Burdens and Benefits of Shared Security Responsibility Model (SSRM) in Cloud Computing

Originally published by CAS Assurance.

What is the SSRM?

The SSRM is the concept in cloud computing that defines and assigns security responsibilities in the cloud ecosystem between the Cloud Service Providers (CSPs) and the Cloud Service Customers (CSCs). As with many things on the planet earth, the concept has its burdens as well as its beauty. It is best practice and the dictate of wisdom to manage and minimize the effects of the burden or disadvantage of any system, situation, or subject while maintaining and maximizing its benefits. We look at both the burdens and benefits of the SSRM in this article, but with the goal of magnifying its benefits above the burdens.

What are the Burdens of the SSRM?

The following are the top burdens of the SSRM:

Complexity, variability, and ambiguity

The cloud environments can become very complex so quickly with multiple integrations of resources, including applications, services, and cloud platforms. This comes with the challenge of wading through the complexities to understand the security risks and assigned security responsibilities for each of the parties (CSPs and CSC). Further, the security responsibilities defined in the SSRM for CSPs and CSCs vary across service delivery models (SaaS, PaaS, and IaaS). The variabilities can be further elevated by the nuances in the policies of different cloud providers, sometimes necessitated by the differences in their platforms features and functionalities. The complexities and variabilities can lead to ambiguity and misunderstanding of security responsibilities, especially for CSCs dealing with multiple cloud providers across multiple service delivery models.

Increased knowledge required

Given the complexities, variabilities and potential ambiguity earlier explained, it is logical that an increased knowledge would be needed, especially on the part of the CSCs, to understand their unique cloud environments (which can even evolve so rapidly with changing technologies and integrations), the inherent risks, and the consolidated security responsibilities. Without this knowledge, it will be difficult for the CSCs in particular to establish robust security policies and procedures for the implementation and operation of security controls in their cloud environments. Acquiring the required knowledge may not always come cheap!

Inherent dependency on the CSPs security practices

The CSCs are almost helplessly dependent on the security posture of the cloud service providers. Any weakness in or breach of a CSP’s security controls may unavoidably impact the CSCs cloud resources negatively, regardless of how good the CSCs may have implemented their own assigned security responsibilities. “If the foundation is destroyed, … - what have you left of the branches?” This re-emphasizes the increased knowledge required to craft robust security policies and procedures for controls implementations to manage the inherent risks, including establishing effective policies and plans for business continuity, disaster recovery, and incident response.

What are the Benefits of the SSRM?

Despite the burdens of the SSRM, on the CSCs in particular, the concept has its inherent benefits that recommend it as invaluable concept of the cloud ecosystem. The following are top of the list of benefits:

Clear delineation of security responsibilities

Generally, the SSRM clearly defines and assigns security responsibilities between CSPs and CSCs for the three service delivery models (SaaS, PaaS, and IaaS). The Shared Security Responsibility Model Implementation Guidelines published by the Cloud Security Alliance (CSA) is a priceless resource in this respect. The Implementation Guidelines is a component of the Cloud Controls Matrix (CCM) now in its 4th version. The clear assignments of responsibilities facilitate better communication, understanding, agreement, acceptance and collaboration between CSPs and their CSCs concerning implementation and operation of cloud security controls. A good understanding of this delineation should serve as an indispensable resource to both parties for establishing robust security policies and procedures, including policies and plans for business continuity, disaster recovery, and incident response.

Access to innovative and enhanced security technologies and features

In performing their piece of the cloud security responsibilities, the CSPs, often by default, are compelled to provide security features, capabilities, and mechanisms which the CSCs are expected to leverage to implement and operate security controls in their respective cloud environments. Generally, the CSPs are leaders in security technologies, constantly advancing their security capabilities to beat the ever evolving cyber threats and to meet compliance obligations. This access is a huge advantage to the CSCs in terms of security capabilities and cost savings.It is therefore imperative for CSCs to understand the security features and capabilities provided by their CSPs and to leverage those to enhance their security and compliance posture in the cloud.

Simplified and improved auditing capabilities

The CSPs typically need to comply with a few regulations and standards related to data security and privacy (e.g. GDPR, HIPAA, PCI DSS, NIST and ISO/IEC standards) for their cloud services. The CSCs can rely on the third party certification or attestation audits performed for the CSPs to prove the compliance status of the cloud (infrastructure, platform, or application). The CSCs can then focus their auditing efforts on their specific cloud environments and resources for which they are responsible (as defined by the SSRM).The responsibility for and the abilities of the CSPs to perform and manage large scale and multiple audits for the cloud services relieve the CSCs of the burdens of auditing the entire cloud ecosystem themselves. Focusing on what they are responsible for and can perform audit on helps the CSCs to save cost and be more effective in their auditing and compliance efforts.

Separation of duties

Although the SSRM is not based primarily on the principle of separation of duties as we know it, there is nonetheless some element of separation of duties inherent in the SSRM concept by default. For instance, since the CSPs are not directly responsible for managing access to resources within the CSCs cloud environment, the CSPs personnel would not be expected to have privileges to create or modify users, roles, or access privileges to resources within the CSCs environments. Similarly, the CSCs personnel would not be expected to have any access to the cloud infrastructure, platform or application which is under the control of the CSPs. This separation of duties limits, to certain extent, the risks of insider threats to security.

Conclusion

The SSRM concept in cloud computing is fundamental and of immense importance. Though it is not without its burdens, its benefits far outweigh the burdens. For a truly secure cloud ecosystem, both the CSPs and the CSCs need to thoroughly understand, accept and perform their respective security responsibilities as delineated in the SSRM for their environments. The CSCs should particularly understand and leverage the functions, features, capabilities, and mechanisms provided to them by the CSPs to implement and operate effective security controls to protect and achieve compliance for their resources in the cloud.