Cloud Security: The Shared Responsibility Model

Ervin Daniels, February 9, 2021


Cloud computing is a hot topic, and so is cloud security. Companies, small and large, are rapidly adopting the cloud due to a wide range of benefits: cost savings, accessibility, ease of use, agility, resiliency, and security. The primary driver for cloud computing is the shift from capital expenditures (CapEx), where organizations had to invest large sums of money, to an operating-expenditure (OpEx), pay-per-use model (using public cloud). While cloud adoption has many advantages and benefits, businesses should also evaluate the security implications of moving to the cloud.

Security is a barrier to entry

Companies may face significant security challenges when moving from a traditional on-premises environment to a public cloud service provider (e.g., IBM Cloud, AWS, Azure, and Google Cloud Platform). Cloud computing represents a fundamental shift from the conventional infrastructure environment. Despite the countless benefits, the cloud can also bring organizational change. The traditional approach to governance, risk management, and deploying security controls on-premises may require significant revisions and redesigns in the cloud. Those architectural changes and technological components will vary depending on the cloud services (e.g., SaaS, PaaS, or IaaS) and deployment models you choose, and on your ability to alter or amend your overall security posture before, during, and after migrating to the cloud.


What are the cloud security concerns?

Organizations are moving to the cloud (e.g., due to COVID-19, connecting remotely, etc.), but security is a concern. Many organizations think moving to the cloud is a greater risk. The truth is that the cloud may be more secure or less secure than your organization’s environment, depending on the cloud provider and your organization’s security approach. The primary concern is that organizations no longer have complete control over protecting their data and applications once they are in the cloud. The level of security control will vary depending on the cloud deployment model (e.g., hybrid cloud, private cloud, or public cloud) and the cloud services they choose.

Cloud customers are ultimately responsible for protecting their data

In many instances, cloud service providers (CSPs) may become custodians of customer data. As a result, organizations have to defend a broader attack surface than ever before. Security teams have to consider a wide range of security controls and capabilities to protect their cloud data and applications. In this case, companies should not entirely trust providers with their data or rely on them to safeguard corporate-owned data and assets.

Ultimately, organizations are responsible for protecting their data. But how can organizations protect their data in the cloud without complete control and ensure that security is in place? The answer: cloud security becomes a shared responsibility between the cloud service provider (CSP) and the organization. The greatest concern should be public cloud deployment, due to multitenancy.

What is the Shared Responsibility Model?

Most public clouds use this common term to describe the relationship (who’s responsible for what) between the cloud customer and the cloud service provider (CSP). It determines where responsibilities are demarcated and which are shared between CSPs and cloud customers. The lines are drawn and shared between the two, depending on the cloud service (SaaS, PaaS, or IaaS).

  • Software-as-a-Service (SaaS) – Is mostly the cloud service provider’s responsibility
  • Platform-as-a-Service (PaaS) – The CSP and cloud customer share most of this responsibility
  • Infrastructure-as-a-Service (IaaS) – Is mostly the cloud customer’s responsibility

Cloud Security is Risk Management

When the shared responsibility model is used as a tool, it’s all about security and risk management practices. It’s essential to know the security responsibilities of the CSP and of cloud customers. It’s crucial from a customer’s perspective because it may be the difference between a significant security breach or not. It’s vital from a CSP’s perspective because legal action may be taken against them. When the cloud service provider shares the security responsibilities, they can help reduce attack-surface risk for cloud customers.

Best Practices: Getting Started with the Shared Responsibility Model

As a cloud customer, you can use the shared responsibility model as a tool. Here are some recommendations on how to use it.

  • Identify Requirements – What are the business and security requirements (e.g., PCI-DSS, GDPR, CCPA, existing security policies that you need to comply with, etc.)?
  • Assess the CSP’s capabilities – Evaluate the CSP’s cloud-native capabilities and identify the different services they offer.
  • Define the security architecture – Assess the actual security controls: cloud-native capabilities vs. third-party tools, customized tools, and vendor security tools that you as a customer add to the available cloud.
  • Identify security gaps – Decide between cloud-native tools and third-party tools to bridge coverage gaps.
  • Design and implement security controls – Layer in the proposed architecture and implement the appropriate security controls that meet business requirements.
  • Change Management Process – Keep things compliant. All of this has to be managed against the requirements over time through change management.

Use the shared responsibility model with the best practices as a guide when architecting your cloud security solutions. It’s a useful tool to address cloud security concerns for public cloud computing.

Cybersecurity Architect with over 25 years of Technology and Security leadership and hands-on experience across various industries (retail, public, financial services, and technology).

Written by: Ervin Daniels


©2020 Ervin Daniels. Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of IBM.
