What is the Shared Responsibility Model? – Explained

Detailed explanation on Shared Responsibility Model
November 14, 2022

The shared responsibility or shared security responsibility model is a security and compliance framework that describes the responsibilities of Cloud Service Providers (CSPs) and customers to keep the cloud network secure. This includes hardware, infrastructure, endpoints, data, configuration, network controls, access, etc.

In simple terms, the shared responsibility model must ensure that cloud service providers monitor and manage any security threats related to the cloud and infrastructure. The end users are responsible for protecting data and assets stored in the cloud.

However, it is essential to understand the division of responsibilities before opting for a public cloud service. Cloud service providers are not responsible for everything in a shared responsibility model. Security and tasks are divided among both parties. The workload responsibilities may vary depending upon the cloud service model – SaaS, IaaS & PaaS.

Let’s have a look at the shared responsibility across three main cloud service models:

  • Software as a Service (SaaS)
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)

Software as a Service: In a SaaS model, the cloud service provider provides a subscription to a centrally hosted application. Thus, the provider is only responsible for application security, maintenance, and management.

Infrastructure as a Service: In an IaaS model, the cloud service provider provides services such as virtualized servers, storage, and network equipment over the cloud. Thus, the service provider is responsible for everything they own or install on the cloud, including the OS (operating system), middleware, containers, workloads, data, and code.

Platform as a Service: In a PaaS model, the cloud service provider provides hardware and software the client uses for application development. Thus, the service provider is only responsible for the security of the platform and its infrastructure.

Now comes the question of who is responsible for what?

Clients:

A client or customer needs to take care of configurations and settings that are under their control, including:

  • Data: The user’s responsibility is to create and upload data in the cloud system. This also includes the creation of data access authorizations and their encryption.
  • Applications: The user is responsible for every cloud VM workload. The user also needs to properly secure all integrations, connections, and updates of local databases, workloads, etc., of all connected systems.
  • Credentials: IAM environments, including login mechanisms, single sign-on, certificates, encryption keys, passwords, and any multifactor authentication items, are controlled by the user.
  • Configurations: Users are completely responsible for maintaining security through proper configuration of the system tools and options of a cloud environment.
  • Outside interference: A user is solely responsible for anything that connects the cloud to the outside world, such as local data infrastructure and applications.
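
The customer-side items above are the ones a provider will not check for you. The following is an added example, not code from the original article or from any cloud provider: a small audit that runs over a constructed resource inventory and files each finding under the responsibility category from the list above. The inventory format, field names, and the 90-day key rotation threshold are assumptions made for illustration.

```python
# Added example: customer-side audit keyed to the client responsibilities above.
# The inventory format and field names are hypothetical, not a real provider API.

INVENTORY = [  # constructed sample data
    {"id": "bucket-reports", "type": "storage", "encrypted": False, "public": True},
    {"id": "bucket-logs", "type": "storage", "encrypted": True, "public": False},
    {"id": "user-alice", "type": "identity", "mfa": False, "key_age_days": 400},
    {"id": "user-bob", "type": "identity", "mfa": True, "key_age_days": 30},
    {"id": "fw-web", "type": "firewall",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "vm-app", "type": "vm", "pending_patches": 12},
]

MAX_KEY_AGE_DAYS = 90      # assumed rotation policy
ADMIN_PORTS = {22, 3389}   # SSH and RDP should not be reachable from any address

def audit(inventory):
    """Return (resource id, responsibility category, finding) tuples."""
    findings = []
    for r in inventory:
        kind = r.get("type")
        if kind == "storage":
            # A missing field is treated as the unsafe value (fail closed).
            if not r.get("encrypted", False):
                findings.append((r["id"], "Data", "not encrypted at rest"))
            if r.get("public", False):
                findings.append((r["id"], "Configurations", "publicly readable"))
        elif kind == "identity":
            if not r.get("mfa", False):
                findings.append((r["id"], "Credentials", "MFA disabled"))
            if r.get("key_age_days", 0) > MAX_KEY_AGE_DAYS:
                findings.append((r["id"], "Credentials", "access key overdue for rotation"))
        elif kind == "firewall":
            for rule in r.get("ingress", []):
                if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                    findings.append((r["id"], "Outside interference",
                                     f"admin port {rule['port']} open to any address"))
        elif kind == "vm" and r.get("pending_patches", 0) > 0:
            findings.append((r["id"], "Applications",
                             f"{r['pending_patches']} patches pending"))
    return findings

def by_category(findings):
    """Group findings under the responsibility category they belong to."""
    grouped = {}
    for rid, category, message in findings:
        grouped.setdefault(category, []).append(f"{rid}: {message}")
    return grouped

if __name__ == "__main__":
    for category, items in by_category(audit(INVENTORY)).items():
        print(category, items)
```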

Service Providers:

Owing to the vast and complex nature of public cloud infrastructure, the service provider needs to take care of the security, management, and maintenance of several components, including:

  • Physical layer: Maintaining and protecting the elements of physical infra, such as servers, storage, network gear, and other hardware or facilities, is the vendor’s responsibility. It also includes backup, restoration, and disaster recovery management.
  • Virtualization layer: Public clouds are widely popular for their flexibility and customization, simplifying users’ lives. But such flexibility demands extreme virtualization, automation, and orchestration, whose responsibility lies with the cloud service provider.
  • Provider services: Security and maintenance of pre-installed services such as databases, caches, firewalls, serverless computing, machine learning, and big data processing lie with the service provider. They are also responsible for the maintenance of the operating system and application.

Are there any best practices for shared responsibility cloud security?

A public cloud system is a complex system that generally requires security intervention from both sides, i.e., cloud providers & users. There are no set rules to follow, but a few best practices can help improve security. These include:

  • SLAs: As the user responsibility is different for each cloud service model and provider, users need to understand & refer to the SLAs they have with their cloud vendors. This helps reduce redundancies, assumptions, and misunderstandings that might present security threats.
  • Data: The user is entirely responsible for all data in the system; thus, they need to put proper data security policies in place. Classifying and categorizing data and creating proper authorization for each data set at every level enhance security.
  • Credentials: Who can access what is entirely the user's responsibility. So, defining and securing access via credentials is important.
  • Communications: It is vital to pay proper attention to the communications and updates from the vendor as it helps users keep up with system security and updates.
  • Tools: Tools to distill complex cloud environments into easy-to-use interfaces can help users maintain security without regular human intervention by blocking unauthorized access and creating security alerts.

Though a shared security model is complex and requires a careful assessment before adoption, it offers efficiency, enhanced protection, and expertise to the users if implemented correctly. Hence, choose carefully.

Still unsure whether to opt for shared responsibility and need more information? Connect with Rapyder Experts today.
