How the Cloud Shared Responsibility Model Affects You
Public cloud services have changed the way many organizations operate. When you have an on-premises data centre, you own the whole stack and are responsible for securing it. However, with the proliferation of Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) models, you can rest easy knowing that the service provider takes full responsibility for securing your organization’s data in the Cloud, right?
Public cloud service providers, including big players like Amazon Web Services (AWS) and Microsoft Azure, typically employ a shared responsibility model for security. As the name suggests, the model divides security responsibilities between your organization and the service provider according to the type of service consumed. In the following sections we’ll look at where the lines of responsibility are typically drawn and examine how the shared responsibility model affects your organization.
Who Does What
The rule of thumb with the shared responsibility model is: The service provider is responsible for security of the Cloud, while your organization is responsible for security in the Cloud.
This means that the cloud provider is responsible for the physical security of the hosts, network, and data centre, while your organization retains responsibility for securing its information and data, the devices that interact with the cloud service, and its accounts and identities.
For example, AWS operates, manages, and controls the components from the host operating system and virtualization layer right down to the physical security of the facilities in which the service operates. The AWS customer, meanwhile, assumes responsibility and management of the guest operating system (including updates and security patches) and other related application software.
However, responsibilities vary by service type once we venture into the middle ground. A case in point: Microsoft Azure applies a sliding scale based on how the workloads are hosted:
- SaaS: Microsoft shares security responsibilities with an organization for Identity and Directory Infrastructure, and Microsoft assumes full responsibility for Applications, Network Controls, and Operating Systems.
- PaaS: Microsoft retains full responsibility for Operating Systems; however, security for Identity and Directory Infrastructure, Applications, and Network Controls is shared.
- IaaS: Microsoft places full responsibility on the organization for securing all four of these areas.
How responsibilities are shared, as in the SaaS and PaaS scenarios, depends on the stipulations of the service provider. For example, for AWS shared security controls, AWS provides the requirements for the infrastructure and the organization must implement its own controls within its use of AWS services. Some examples include:
- Patch Management: AWS is responsible for patching and fixing flaws within the infrastructure, but the organization is responsible for patching their guest operating systems and applications.
- Configuration Management: AWS maintains the configuration of its infrastructure devices, but the organization is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training: AWS trains AWS employees while an organization must train its own employees.
It’s important to remember you always own your data and identities, regardless of the cloud deployment type. Your organization is responsible for protecting the security of your data and identities, on-premises resources, and the cloud components under your control.
While certain responsibilities will always remain with the customer regardless of the cloud deployment type, the cloud service provider still takes on many of the “commodity” responsibilities formerly assigned to your team. Consequently, you can reallocate your resources to address unmet security responsibilities and improve your organization’s overall security posture.
Figuring out the demarcation points of responsibility with a cloud service provider can be tricky and implementing security measures over the controls for which your organization is responsible can also be daunting. An iON Security Assessment can help you determine where your organization needs to pick up the slack for overlooked responsibilities. We can help deploy and configure industry-leading secure access service edge (SASE) solutions that extend your security capabilities into the Cloud.
Contact us for more information.