The Importance of the Shared Responsibility Model for Your Data Security Strategy
Published 10/17/2023
Originally published by Dig Security.
Written by Sharon Farber.
A shared responsibility model is a cloud security framework that outlines the distribution of security and compliance responsibilities between the cloud service provider (CSP) and the customer.
There has been a long debate about how responsibilities are divided between CSPs and cloud service consumers.
Both parties share responsibilities related to the security, privacy, and management of data throughout its lifecycle within the cloud environment. But what happens in the event of a data breach? Who will be held accountable? It might not be who you think.
Gartner estimates that through 2025, 99% of cloud security failures will be the customer's fault. The good news is that you can prevent cloud security failures by following the shared responsibility model.
Let’s dig a bit deeper into the key responsibilities of both CSPs and cloud service consumers.
Who’s Responsible for What?
Here is a detailed breakdown of the various responsibilities both CSPs and customers have.
| Cloud Service Provider | Customer |
| --- | --- |
| Responsible for the physical layer. This includes all hardware and infrastructure management, data backup, and disaster recovery. | Responsible for implementing data protection measures such as data loss prevention (DLP) and managing encryption keys to ensure secure storage and rotation. |
| Responsible for securing and maintaining the virtualization layer, which includes VMs, live migration from one physical host to another, and proper isolation and resource allocation for virtual devices. | Responsible for implementing access management and permissions, and for setting up IAM policies to prevent unauthorized access to cloud resources. |
| Responsible for ensuring high availability and reliability of their services. This includes maintaining data centers, network connectivity, and hardware to minimize downtime. | Responsible for securing applications, which includes patch management, code security, and secure development practices, as well as implementing multi-factor authentication (MFA). |
| Responsible for demonstrating adherence to industry standards such as ISO 27001 or SOC 2 Type II, as certified by a widely recognized third party. | Responsible for maintaining compliance with industry regulations such as GDPR and HIPAA and with rules governing PII, and for meeting the guidelines and legal obligations related to the handling, storage, and protection of sensitive data. |
Different Types of Shared Responsibility Models
There are three main variations of the shared responsibility model: IaaS, PaaS, and SaaS. Here is a detailed breakdown of each cloud delivery model:
IaaS (Infrastructure as a Service) - Here, the service provider is responsible for the virtualization layer along with the physical data centers. Customers are responsible for securing the operating systems (OS) of the virtual machines they deploy in the cloud, the middleware (including proper access controls), data management, and container security.
PaaS (Platform as a Service) - In this model, the CSP is accountable for securing the PaaS platform itself. This includes securing the databases, middleware, development frameworks, runtime environments, and operating systems (OSes). Customers are responsible for developing and maintaining the applications they run on the PaaS platform. This includes writing secure code, regularly updating and patching application components, and protecting data.
SaaS (Software as a Service) - In a SaaS model, the provider controls virtually all aspects of application security, while customers are left with the task of protecting users' login credentials and data from phishing or social engineering tactics, which account for an astonishing 98% of cyber attacks.
Shared Responsibility Model in Cloud Service Providers
Let’s take a closer look at how the shared responsibility model applies to major cloud service providers such as AWS, Azure, and Google Cloud Platform (GCP).
| AWS | Azure | GCP |
| --- | --- | --- |
| Responsible for protecting all of the AWS cloud infrastructure. This includes the hardware, software, and networking that comprise AWS cloud services. | Microsoft Azure is very similar to AWS in that it is responsible for protecting all of its infrastructure. | GCP is responsible for the network and infrastructure, for almost all aspects of SaaS, and for the majority of controls in PaaS. |
| Customers are responsible for securing the data they store on AWS, such as configuring S3 buckets and EC2 storage with appropriate IAM access management and encryption measures. | In Azure, the users own their data and identities for all cloud deployment types. Customers are also responsible for endpoints, accounts, and access management. | Customers are completely responsible for implementing access policies and data management. This includes the guest OS, content, usage, deployment, web application security, and network security. |
Shared Responsibility Best Practices
Thoroughly examine SLAs - Take the time to carefully review your SLAs with cloud vendors. When organizations change cloud providers or shift to a different cloud delivery model, it is imperative to reevaluate the fine print of the SLA to avoid any misunderstandings and ensure that customer data is protected in accordance with privacy laws.
It’s All About the Data - Regardless of the chosen CSP, the organization bears complete responsibility for the handling and management of its data. Data classification is a fundamental component of shared responsibility best practices: organizations must categorize their data based on sensitivity level. Regular data backups are also critical for data resilience and for ensuring that data can be recovered in the event of accidental deletion, system failure, or other security incidents.
Make IAM Policy Enforcement a Priority - IAM enforcement gives organizations granular control over user access to cloud resources. IAM policies apply the principle of least privilege, allowing admins to define and control access based on user roles and to grant each individual precisely the permissions required to perform their tasks. This also strengthens data confidentiality and minimizes the potential for data exposure due to inadvertent user actions.
Arm Yourself with the Right Security Tools - Security tools such as DLP solutions help prevent the unauthorized exfiltration of sensitive data from the cloud environment. Organizations can take their security further by adopting a mix of advanced security tools such as Data Security Posture Management (DSPM) and Data Detection & Response (DDR), which extend the security posture beyond traditional firewalls.
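The customer's side of the model, as the AWS table and the IAM best practice above describe it, comes down to checkable configuration: is each bucket encrypted at rest with a key the customer controls, is public access blocked, and do the IAM policies grant only the actions and resources a role needs? The script below is an added example, not code from the article or from Dig Security. The dictionary shapes mirror the JSON returned by the S3 GetBucketEncryption and GetPublicAccessBlock APIs and the IAM policy document format, but every bucket name, account ID, key ARN and policy is constructed here so it runs offline; in practice the same functions would be fed live responses from boto3.

```python
"""Customer-side posture checks: S3 default encryption and public-access
settings, plus a least-privilege lint of IAM policy documents.

Added example. All sample data below is constructed; the dict shapes follow
the S3 GetBucketEncryption / GetPublicAccessBlock responses and the IAM
policy document format.
"""
import json

PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def check_bucket(bucket):
    """Return findings for one bucket; an empty list means the bucket passes.

    `bucket` keys: name, encryption (GetBucketEncryption body, or None when the
    API reports no configuration), public_access_block (GetPublicAccessBlock body
    or None).
    """
    findings = []

    # Encryption at rest: the customer owns the choice and rotation of keys.
    enc = bucket.get("encryption") or {}
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {
        r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules
    }
    if not algorithms:
        findings.append("no default encryption configured")
    elif not any(a and a.startswith("aws:kms") for a in algorithms):
        findings.append("default encryption is SSE-S3; key is not customer-managed")

    # Public access: all four block flags should be on unless public hosting is intended.
    pab = (bucket.get("public_access_block") or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_ACCESS_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"public access block flag {flag} is off")
    return findings


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Flag Allow statements that grant wildcard actions or apply to every resource."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in _as_list(st.get("Resource")):
            findings.append(f"statement {i}: applies to every resource")
    return findings


# --- Constructed sample data (placeholder account, bucket names and key ID) ---
GOOD_BUCKET = {
    "name": "example-payroll-data",
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        }}]}},
    "public_access_block": {
        "PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_FLAGS}
    },
}
BAD_BUCKET = {"name": "example-legacy-exports", "encryption": None, "public_access_block": None}

BROAD_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}'
)
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-payroll-data/reports/*",
    }],
}


def audit(buckets, policies):
    """Map each bucket name and policy label to its findings."""
    report = {b["name"]: check_bucket(b) for b in buckets}
    report.update({label: lint_policy(p) for label, p in policies.items()})
    return report


if __name__ == "__main__":
    results = audit([GOOD_BUCKET, BAD_BUCKET],
                    {"broad-policy": BROAD_POLICY, "scoped-policy": SCOPED_POLICY})
    for item, findings in results.items():
        print(item, "->", findings or "ok")
```

The checks are deliberately about the customer's controls only: whether the provider's disks are encrypted or its data centers are available is not something this script can or should assess. Running it over real account inventory would turn the table's prose into a repeatable control, and its output feeds naturally into the DSPM-style tooling the next section recommends.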
Shared Responsibility Model FAQ
- What is a shared responsibility model? The shared responsibility model is a cloud security framework that defines the division of security responsibilities between the Cloud Service Provider (CSP) and the customer.
- What is the shared responsibility model in AWS? AWS is responsible for protecting the infrastructure supporting all services available in the AWS Cloud. This includes hardware, software, networking, and facilities.
- What are the different types of shared responsibility models? The different types of shared responsibility models include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).