsible for securing the cloud infrastructure and the associated environment, leaving the securing of applications, workloads and data hosted on the cloud to the customer. The failure of customers to fully understand and adhere to the shared responsibility model is responsible for the majority of public cloud data breaches. According to Gartner, “through 2022, at least 95% of cloud security failures will be the
Many customers fail to realize that protecting their applications and customer data in the cloud is a shared responsibility. In its simplest terms, the cloud shared responsibility model denotes that CSPs are responsible for the security and availability of the cloud and customers are responsible for securing the data they put in the cloud. The customer's specific responsibilities depend on the type of deployment: IaaS, PaaS, or SaaS.
Infrastructure-as-a-Service (IaaS): Designed to provide the highest degree of flexibility and management control to customers, IaaS services also place more security responsibilities on customers. For example, when customers deploy an instance of Amazon EC2, the customer is the one who manages the guest operating system, any applications they install on these instances and the configuration of provided firewalls on these instances. They are also responsible for overseeing data, classifying assets, and implementing the proper permissions for identity and access management.
Platform-as-a-Service (PaaS): In PaaS, more of the heavy lifting is passed over to CSPs. While customers focus on deploying and managing applications (as well as managing data, assets, and permissions), CSPs take control of operating the underlying infrastructure, including guest operating systems.
How to Uphold Your End of the Bargain
Before diving into the granular details, assess your organization’s overall cyber hygiene. Measure your organization’s cloud security posture against industry benchmarks and best practices, such as those published by the Center for Internet Security. In addition, take guidance from your CSP. Cloud vendors such as Amazon and Microsoft provide detailed guidance on the security responsibilities that fall to customers.
Keep one critical detail in mind: understanding these responsibilities is an ongoing process because CSPs are constantly evolving. CSPs add new services that come with new configuration and security tools to manage those services. While native security tools can be convenient, they typically don’t provide enterprise-grade security that covers all your organization’s configuration needs.
To overcome these platform-specific limitations, consider implementing third-party cloud security services, workload protection and access management solutions to provide your organization with holistic, 360-degree visibility and protection of your cloud-based assets.