Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog

The Importance of the Shared Responsibility Model for Your Data Security Strategy

Home
Industry Insights
The Importance of the Shared Responsibility Model for Your Data Security Strategy

Blog Article Published: 10/17/2023

Originally published by Dig Security.

Written by Sharon Farber.

A shared responsibility model is a cloud security framework that outlines the distribution of security and compliance responsibilities between the cloud service provider (CSP) and the customer.

There has been a long debate about who shares what type of responsibilities between CSPs and cloud service consumers.

Both parties share responsibilities related to the security, privacy, and management of data throughout its lifecycle within the cloud environment. But what happens in the event of a data breach? Who will be held accountable? It might not be who you think.

Gartner estimates that through 2025, 99% of cloud security failures will be the customer's fault. The good news is that you can prevent cloud security failures by following the shared responsibility model.

Let’s dig a bit deeper into the key responsibilities of both CSPs and cloud service consumers.


Who’s Responsible for What?

Here is a detailed breakdown of the various responsibilities both CSPs and customers have.

Cloud Service Provider

Customer

Responsible for the physical layer. This includes all hardware and infrastructure management, data backup, and disaster recovery

Responsible for implementing data protection measures such as data loss prevention (DLP) and managing encryption keys to ensure secure storage and rotation

Responsible for securing and maintaining the virtualization layer which includes VMs, live migration from one physical host to another, and ensuring proper isolation and resource allocation for virtual devices

Responsible for implementing access management, permissions, and setting up IAM policies to prevent unauthorized access to cloud resources

Responsible for ensuring high availability and reliability of their services. This includes maintaining data centers, network connectivity, and hardware to minimize downtime

Responsible for securing applications, which includes patch management, code security, and secure development practices such as implementing Multi-factor authentication (MFA)

Responsible for demonstrating adherence to industry standards and are certified by a widely recognized third-party such as ISO 27001 or SOC 2 Type II

Responsible for maintaining compliance with industry regulations such as GDPR, HIPAA, and PII and meeting the necessary guidelines and legal obligations related to the handling, storage, and protection of sensitive data


Different Types of Shared Responsibility Models

There are three main variations of the shared responsibility model; IaaS, PaaS, and SaaS. Here is a detailed breakdown of each cloud delivery model:

IaaS (Infrastructure as a Service) - Here, the service provider is responsible for the virtualization layer along with the physical data centers. Customers are responsible for securing the operating systems (OS) of the virtual machines they deploy in the cloud, middleware such as implementing proper access controls, data management, and container security.

PaaS (Platform as a Service) - In this model, the CSP is accountable for securing the PaaS platform itself. This includes securing the databases, middleware, development frameworks, runtime environments, and operating systems (OSes). Customers are responsible for developing and maintaining their applications running on the PaaS platform. This includes writing secure code, regularly updating and patching application components and data protection.

SaaS (Software as a Service) - In a SaaS model, the provider controls virtually all aspects of application security, while customers are faced with the task of protecting a user's login credentials and data from phishing or social engineering tactics, which account for an astonishing 98% of cyber attacks.

Shared Responsibility Model in Cloud Service Providers

Let’s take a closer look at how the shared responsibility model applies to major cloud service providers such as AWS, Azure, and Google Cloud Platform (GCP).

AWS

Azure

GCP

Responsible for protecting all of the AWS cloud infrastructure. This includes the hardware, software, and networking that comprise AWS cloud services

Microsoft Azure is very similar to AWS in that it is responsible for protecting all of its infrastructure

GCP is responsible for the network and infrastructure, and almost all aspects of SaaS and for the majority of controls in PaaS

Customers are responsible for securing the data they store on AWS, such as configuring S3 buckets and EC2 storage with appropriate IAM access management and encryption measures

In Azure, the users own their data and identities for all cloud deployment types. Customers are also responsible for endpoints, accounts, and access management

Customers are completely responsible for implementing access policies and data management. This includes guest OS, content, usage, deployment, web application security, and network security

Shared Responsibility Best Practices

Thoroughly examine SLAs - Take the time to carefully review your SLAs with cloud vendors. When organizations change cloud providers or shift to a different cloud delivery model, it is imperative to reevaluate the fine print of the SLA to avoid any misunderstandings and ensure that customer data is protected in accordance with privacy laws.

It’s All About the Data - Regardless of chosen CSP, the organization bears complete responsibility for the handling and management of the data. Data classification is a fundamental component of shared responsibility best practices. Organizations must categorize their data based on sensitivity level. Regular data backups are also critical for data resilience and for ensuring that data can be recovered in the event of accidental deletion, system failure, or other security incidents.

Make IAM Policy Enforcement a Priority - IAM enforcement provides organizations with granular control over user access to cloud resources. IAM policies leverage the principle of least privilege, empowering admins to define and control access policies based on user roles, granting each individual precisely the required permissions to perform their tasks effectively. It also enhances data confidentiality and minimizes the potential for data exposure due to inadvertent user actions.

Arm Yourself with the Right Security Tools - Security tools such as DLP solutions help prevent the unauthorized exfiltration of sensitive data from their cloud environment. Organizations can take their security to the next level by adopting a mix of advanced security tools such as Data Security Posture Management (DSPM) and Data Detection & Response (DDR) which can enhance your security posture beyond traditional firewalls.

Shared Responsibility Model FAQ

  1. What is a shared responsibility model? The shared responsibility model is a cloud security framework that defines the division of security responsibilities between the Cloud Service Provider (CSP) and the customer.
  2. What is the shared responsibility model in AWS? AWS is responsible for protecting the infrastructure supporting all services available in the AWS Cloud. This includes hardware, software, networking, and facilities.‍
  3. What are the different types of shared responsibility models? The different types of shared responsibility models include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
AWSAzureShared Responsibility Model

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Virtual Cloud Trust Summit 2024
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Remote Code Execution (RCE) Lateral Movement Tactics in Cloud Exploitation

Published: 04/12/2024

Detecting Compromised Accounts in Microsoft 365

Published: 04/04/2024

Powerful Cloud Permissions You Should Know: Part 1

Published: 03/26/2024

Defend Against Azure Cross-Tenant Synchronization Attacks

Published: 03/15/2024