Who’s Responsible for Cloud Security?

by Sarah Harvey / April 17th, 2018

As more and more organizations migrate to the cloud, cloud service customers must consider how the cloud will impact their privacy, security, and compliance. First, cloud service customers must understand how their cloud service provider delivers a secure solution. Second, cloud service customers must consider their new role in cloud security. Some cloud service customers mistakenly believe that when they migrate to the cloud, their cloud security responsibilities also shift to the provider. Some important questions you should be asking when considering this shift are: Who’s responsible for cloud security? Why do you even need security in the cloud? Let’s discuss the shared responsibility model and help you understand which elements of cloud security customers are responsible for and which fall under the responsibility of the provider.

What is the Shared Responsibility Model?

The shared responsibility model is a method for determining which roles cloud service providers and cloud service customers play in cloud security. In general, the shared responsibility model outlines that providers are responsible for the security of the cloud, and customers are responsible for security in the cloud. Cloud service providers and customers must work together to meet cloud security objectives.

The model varies with the provider and the service being offered. In practice, the cloud service provider takes responsibility for specific elements of security, such as the storage and the physical security of the servers, and the customer takes responsibility for the other elements. Where the line between the two sets of responsibilities falls depends on the provider and the services being used.

To understand the shared responsibility model, let’s think about security requirements as a spectrum. Cloud service customers add together all of the regulatory, industry, and business requirements (GDPR, PCI DSS, contracts, etc.) that apply to their organization, and the sum equals all of that organization’s specific security requirements. These security requirements will help ensure that data is confidential, has integrity, and is available. On one end of the security requirement spectrum are cloud service providers and on the other are cloud service customers. The provider is responsible for some of these security requirements, the customer is responsible for the rest, and some must be met by both parties. Cloud service providers and cloud service customers both have an obligation to protect data.

Microsoft Azure’s guidance on the shared responsibility model states, “The importance of understanding this shared responsibility model is essential for customers who are moving to the cloud. Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer from protecting their users, applications, and service offerings.”

Shared Responsibility Model Across Service Models

When choosing which service model (IaaS, PaaS, or SaaS) your organization needs, you should consider which security responsibilities will apply to you. Technology stacks are a great way to see the shared responsibility model across service model types.

  • For IaaS solutions, the elements such as facilities, data centers, network interfaces, processing, and hypervisors should be managed by the cloud service provider. The cloud service customer is responsible for securing and managing the virtual network, virtual machines, operating systems, middleware, applications, interfaces, and data.
  • PaaS solutions shift the cloud service provider’s responsibilities and add a few elements to their duties. The customer is still responsible for securing and managing applications, interfaces, and data.
  • For SaaS solutions, the responsibilities shift again. Now, the cloud service customer is responsible for the security of interfaces and data.

Cloud service providers and cloud customers both have a responsibility to protect data. It’s also important to note that the execution of individual security management tasks can be outsourced, but accountability cannot. The responsibility to verify that security requirements are being met always lies with the customer.

Physical Security in the Cloud

Physical security in the cloud sounds like an oxymoron, right? Isn’t less management of a physical environment a major benefit of migrating to the cloud? We often hear this case from organizations that haven’t implemented, or don’t want to implement, cloud security best practices. But…not everything is in the cloud. Everything can’t possibly be in the cloud. Office locations, employees, servers, heating and cooling systems, power regulation, device management—these things don’t exist in the cloud. That’s why physical security must be a major aspect of cloud security.

Best Practices for Managing the Shared Responsibility Model

If you’re a cloud service provider, we believe these best practices will help you better manage the shared responsibility model:

  • Consider risks from your customers’ perspectives, then implement controls that will demonstrate you’re doing everything you can to mitigate those risks.
  • Document the internal controls you use to manage risks.
  • Provide ample documentation on how your customers can use the security features that you provide in your solution. AWS does a great job of this through its educational programs.
  • Create a responsibility matrix that defines how your solution will help your customers meet their various compliance requirements.
  • Turn to the CSA’s CAIQ and CCM as starting points for establishing the shared responsibility model.

If you’re a cloud customer, consider these best practices:

  • Define your cloud security requirements before selecting a cloud service provider. If you know what you’re looking for in a cloud service provider, you can better prioritize your needs.
  • Harmonize your corporate governance program between traditional and cloud-based IT delivery. Migrating systems and applications into the cloud will require changes to your policies.
  • Establish contractual clarity on the roles and responsibilities of each party, especially when you get into the public cloud. Who’s responsible for cloud security? How far does the cloud service provider go?
  • Develop a responsibility matrix that defines the security roles and responsibilities for you and for each vendor, including cloud service providers.
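The responsibility matrix recommended above (for providers and for customers) can be derived mechanically from the technology-stack split the article describes for IaaS, PaaS, and SaaS. The following is an added example, not code from the original post or from any provider: it builds the matrix from the article's stack layers and then, for a customer's own requirements, separates what the customer must control directly from what it must verify with the provider, since accountability cannot be outsourced. The `SAMPLE_REQUIREMENTS` mapping of requirements to layers is a constructed assumption for illustration.

```python
# Added example (not from the original post): build a shared-responsibility
# matrix from the article's technology-stack layers and derive customer duties.

# Stack layers in the order the article lists them, lowest (physical) first.
STACK = ["facilities", "data centers", "network interfaces", "processing",
         "hypervisors", "virtual network", "virtual machines",
         "operating systems", "middleware", "applications", "interfaces", "data"]

# Lowest layer the customer secures directly in each service model (per the article).
CUSTOMER_FROM = {"IaaS": "virtual network", "PaaS": "applications", "SaaS": "interfaces"}


def responsibility_matrix(service_model):
    """Return {layer: 'provider' | 'customer'} for one service model."""
    split = STACK.index(CUSTOMER_FROM[service_model])
    return {layer: ("customer" if i >= split else "provider")
            for i, layer in enumerate(STACK)}


def customer_obligations(service_model, requirements):
    """requirements: {requirement_name: [layers it touches]}.
    Execution can be outsourced but accountability cannot, so every requirement
    comes back with the customer's duty per layer: 'control' for a customer-run
    layer, 'verify' for a provider-run layer the customer is still accountable for."""
    matrix = responsibility_matrix(service_model)
    out = {}
    for req, layers in requirements.items():
        unknown = [layer for layer in layers if layer not in matrix]
        if unknown:  # a requirement mapped to a layer outside the model is a gap
            raise ValueError(f"{req}: unknown layers {unknown}")
        out[req] = {layer: ("control" if matrix[layer] == "customer" else "verify")
                    for layer in layers}
    return out


# Constructed sample: two of the article's example requirement sources, mapped to
# layers by assumption for illustration only.
SAMPLE_REQUIREMENTS = {
    "PCI DSS: encrypt cardholder data at rest": ["data", "operating systems"],
    "GDPR: physical access to processing facilities": ["facilities", "data centers"],
}

if __name__ == "__main__":
    for model in ("IaaS", "PaaS", "SaaS"):
        print(model, customer_obligations(model, SAMPLE_REQUIREMENTS))
```

The same "operating systems" layer flips from `control` under IaaS to `verify` under PaaS, which is exactly the shift in duties the article describes.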

Who’s responsible for cloud security? Does your organization understand the security requirements of your cloud provider? Do you understand what your own role is in cloud security? For more information on how to secure the cloud, contact us today.