Cloud security’s shared responsibility model at a glanceCSPs have worked hard to develop their security capabilities. Providers are generally large companies with dedicated teams to securing their infrastructures and products, something that the typical enterprise can’t match in terms of resource dedication. As an example, Microsoft has consistently spent over $1 billion per year on improving the security of its products. Salesforce, on the other hand, continues to expand the security of its SaaS platform with the introduction of Salesforce Shield. Box, for its part, released its data classification feature in 2016 to further empower customers with critical security capabilities. The CSPs, generally speaking, are responsible for the security “of” their SaaS, PaaS and IaaS products. More specifically, they protect the underlying infrastructure of the service from threats, vulnerabilities, abuse and fraud. They’re also responsible for providing their customers with key security capabilities, such as data encryption at rest, identity and access management and multi-factor authentication. The customers are responsible for the security “in” the cloud, which includes proper configuration of the security features, installing updates and ensuring employees aren’t exposing sensitive data to unauthorized parties. There is some overlap, specifically around compliance requirements, but for the most part, the provider and customer have separate responsibilities. This relationship is known as the shared responsibility model, and it is the basis for how modern cloud security operates.
Security “in” the cloudAs data continues to move to the cloud, it is incumbent on the customer to ensure that they continue to meet their security, governance, and compliance requirements. The CSP may be able to protect against brute-force login attempts, for example, but it’s the customer’s responsibility to ensure that employees use unique and secure passwords across all cloud services to minimize the risk of an account compromise. And while the cloud can simplify sharing and collaboration, the CSP can’t be held responsible for when the customer accidentally shares sensitive data to third-parties in a non-compliant manner. Protection against internal malicious users (i.e. employee downloads all records in Salesforce right before leaving for a competitor) also falls in the domain of the customer. Lastly, properly configuring the myriad of native security capabilities (DLP, access control, activity monitoring) and following basic security best practices is yet another area that the cloud service customer is responsible for. Case in point, AWS recommends that users should only be given the least amount of privileges that still allows them to fulfill their job duties. There is nothing AWS can do to protect its customers if they unnecessarily provision users with admin privileges.
Security “of” the cloudCSPs have the responsibility to ensure that their infrastructure is free from vulnerabilities. They’re also responsible for the physical security of the cloud service and ensuring that unauthorized physical access to the hardware or software is prevented, as well as disaster and incident response. Disaster and incident response includes two main areas. The first one is business continuity management, which means that the CSP has to ensure availability and incident response. Essentially, the service has to be up and running, and if anything goes wrong, the CSPs have to work to fix it. The second category includes accounting for environmental or unpredictable scenarios. This includes securing the data centers against power outages, floods, earthquakes and other disasters. If you delineate this further, you’ll find key differences between what a SaaS provider is responsible for vs PaaS and IaaS providers. For SaaS and PaaS, much of the network access controls are set up by the CSP. For IaaS, however, network controls are controlled by both parties. AWS, for example, provides its customers with a service known as AWS security groups. Security groups are equivalent to firewalls to control network traffic. AWS customers are responsible for properly configuring the security groups, so that they’re not exposing themselves to a DDoS attack.
Looking aheadWhile it is true that CSPs like AWS or Microsoft Azure have their own security responsibilities, the truth is that data breaches will continue to occur unless organizations using cloud services collectively fulfill their end of the relationship.