Cybersecurity in the Cloud – a Shared Responsibility Model

Cybersecurity in the Cloud – a Shared Responsibility Model

As organizations are migrating towards the cloud, the question that needs to be answered is – who is responsible for cloud security? Is that you as a customer or the cloud service provider (CSP)? This article explores the details.

Introduction

In a traditional on-premises setup where organizations have their data centres in their own geographical location, the security responsibility is clear. The organization is solely responsible for the security of everything, from the physical infrastructure to the data that resides in the infrastructure.

However, the security responsibility shifts considerably as the cloud service provider enters this scenario. In many cases, the organizations over trust the cloud service provider for keeping their data secure. In fact, as per the Gartner report, “through 2025, 99% of cloud security failures will be the customer’s fault[1]”.

Shared Responsibility Model

To help customers understand their security responsibilities, the cloud service providers like Amazon Web Services, Microsoft Azure and Google Cloud have come up with a shared responsibility model. In the simplest manner, the shared responsibility model denotes that the cloud service provider is responsible for the security “of” the cloud whereas the customers are responsible for security “in” the cloud. Let us now look at how the model helps to demystify the security responsibilities in different deployment models.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) provides the maximum flexibility and controls to the user of the cloud and it is one of the most widely used cloud computing models. However, this freedom and flexibility put a greater part of the security responsibility on the shoulders of the user. In this model, the responsibility of securing the environment mostly lies on the user. The cloud service provider provides virtualized computing resources to the user over the Internet.

Taking Amazon Web Services Elastic Compute Cloud (EC2) as an example, the customer is responsible for installing and patching the guest operating system. The customer is also responsible for the proper access management and making sure that the data is protected while in transit and at rest.  The CSP manages the security of physical data centre, internal network and the virtualization layer.

Platform as a Service (PaaS)

In Platform as a Service (PaaS), the customer deploys and manages the application and the cloud service provider provides underlying services including the guest operating system.

Let us take the example of Amazon Web Services Elastic Beanstalk. Elastic Beanstalk is used to develop and scale web applications in Amazon Web Services. This approach offloads the user responsibility of installing and patching the underlying operating system onto the CSP. However, the user is still responsible for managing the data stored in the application and proper access management.

Another example can be Force.com which is a product of Salesforce. It provides an option for the developers to create and deploy add-on applications that can be integrated into the main Salesforce application. These add-on applications are created by the customers of Salesforce but hosted on the Salesforce cloud infrastructure. In this scenario, Salesforce will provide the guest operating system on their infrastructure but the application developer is responsible for creating a secure application that keeps securing the data of the users.

Software as a Service (SaaS)

Software as a Service (SaaS) shifts the major part of security responsibility to the cloud service provider. The cloud service provider manages almost everything right from the application to the physical infrastructure. However, it is still the responsibility of the user of the cloud to implement proper controls within the application so that the data of the organization is properly protected.

One example of SaaS could be Google’s Gmail for Business. The application Gmail and all underlying services are managed by Google itself. The user is responsible for the data of their users along with user accounts and permissions. Google, in this case, is responsible for the data that is stored in the application remains safe as long as proper access controls are in place by the user.

Conclusion

In the end, the answer to the question “Who is responsible for cloud security” is both. The shared responsibility model denotes that there is a fine line which distinguishes the security responsibilities of the user and the cloud service provider. The user and the cloud service provider must work in conjunction with securing the cloud-hosted environment.

At the same time, there is a need to shift the thinking from “Is my cloud infrastructure secure?” to “Are we putting proper controls in the cloud infrastructure to use it securely?”

References:

• “Amazon EC2.” Amazon Elastic Compute Cloud Documentation, Amazon Web Services, docs.aws.amazon.com/ec2/?id=docs_gateway.
• “Elastic Beanstalk.” AWS Elastic Beanstalk, Amazon Web Services, 2011, docs.aws.amazon.com/elastic-beanstalk/?id=docs_gateway.
• “Google Security Review.” Google Cloud, Google Cloud, www.cloud.google.com/security/overview.
• Panetta, Kasey. “Is the Cloud Secure?” Smarter With Gartner, Gartner, 10 Oct. 2019, www.gartner.com/smarterwithgartner/is-the-cloud-secure/.
• “Shared Responsibility in the Cloud – Microsoft Azure.” Microsoft Docs, Microsoft Azure |, 16 Oct. 2019, www.docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility.
• “Shared Responsibility Model.” Amazon, Amazon Web Services, www.aws.amazon.com/compliance/shared-responsibility-model/.

For more blogs Click here