printer friendly version

Understanding the Shared Responsibility Model

The decision to move a portion or all of your business into the cloud can be a big milestone in your organisation’s growth. Cloud operations can give your business more freedom and flexibility to scale and differentiate itself from its competitors.

Nazy Fouladirad, president and COO of Tevora.

However, while the cloud can certainly be a growth enabler in many ways, it can also introduce new security risks that should be considered. You want to have a clear understanding of where your security duties end and where your cloud service provider’s (CSP) begin.

Before you assume that your CSP will take on the lion’s share of security management in the cloud, you will first want to understand the shared responsibility model (SRM) and how it should impact your security planning initiatives.

Shared Responsibility Model overview

Partnering with a qualified CSP can be a great way to help your business grow more sustainably. Taking this approach lets you offload a wide range of business tasks, including time-consuming and often cost-intensive infrastructure management tasks like provisioning physical servers and databases.

Taking this approach is an effective way to give your internal teams more time, while enabling you to scale your operations without focusing primarily on workforce size. It also allows teams to spend more time focused on strategic growth initiatives rather than primarily on maintenance-specific tasks.

That said, it is common for organisations to fall into the trap of assumptions about how security responsibilities shift in cloud-based environments. It is easy to think that, since you are paying for a cloud service, any and all responsibilities for cloud security rest with the CSP.

However, cloud security is a shared responsibility.” This is exactly why the SRM exists. It helps clear up misunderstandings about where security-focused tasks should be managed and how CSPs and their clients should coordinate on data privacy principles.

The SRM is essentially a functional map you can use for security planning and execution. It is designed to break down the different layers of security controls, including everything from the physical hardware used to provision cloud instances to the business data accessed and moved across on-premises and off-premises environments.

[subhead] Security "of" the cloud vs security "in" the cloud

One thing to keep in mind about the SRM is that it is designed to help differentiate different cloud responsibilities between a CSP and their clients. To help define these different accountabilities, the SRM references security “of” and security “in”.

Security "of" the cloud is meant to help define what a CSP is directly responsible for. One of the easiest ways to illustrate how this works is to consider the relationship between a landlord (the “CSP”) and a tenant (the “client”).

Landlords are responsible for making sure that the building where clients reside is secure. They are responsible for maintaining the building, installing necessary security measures such as locking gates and doors, and carrying out other essential tasks. In a cloud environment, CSPs follow similar accountabilities to those in physical data centres, installing and maintaining hardware, and ensuring the software in place is able to run their client’s cloud environments.

Security "in" the cloud is where the clients come in. Just as tenants are responsible for keeping their possessions secure by locking their doors and following best practices, clients also have their own duties to manage. In cloud settings, clients are responsible for what happens inside their specific environments. This means managing user permissions, encrypting sensitive files, and keeping data organised.

Why the Shared Responsibility Model matters

Creates clear accountability

When it comes to security, you cannot afford any "I thought you were doing that" moments. Whether your data is on your own local servers or in the cloud, someone needs to be the designated lead for every task.

Using the SRM removes that confusion. It allows you to set clear standards for your internal team and your cloud vendor. When everyone knows their role, you are much less likely to have a security gap that goes unnoticed. This helps you catch and fix potential risks before they turn into real problems.

Makes your security team more effective

Once your team knows exactly what the provider is handling, they can focus their efforts on the elements within their control.

Knowing what falls within their responsibility allows internal experts to focus on protecting your unique business. They can spend their time strengthening your custom software, improving how you manage user access, or looking for suspicious patterns in your data traffic. It puts your human talent where it is needed most.

Reiterates the importance of effective setup

In most cases, major cloud breaches are not just a result of being targeted by a highly skilled cybercriminal. While these individuals are skilled at capitalising on apparent vulnerabilities, those security gaps are often left by cloud administrators who did not enable the right cloud configurations.

By following SRM and aligning your operations with industry standards such as NIST or HITRUST, you can build a much stronger, more resilient cloud foundation from the very first day you migrate your systems.

A primary benefit of working with cloud providers is that they often build their systems from the ground up to meet high safety standards. You can leverage this security readiness and start using the built-in security tools and features. Taking this approach can give your business a significant advantage by protecting against major security threats, such as ransomware or DDoS attacks.

Promotes smarter workflows

The cloud is incredibly powerful, but its interconnected nature and complex architecture can also be a double-edged sword. It can be easier than organisations realise to expose sensitive data, especially when rushing to deliver new features.

The SRM encourages businesses to prioritise security over speed and can serve as a useful model for evaluating your cybersecurity protocols and initiatives. For example, working with penetration testing teams that reference the SRM as a guide can help them to simulate real-world attack scenarios to see how well your business can defend itself.

If certain security gaps remain, these research teams can provide actionable advice on addressing them, while building and executing smarter cloud security workflows going forward.

Keeping your cloud operations secure

As you continue to evolve your business operations and migrate into cloud environments, making the SRM a core part of your strategy is essential. By taking ownership of your specific duties in the cloud and working with your CSP to ensure they understand their own responsibilities, you can successfully close the door on risky security gaps, while feeling more confident in protecting your company’s future.

Author

Nazy Fouladirad is president and COO of Tevora, a cybersecurity consultancy. She has dedicated her career to creating a more secure business and online environment for organisations. She is passionate about serving her community and acts as a board member for a local non-profit organisation.

Share this article:

Further reading: