November 30, 2023
By Claire Hatcher - Regional Director of Sales, United Kingdom, Skyhigh Security
Shared responsibility is a concept we all intuitively understand but that many organizations don’t fully comprehend when it comes to securing the cloud. Either the frameworks that explain it are relatively new or expectations haven’t been made clear enough. Many organizations are unfortunately dropping the ball by not fully grasping their own roles and responsibilities, and the end result is security gaps and breaches.
With 90% of IT professionals having experienced a cybersecurity breach, it is clear that cloud computing, like all technology, is not foolproof. While cloud service providers (CSPs) do provide some advanced security tools and services, there’s clearly some misunderstanding on the customer’s side about what CSPs actually do protect. Perhaps an analogy can help clarify who does what and dispel some myths and confusion.
How the right mental framework can prevent a disaster
Let’s look at renting a vacation property from an online marketplace. The online marketplace provides the underlying infrastructure to facilitate the transaction. You connect with the property owner through the platform. The online marketplace is responsible for providing a secure platform to conduct this transaction. The owner is responsible for the property itself. For example, they are expected to install locks on the doors and windows of the rental—and you are responsible for using the locks. You can’t expect the online marketplace to be responsible for ensuring you are not robbed while staying at a property, especially if you do not use the provided mechanisms—locks in this case—to secure the property and your belongings.
Another analogy is buying or renting tools from the hardware store. The vendors might have some liability if the tool breaks or fails to perform, but it’s always up to you to wear eye protection, ensure a safe working environment, and use the tools responsibly.
Organizations need to understand that it’s not so different for them with regard to the cloud service platforms they use. CSPs are not liable for every security breach. The customer has a significant role to play and shares responsibility for securing their public cloud environment.
Enter the shared responsibility model
CSPs have clearly defined their responsibilities when it comes to security. Amazon Web Services (AWS) and Microsoft Azure have both published Cloud Security Shared Responsibility Models to delineate who is responsible for what. Though the details depend on whether the model is software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS), generally the enterprise customer is responsible for these aspects of cloud security:
- Endpoint security
- Network security
- Identity and Access Management (IAM)
- Data classification and accountability
- Data collaboration control
- Virtual machines
- Security of workloads and containers
The cloud service provider, on the other hand, is responsible for:
- Physical security and maintenance of their own facilities, including power and internet connectivity
- Computing host infrastructure, including servers, operating systems, patching, load balancing, scaling, storage, and platform services configuration
- Network controls and provider services
Going back to our analogy with the door and window locks at the vacation rental, CSPs have various security defenses built into their services, but it’s up to the customer to implement them to protect their own networks, users, vital data, and applications.
To fully understand your roles and responsibilities as a customer of any cloud service, it’s important to carefully review the service level agreement (SLA). Don’t make any assumptions. The SLA will clarify exactly what aspects of security you are responsible for and what features and policies you need to properly configure at the outset to gain the full benefits of the platform. In a complex multi-cloud world, this can be challenging from an administrative point of view, but addressing your responsibilities upfront to ensure your data in the cloud is safe is fully worth the time and effort it takes.
Cloud security is a team sport, and everyone has to carry the ball when it’s their turn. Shared responsibility models provide a framework to help you understand the rules of the game.
To learn how Skyhigh Security can help you fulfill your responsibilities and secure your data on public cloud platforms, visit our website.