Who is responsible for security of the cloud according to the shared responsibility model?
As more and more organizations migrate to the cloud, cloud service customers must consider how the cloud will impact their privacy, security, and compliance. First, cloud service customers must understand how their cloud service provider delivers a secure solution. Second, cloud service customers must consider their new role in cloud security. Some cloud service customers mistakenly believe that when they migrate to the cloud, their cloud security responsibilities also shift. Who’s responsible for cloud security? Why do you even need security in the cloud? Let’s discuss the shared responsibility model and help you understand which elements of cloud security customers are responsible for and which fall under the responsibility of the provider.
What is the Shared Responsibility Model?
The shared responsibility model is a method for determining which roles cloud service providers and cloud service customers play in cloud security. In general, the shared responsibility model outlines that providers are responsible for the security of the cloud, and customers are responsible for security in the cloud. Cloud service providers and customers must work together to meet cloud security objectives.

To understand the shared responsibility model, let’s think about security requirements as a spectrum. Cloud service customers add together all of the regulatory, industry, and business requirements (GDPR, PCI DSS, contracts, etc.) that apply to their organization, and the sum equals all of that organization’s specific security requirements. These security requirements will help ensure that data is confidential, has integrity, and is available.

On one end of the security requirement spectrum are cloud service providers and on the other are cloud service customers. The provider is responsible for some of these security requirements, and the customer is responsible for the rest, but some should be met by both parties. Cloud service providers and cloud service customers both have an obligation to protect data.

Microsoft Azure’s guidance on the shared responsibility model states, “The importance of understanding this shared responsibility model is essential for customers who are moving to the cloud. Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer from protecting their users, applications, and service offerings.”

Shared Responsibility Model Across Service Models
When choosing which service model (IaaS, PaaS, or SaaS) your organization needs, you should consider which security responsibilities will apply to you. Technology stacks are a great way to see the shared responsibility model across service model types.
Cloud service providers and cloud customers both have a responsibility to protect data. It’s also important to note that the execution of individual security management tasks can be outsourced, but accountability cannot. The responsibility to verify that security requirements are being met always lies with the customer.

Physical Security in the Cloud
Physical security in the cloud sounds like an oxymoron, right? Isn’t less management of a physical environment a major benefit of migrating to the cloud? We often hear this case from organizations who haven’t or don’t want to implement cloud security best practices. But…not everything is in the cloud. Everything can’t possibly be in the cloud. Office locations, employees, servers, heating and cooling systems, power regulation, device management—these things don’t exist in the cloud. That’s why physical security must be a major aspect of cloud security.

What is the Shared Responsibility Model?
The model varies with the provider and the service being offered. Cloud service providers use a shared responsibility model. What this means is the cloud service provider takes responsibility for specific elements of the security related to the storage and physical security of the servers, and the customer takes responsibility for other specific elements. The line between who has responsibility for the different elements is dependent on the provider and the services being used.

Best Practices for Managing the Shared Responsibility Model
If you’re a cloud service provider, we believe these best practices will help you better manage the shared responsibility model:
If you’re a cloud customer, consider these best practices:
Who’s responsible for cloud security? Does your organization understand the security requirements of your cloud provider? Do you understand what your own role is in cloud security? For more information on how to secure the cloud, contact us today.

More Cloud Security Resources
Cloud Security: The Good, The Bad, and The Ugly
12 Risks You Need to Know to Secure Your Cloud Environment
AWS Shared Responsibility Model
Azure Shared Responsibility Model

Who is responsible for cloud security?
A number of different teams within an organization could be responsible for cloud security: the network team, security team, apps team, compliance team or the infrastructure team. However, cloud security is also a shared responsibility between the broader organization and its cloud vendor.
What is the shared responsibility model in cloud security?
In its simplest terms, the Shared Responsibility Model dictates that the cloud provider—such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)—must monitor and respond to security threats related to the cloud itself and its underlying infrastructure.
Whose responsibility is data security in the Azure shared responsibility model?
Azure customers are responsible for the security “in their own cloud, or more simply put, everything that they instantiate, build and/or use.”
Who is accountable for security and compliance under the AWS shared responsibility model?
The shared model provides constructive mechanisms to illustrate the separation of tasks between AWS and the customer. AWS is responsible for the security and compliance of the Cloud, where the customer is responsible for security and compliance in the Cloud.