Who is responsible for security of the cloud according to the shared responsibility model

Security and compliance are priorities for companies in the cloud. However, cloud security and compliance are not the responsibility of any single entity alone, and determining the demarcation line can lead to confusion. Security and compliance in the cloud are a shared responsibility between cloud service providers (CSPs) and their customers.

Under the Shared Responsibility Model, the CSP is responsible for “security of the cloud” which includes the hardware, software, networking, and facilities that run the cloud services. Organizations (the CSP’s customers), on the other hand, are responsible for “security in the cloud” which includes how they configure and use the resources provided by the CSP.

The rapid adoption of computing architecture like serverless, containers, and S3 buckets may leave security and operations teams scrambling to understand their roles and responsibilities in this dynamic environment. How do they effectively address and secure their cloud environment and assets before they are compromised?

Here’s what today’s organizations need to know in order to continue to leverage all the benefits that the cloud has to offer while not compromising on security.

  1. Configuration is the responsibility of the customer. How you configure and use cloud resources is your responsibility. A good rule of thumb is that the CSP’s API is the unofficial demarcation line between what organizations are responsible for and what the CSP is responsible for.
  2. Focus on permissions and access control. Under the Shared Responsibility Model, the CSP is responsible for the security of the cloud. However, the reality is that organizations need to have the right controls in place. Having the proper access restrictions and controls in place can go a long way to increase your security in the cloud. For example, not having adequate restrictions or safeguards to prevent unauthorized access to your infrastructure can put your organization at risk. Access control lets organizations enforce rules and policies that are relevant to their business.
  3. Ensure visibility across the cloud. Lastly, the most important change you can make to fully embrace your responsibility for cloud security is to have full visibility into your cloud. You can’t ensure the security and compliance of infrastructure you can’t see. Perform frequent scans of your cloud to take inventory of your assets and verify compliance.

Understanding where you fit within the model is a first step to improving your security and compliance posture.
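
The three points above can be turned into a recurring check. The following is an added example, not code from the original article or from any CSP: it audits an inventory snapshot for customer-side findings (internet-facing admin ports, incomplete S3 public access blocks, and IAM policies that allow every action on every resource). Field names follow AWS API response shapes; the resource names, the sample inventory, and the choice of ADMIN_PORTS are assumptions.

```python
# Added example: field names follow AWS API response shapes; the inventory
# below is constructed sample data, and ADMIN_PORTS is an assumption.
ADMIN_PORTS = (22, 3389)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def open_admin_ports(sg):
    """Admin ports a security group exposes to every IPv4 or IPv6 address."""
    ports = set()
    for perm in sg.get("IpPermissions", []):
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])) \
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        if not world or perm.get("IpProtocol") not in ("tcp", "udp", "-1"):
            continue
        if perm.get("IpProtocol") == "-1":  # all protocols: no port range is given
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        ports.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return sorted(ports)

def has_admin_wildcard(document):
    """True if any Allow statement grants Action "*" on Resource "*"."""
    stmts = document.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    listify = lambda v: [v] if isinstance(v, str) else list(v or [])
    return any(s.get("Effect") == "Allow" and "*" in listify(s.get("Action"))
               and "*" in listify(s.get("Resource")) for s in stmts)

def audit(inv):
    findings = []
    for sg in inv.get("security_groups", []):
        findings += [("config", sg["GroupId"], f"port {p} reachable from any address")
                     for p in open_admin_ports(sg)]
    for b in inv.get("buckets", []):
        pab = b.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(f) is True for f in PAB_FLAGS):
            findings.append(("config", b["Name"], "public access block incomplete"))
    for p in inv.get("policies", []):
        if has_admin_wildcard(p["Document"]):
            findings.append(("access", p["PolicyName"], "Allow * on *"))
    return findings

SAMPLE = {  # constructed inventory, not from a real account
    "security_groups": [{"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
    "buckets": [{"Name": "example-assets", "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}],
    "policies": [{"PolicyName": "ops-admin", "Document": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
}
print(audit(SAMPLE))
```

Every finding here sits on the customer side of the CSP's API, which is why the provider will not raise it for you.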

When an organization runs its own on-premise data centers, control over security is pretty straightforward: it falls solely on the shoulders of internal teams. They are the ones responsible for keeping servers secure, as well as the data stored within them.

In a hybrid or cloud environment, the conversation around security inevitably shifts as a cloud service provider (CSP) enters the picture. While the CSP is responsible for some aspects of security, there is a tendency for customers to "over trust" cloud providers when it comes to securing their data.

Per a recent McAfee report, 69% of CISOs trust their cloud providers to keep their data secure, and 12% believe cloud service providers are solely responsible for securing data.

The truth of the matter is that cloud security is a shared responsibility. In an effort to educate cloud customers on what's required of them, CSPs like Amazon Web Services (AWS) and Microsoft Azure have created the cloud shared responsibility model (SRM).

In its simplest terms, the cloud shared responsibility model denotes that CSPs are responsible for the security of the cloud and customers are responsible for securing the data they put in the cloud. The customer's exact responsibilities depend on the type of deployment: IaaS, PaaS, or SaaS.


Infrastructure-as-a-Service (IaaS)

Designed to provide the highest degree of flexibility and management control to customers, IaaS services also place more security responsibilities on customers. Let's use Amazon Elastic Compute Cloud (Amazon EC2) as an example.

When customers deploy an instance of Amazon EC2, the customer is the one who manages the guest operating system, any applications they install on these instances and the configuration of provided firewalls on these instances. They are also responsible for overseeing data, classifying assets, and implementing the proper permissions for identity and access management.

While IaaS customers retain a lot of control, they can lean on CSPs to manage security from a physical, infrastructure, network, and virtualization standpoint.

Platform-as-a-Service (PaaS)

In PaaS, more of the heavy lifting is passed over to CSPs. While customers focus on deploying and managing applications (as well as managing data, assets, and permissions), CSPs take control of operating the underlying infrastructure, including guest operating systems.

From an efficiency standpoint, PaaS offers clear benefits. Without having to worry about patching or other updates to operating systems, security and IT teams recoup time that can be allocated to other pressing matters.

Software-as-a-Service (SaaS)

Of the three deployment options, SaaS places the most responsibility on the CSP. With the CSP managing the entire infrastructure as well as the applications, customers are only responsible for managing data, as well as user access/identity permissions. In other words, the service provider will manage and maintain the piece of software—customers just need to decide how they want to use it.

How to Uphold Your End of the Shared Responsibility Model

Through 2022, it's estimated that at least 95% of cloud security failures will be caused by missteps on the part of customers. That's why it's more important than ever before to clear up confusion around the cloud shared responsibility model and set customers up for success.

While there are clear differences in responsibilities based on deployment types, a common thread remains: it's imperative that businesses can visualize conversations between devices, detect potential security threats in real-time and easily investigate and remediate issues. No dark space and faster response times mean greater security in your cloud investment.

Who is responsible for security in the cloud?

Customer responsibility “Security in the Cloud” – Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.

What is shared responsibility model in cloud security?

In its simplest terms, the Shared Responsibility Model dictates that the cloud provider—such as Amazon Web Service (AWS), Microsoft Azure, or Google Cloud Platform (GCP)—must monitor and respond to security threats related to the cloud itself and its underlying infrastructure.

What is the customer's responsibility under the shared responsibility model?

Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.

Whose responsibility is data security in the Azure shared responsibility model?

Azure customers are responsible for the security in their own cloud, or more simply put, everything that they instantiate, build and/or use.