The shared responsibility model (also called the shared security responsibility model) is a security and compliance framework that describes which responsibilities for keeping a cloud environment secure belong to the Cloud Service Provider (CSP) and which belong to the customer. It covers hardware, infrastructure, endpoints, data, configuration, network controls, access management and so on.
In simple terms: the cloud service provider is responsible for security of the cloud, meaning it must monitor and manage threats to the infrastructure it operates. The customer is responsible for security in the cloud, meaning the data, identities, configurations and workloads they place there.
It is therefore essential to understand the division of responsibilities before opting for a public cloud service. Cloud service providers are not responsible for everything; tasks are divided between both parties, and where the line falls depends on the cloud service model (SaaS, PaaS or IaaS).
Let’s have a look at the shared responsibility across three main cloud service models:
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
Software as a Service: In a SaaS model, the cloud service provider hosts and operates the application centrally and the customer subscribes to it. The provider is responsible for the application itself and everything beneath it (platform, operating system, infrastructure, patching and maintenance). The customer still owns its data, its user identities and access permissions, and the endpoints used to reach the service.
Infrastructure as a Service: In an IaaS model, the cloud service provider offers virtualized servers, storage and network equipment. The provider secures the physical hosts, the hypervisor and the underlying network and storage. Everything the customer installs on top of that, including the guest OS (operating system), middleware, containers, workloads, data and code, is the customer's responsibility to secure and patch.
Platform as a Service: In a PaaS model, the cloud service provider supplies both the hardware and the software stack (runtime, middleware, managed databases) that the client uses for application development. The provider is responsible for the security of the platform and its infrastructure; the customer remains responsible for the application code it deploys, its data, and its identity and access settings.
Now comes the question: who is responsible for what?
A client or customer needs to take care of the configurations and settings that are under their control, including:
- Data: Creating, classifying and uploading data into the cloud is the customer's responsibility, as is defining who may access it and encrypting it (including managing the keys where the customer holds them).
- Applications: The customer is entirely responsible for every workload running inside a cloud VM, and for securing all integrations, connections and updates with local databases, workloads and other connected systems.
- Credentials: The IAM environment, including login mechanisms, single sign-on, certificates, encryption keys, passwords and multifactor authentication, is controlled by the customer.
- Configurations: The customer is fully responsible for configuring the cloud environment securely: network rules, storage access settings, logging, and the hardening options the provider exposes.
- External connections: The customer is solely responsible for anything that connects the cloud environment to the outside world, such as on-premises data infrastructure and applications.
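The customer-side items above (data exposure and encryption, credentials, configuration of VMs) are the ones that can be checked mechanically. The following is an added example, not code from the original page or from any provider's tooling: a small audit over a constructed resource inventory that flags the controls the customer owns. The field names, thresholds and resource records are assumptions chosen for illustration, not a real cloud API schema.

```python
"""Customer-side configuration audit for the shared responsibility model.

Added example. The inventory records below are constructed to resemble what a
cloud inventory API returns; field names and thresholds are assumptions.
"""
from datetime import date

# Fixed "today" so the age checks are reproducible; a real run would use date.today().
TODAY = date(2024, 6, 1)

# Constructed inventory (not real resources): two storage buckets, one VM, two IAM users.
INVENTORY = [
    {"type": "bucket", "name": "customer-reports",
     "public_access": True, "encryption_at_rest": False},
    {"type": "bucket", "name": "app-backups",
     "public_access": False, "encryption_at_rest": True},
    {"type": "vm", "name": "web-01", "os": "ubuntu-22.04",
     "last_os_patch": "2024-01-05", "open_ports": [22, 80, 443],
     "ssh_from_anywhere": True},
    {"type": "iam_user", "name": "alice", "mfa_enabled": True,
     "access_key_created": "2024-04-01"},
    {"type": "iam_user", "name": "ci-bot", "mfa_enabled": False,
     "access_key_created": "2023-06-15"},
]

PATCH_MAX_AGE_DAYS = 30   # assumed policy: guest OS patched at least monthly
KEY_MAX_AGE_DAYS = 90     # assumed policy: rotate long-lived access keys quarterly

# Maps each resource type to the customer-responsibility area it falls under.
AREA = {"bucket": "data", "vm": "configuration", "iam_user": "credentials"}


def _age_days(iso_date: str, today: date) -> int:
    """Days elapsed since an ISO-8601 date string."""
    return (today - date.fromisoformat(iso_date)).days


def audit_resource(res: dict, today: date) -> list[str]:
    """Return findings for one resource.

    Every check here is a control the customer owns: under IaaS the guest OS
    and its exposed ports are the customer's; bucket access/encryption and IAM
    settings stay with the customer under PaaS and SaaS as well.
    """
    findings: list[str] = []
    kind, name = res["type"], res["name"]
    if kind == "bucket":
        if res["public_access"]:
            findings.append(f"{name}: bucket is publicly accessible")
        if not res["encryption_at_rest"]:
            findings.append(f"{name}: encryption at rest is disabled")
    elif kind == "vm":
        if _age_days(res["last_os_patch"], today) > PATCH_MAX_AGE_DAYS:
            findings.append(f"{name}: guest OS not patched in over {PATCH_MAX_AGE_DAYS} days")
        if 22 in res["open_ports"] and res["ssh_from_anywhere"]:
            findings.append(f"{name}: SSH (22) reachable from 0.0.0.0/0")
    elif kind == "iam_user":
        if not res["mfa_enabled"]:
            findings.append(f"{name}: MFA not enabled")
        if _age_days(res["access_key_created"], today) > KEY_MAX_AGE_DAYS:
            findings.append(f"{name}: access key older than {KEY_MAX_AGE_DAYS} days")
    return findings


def audit(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Group all findings by customer-responsibility area (data, configuration, credentials)."""
    report: dict[str, list[str]] = {area: [] for area in set(AREA.values())}
    for res in inventory:
        report[AREA[res["type"]]].extend(audit_resource(res, today))
    return report


if __name__ == "__main__":
    for area, findings in audit(INVENTORY, TODAY).items():
        print(f"[{area}] {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Each finding is something the provider's own controls will not fix for you: a public bucket, an unencrypted bucket, an unpatched guest OS, SSH open to the world, a user without MFA and a stale access key are all on the customer side of the line whatever the service model.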
Owing to the vast and complex nature of public cloud infrastructure, the service provider takes care of the security, management and maintenance of several components, including:
- Physical layer: Maintaining and protecting the physical infrastructure, such as servers, storage, network gear and the facilities that house them, is the vendor's responsibility, including the redundancy and disaster recovery of those facilities. Backing up the customer's own data and planning its recovery remains the customer's job unless a managed backup service is part of the contract.
- Virtualization layer: Public clouds are popular for the flexibility and customization that make the user's life simpler. Delivering that flexibility requires extensive virtualization, automation and orchestration, and securing those layers lies with the cloud service provider.
- Provider services: Security and maintenance of managed services such as databases, caches, firewalls, serverless computing, machine learning and big data processing lie with the service provider. For these managed services the provider also patches the underlying operating system and the service software itself; the customer still configures access to them and secures the data inside.
Are there any best practices for shared responsibility cloud security?
A public cloud is a complex system that requires security work from both sides, i.e., cloud provider and customer. There are no fixed rules to follow, but a few best practices help:
- SLAs: Because customer responsibility differs for each cloud service model and provider, customers need to understand and refer to the SLAs and the responsibility matrix published by their cloud vendors. This reduces redundancies, assumptions and misunderstandings that can leave gaps no one is securing.
- Data: The customer is completely responsible for the data in the system and so must put proper data security policies in place. Classifying and categorizing data, and defining authorization for each data set at every level, strengthens security.
- Credentials: Who can access what is entirely the customer's responsibility, so defining and securing access through credentials (least privilege, MFA, key rotation) is important.
- Communications: Pay attention to communications and updates from the vendor, since they tell customers about changes, incidents and updates that affect system security.
- Tools: Tooling that distils complex cloud environments into manageable views (configuration scanning, access monitoring, alerting) helps customers maintain security without constant manual intervention, by blocking unauthorised access and raising security alerts.
Though a shared security model is complex and requires careful assessment before adoption, if implemented correctly it offers efficiency, enhanced protection and the provider's expertise to customers. Hence, choose carefully.
Still unclear about whether or not to opt for a shared responsibility model and need more information? Connect with Rapyder Experts today.