Who’s Responsible for Cloud Security Failures? Answer: More People Than You Think

November 30, 2023

By Claire Hatcher - Regional Director of Sales, United Kingdom, Skyhigh Security

Shared responsibility is a concept we all intuitively understand but that many organizations don’t fully comprehend when it comes to securing the cloud. Either the frameworks that explain it are relatively new or expectations haven’t been made clear enough. Many organizations are unfortunately dropping the ball by not fully grasping their own roles and responsibilities, and the end result is security gaps and breaches.

Given that 90% of IT professionals have experienced a cybersecurity breach, cloud computing—like all technology—is not foolproof. While cloud service providers (CSPs) do provide some advanced security tools and services, there’s clearly some misunderstanding on the customer’s side about what CSPs actually do protect. Perhaps an analogy can help clarify who does what and dispel some myths and confusion.

How the right mental framework can prevent a disaster

Let’s look at renting a vacation property from an online marketplace. The online marketplace provides the underlying infrastructure to facilitate the transaction. You connect with the property owner through the platform. The online marketplace is responsible for providing a secure platform to conduct this transaction. The owner is responsible for the property itself. For example, they are expected to install locks on the doors and windows of the rental—and you are responsible for using the locks. You can’t expect the online marketplace to be responsible for ensuring you are not robbed while staying at a property, especially if you do not use the provided mechanisms—locks in this case—to secure the property and your belongings.

Another analogy is buying or renting tools from the hardware store. The vendors might have some liability if the tool breaks or fails to perform, but it’s always up to you to wear eye protection, ensure a safe working environment, and use the tools responsibly.

Organizations need to understand that it’s not so different for them with regard to the cloud service platforms they use. CSPs are not liable for every security breach. The customer has a significant role to play and shares responsibility for securing their public cloud environment.

Enter the shared responsibility model

CSPs have clearly defined their responsibilities when it comes to security. Amazon Web Services (AWS) and Microsoft Azure have both published Cloud Security Shared Responsibility Models to delineate who is responsible for what. Though the details depend on whether the model is software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS), generally the enterprise customer is responsible for these aspects of cloud security:

  • Endpoint security
  • Network security
  • Configurations
  • Identity and Access Management (IAM)
  • Data classification and accountability
  • Data collaboration control
  • Virtual machines
  • Security of workloads and containers

The cloud service provider, on the other hand, is responsible for:

  • Physical security and maintenance of their own facilities, including power and internet connectivity
  • Computing host infrastructure, including servers, operating systems, patching, load balancing, scaling, storage, and platform services configuration
  • Network controls and provider services

Going back to our analogy with the door and window locks at the vacation rental, CSPs have various security defenses built into their services, but it’s up to the customer to implement them to protect their own networks, users, vital data, and applications.

To fully understand your roles and responsibilities as a customer of any cloud service, it’s important to carefully review the service level agreement (SLA). Don’t make any assumptions. The SLA will clarify exactly what aspects of security you are responsible for and what features and policies you need to properly configure at the outset to gain the full benefits of the platform. In a complex multi-cloud world, this can be challenging from an administrative point of view, but addressing your responsibilities upfront to ensure your data in the cloud is safe is fully worth the time and effort it takes.

Cloud security is a team sport, and everyone has to carry the ball when it’s their turn. Shared responsibility models provide a framework to help you understand the rules of the game.

To learn how Skyhigh Security can help you fulfill your responsibilities and secure your data on public cloud platforms, visit our website.
