How the Cloud Shared Responsibility Model Affects You
Public cloud services have changed the way many organizations operate. When you have an on-premises data centre, you own the whole stack and are responsible for securing it. However, with the proliferation of Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) models, you can rest easy knowing that the service provider takes full responsibility for securing your organization’s data in the Cloud, right?
Public cloud service providers, including big players like Amazon Web Services (AWS) and Microsoft Azure, typically employ a shared responsibility model for security. As the name suggests, your organization and the service provider divide up the security responsibilities according to their type. In the following sections we’ll look at where the lines of responsibility are typically drawn and examine how the shared responsibility model affects your organization.
Who Does What
The rule of thumb with the shared responsibility model is: The service provider is responsible for security of the Cloud, while your organization is responsible for security in the Cloud.
This means that the cloud provider is responsible for the physical security of the hosts, network, and data centre, while your organization retains responsibility for securing information and data, your devices which interact with the cloud service, and accounts and identities.
For example, AWS operates, manages, and controls the components from the host operating system and virtualization layer right down to the physical security of the facilities in which the service operates. The AWS customer, meanwhile, assumes responsibility and management of the guest operating system (including updates and security patches) and other related application software.
However, responsibilities vary depending on the service type when we venture into the middle ground. As a case in point, Microsoft Azure applies a sliding scale based on how the workloads are hosted:
- SaaS: Microsoft shares security responsibilities with an organization for Identity and Directory Infrastructure, and Microsoft assumes full responsibility for Applications, Network Controls, and Operating Systems.
- PaaS: Microsoft retains full responsibility for Operating Systems; however, security for Identity and Directory Infrastructure, Applications, and Network Controls is shared.
- IaaS: Microsoft places full responsibility on an organization for securing all four of these areas.
How responsibilities are shared, as in the SaaS and PaaS scenarios, depends on the stipulations of the service provider. For example, for AWS shared security controls, AWS provides the requirements for the infrastructure and the organization must implement their own controls within their use of AWS services. Some examples include:
- Patch Management: AWS is responsible for patching and fixing flaws within the infrastructure, but the organization is responsible for patching their guest operating systems and applications.
- Configuration Management: AWS maintains the configuration of its infrastructure devices, but the organization is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training: AWS trains AWS employees while an organization must train its own employees.
It’s important to remember you always own your data and identities, regardless of the cloud deployment type. Your organization is responsible for protecting the security of your data and identities, on-premises resources, and the cloud components under your control.
While certain responsibilities will always remain with the customer regardless of the cloud deployment type, the cloud service provider still takes on many of the “commodity” responsibilities formerly assigned to your team. As a result, you can re-allocate your resources to address unmet security responsibilities and improve your organization’s overall security posture.
Figuring out the demarcation points of responsibility with a cloud service provider can be tricky, and implementing security measures for the controls your organization is responsible for can also be daunting. An iON Security Assessment can help you determine where your organization needs to pick up the slack for overlooked responsibilities. We can help deploy and configure industry-leading secure access service edge (SASE) solutions that extend your security capabilities into the Cloud.
Contact us for more information.