What is the shared responsibility model in cloud-based services?
Cloud-based services have revolutionized cyber security. Repeatedly, cloud providers have demonstrated that their systems can outcompete onsite solutions in terms of effectiveness, efficiency, and security. Indeed, the cloud makes it possible to easily and safely outsource certain aspects of a company’s IT systems to a capable cloud provider. In addition, cloud-based services are less resource intensive for the client company and can therefore be an excellent choice from a business perspective. Everything from email services to virtual machines can be more securely handled by a cloud provider — and release the company from handling substantial portions of their security. However, the cloud does not reduce the risk of end-users being compromised nor endpoints being infected. End-users and endpoints are just as vulnerable as ever.
By offloading on-premises IT systems to clouds offered by partners, organizations of all sizes are better able to focus on their day-to-day business. But does this mean that businesses are absolved of all responsibility when it comes to staying safe from cyber threats? Unfortunately, no. We are not there yet. For now, organizations must understand their liabilities and fulfil their obligations under shared responsibility models in order to remain secure.
What is shared responsibility?
Simply put, the customer is both accountable and responsible for all aspects of securing and operating solutions when they are deployed on-premises. As organizations move further in leveraging cloud-based services, more responsibilities are shifted to providers. In general, the key benefit of cloud-based services is that what happens on the cloud is the responsibility of your vendor or partner. In other words, cloud providers and cloud clients are each liable for failures in the features under their control.
The more inclusive a service offered by a provider is, the fewer responsibilities a client organization has. The specific responsibilities of cloud providers span a considerable gradient based on the specific type of cloud-based service, ranging from infrastructure as a service (IaaS) to software as a service (SaaS) models, with platform as a service (PaaS) occupying an intermediate position.
IaaS: you’re on your own more or less
With IaaS, your organization is fairly independent with respect to security, but this still is a big step away from keeping your own racks of servers on premises. Under IaaS models, organizations are responsible for not only their own data, clients, and users but also applications, network configurations, and even operating systems.
However, IaaS offloads the considerable responsibility of physically storing and maintaining servers to your partner and makes computing resources available through simple interfaces such as virtual machines. Moreover, your IaaS provider is responsible for some basic level of network security (i.e., detecting breaches) and physical security (i.e., backup). Even this basic level of cloud service is sure to help management sleep better at night.
PaaS: a little more hassle-free
Under PaaS, network security and storage issues solely become the responsibility of your cloud provider. This level of service permits your organization the additional comfort of knowing that network breaches are being minded by your vendor combined with the ease that comes from computing resources being available on-demand.
At this level, if client organizations can focus on keeping their endpoint users safe from introducing malware and malicious content to the cloud, their data can be kept quite safe. Under PaaS, you are responsible for securing and managing applications as well as users, endpoint devices, and data.
SaaS: the simplest and often safest cloud model
The least responsibility to client organizations comes under SaaS models. At this point, the cloud provider maintains and secures everything but the users, the endpoint devices, and the data on the cloud. This service level abstracts away nearly all of the technical computing details, and reputable SaaS providers continuously upgrade applications as new threats emerge. SaaS models include the many enterprise and consumer-oriented services offered by Google (e.g., Gmail and Google Docs) as well as Salesforce and Microsoft Office 365.
While SaaS models are the safest cloud-based services, they are not risk free — as demonstrated by the June 2016 Cerber ransomware virus attack on Microsoft 365. Like many traditional Microsoft Office viruses, Cerber relied upon users opening a file from an email and then enabling macros as instructed.
So what exactly is your part of shared responsibility?
No matter what, security in the cloud is a shared responsibility, as cloud services are not ‘secure by default.’ Everything that enters the cloud from your organization’s users and endpoint devices are the responsibility of your organization. The industry-leading IT research and advisory firm Gartner predicts that by 2020, 95% of cloud security failures will be the result of client oversight. In light of this forecast, it is essential that companies fully understand shared responsibility models in order to implement the necessary security measures that they are expected to handle.
While the cloud offers significant simplicity and security advantages, the biggest vulnerabilities still come from human blunders. If you do your homework about shared responsibility models, implement complementary security measures, and educate your users, your organization can take full advantage of cloud-based services without fear.