The shared responsibility model is a framework in cloud computing that divides security and compliance responsibilities between the cloud service provider (CSP) and the customer. The model ensures that organizations and CSPs actively contribute to securing the cloud infrastructure and maintaining compliance. Under the shared responsibility model:
By understanding and adhering to the shared responsibility model, both the CSP and the customer can work together to create a secure cloud environment, effectively mitigating risks and ensuring compliance with industry regulations and best practices.
Under this model, the CSP is responsible for the security of the cloud, which includes securing the physical infrastructure, network, and hardware. They ensure the underlying cloud services, such as compute, storage, and databases, are protected from threats, and maintain a secure and reliable environment for their customers. The CSP also provides tools and features for customers to manage their security configurations.
On the other side of the relationship, the customer is responsible for the security in the cloud, which involves securing the data, applications, and workloads they deploy within the cloud environment. This includes tasks such as data encryption, access management, patching and updating software, and configuring security settings according to their specific needs and compliance requirements.
The shared responsibility model's specifics may vary depending on the cloud service model in use, such as infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). In an IaaS model, the customer takes on more security responsibilities, such as managing the operating system and applications. In contrast, the CSP handles more responsibilities in a SaaS model, including application-level security.
Concerns over data exposure have made cloud security a priority. The challenge lies in balancing an organization’s need for agility with the need to improve the security of applications as well as that of data as it moves between various clouds. Gaining visibility and fighting attempts to exfiltrate data — whether from external locations or through lateral attacks — are imperative across all locations where applications and data reside.
Figure 1: 73% of organizations struggle to understand the shared responsibility of cloud security, which ultimately leads to blind spots.
A number of different teams within an organization could be responsible for cloud security: the network team, security team, apps team, compliance team or the infrastructure team. However, cloud security is also a shared responsibility between the broader organization and its cloud vendor. Exactly how this breaks down varies by the nature of the cloud offering:
As organizations transition from private clouds to public clouds or SaaS applications, they may rely on their vendors to secure the data, apps and infrastructure. Regardless of which platform security measures are used, the organization still maintains responsibility for the security of its own data.
To safely enable applications, IT security teams must be confident that their cloud vendors have implemented the appropriate security measures to keep the applications and data secure. To compensate for what cloud vendors lack in security, organizations must also have the right tools in place to manage and secure risks effectively. These tools must provide: