Because it is such a large target, organizational data stored in the cloud attracts attacks from both insiders and outside adversaries. A single incident can cost a company millions or even billions: the average cost of a security incident was $4.35 million in 2022, incurred through lost revenue, fines, business interruptions, and penalties. As cloud data theft and cyberattacks become common, enterprises may wonder who is to blame.

A recent Gartner report puts the onus on the end user: Gartner forecasts that through 2025, user errors will account for 90% of all cloud security failures. Fortunately, these failures are preventable in virtually all cases when cloud users understand their own roles and responsibilities, and those of their cloud service provider (CSP), in cloud security.

What Is the Shared Responsibility Model?

The Shared Responsibility Model is a security and compliance framework that demarcates the responsibilities of customers and cloud service providers (CSPs) for securing every aspect of the cloud environment: physical infrastructure, hardware, data, endpoints, settings, network controls, configurations, access rights, and operating systems (OS).

Essentially, the Shared Responsibility Model stipulates that a cloud service provider such as Microsoft Azure, Amazon Web Services (AWS), or Google Cloud Platform (GCP) should track and address security risks related to the cloud itself and its underlying infrastructure, while end users, including organizations and individuals, must protect the sensitive data and other assets they store in the cloud environment.

Unfortunately, this concept of shared responsibility (or shared fate) is often misunderstood, creating the impression that cloud workloads, and any applications, activity, or data related to them, are fully secured by the cloud provider. As a result, end users unknowingly run cloud workloads in public environments that aren’t fully protected, exposing them to attacks that target applications, data, or operating systems. Even well-configured workloads can be attacked at runtime because they remain vulnerable to zero-day exploits.

What Are 5 Employee Responsibilities in the Workplace?

Here are five employee responsibilities in the workplace related to cybersecurity:

1. Access controls

Cybersecurity employees responsible for access controls dictate who has access to systems and data across an organization. These employees must determine who requires access to systems and data to perform their daily duties effectively.

2. Network and applications performance

Cybersecurity professionals must closely monitor the performance of the organization’s networks and applications. This lets them identify security issues that degrade web or application performance and remedy them quickly, before any service interruptions, downtime, or outages occur.

3. Patch management

Security vulnerabilities can arise at any time, and cybersecurity employees must address them promptly. Vulnerability and patch management give your company defined procedures and processes for identifying and resolving security vulnerabilities.

4. Endpoint detection and response

Cybersecurity professionals must monitor endpoints and network events continuously. Endpoint detection and response (EDR) tooling lets an organization track and report on internal and external threats to its data, including ransomware, malware, and other advanced threats.

5. Backup and disaster recovery

Cybersecurity employees must back up systems and data and ensure they can be restored seamlessly after a security incident.

Why Is the Shared Responsibility Model Important?

In on-premises data center environments, security and compliance responsibilities rest solely with the owner: accountability for physical infrastructure, patching, and maintaining security controls falls to the company’s security team or another responsible party such as the IT department, not to the hardware vendor. When parts of a network are composed of public or private cloud services, however, some compliance and security responsibilities shift to the cloud service provider (CSP).

That’s where a shared responsibility model comes in, stipulating clearly which security responsibilities (locations, data protection, and so on) fall in the customer’s domain and which fall in the CSP’s. Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, and other CSPs each publish their own model, tailored to their particular offerings.

Further, unlike security for traditional IT assets and infrastructure, where the organization has complete control over both security and infrastructure, cloud security requires consumers to share security responsibilities with their CSP. The primary benefits of the Shared Responsibility Model include the following:

  • It demarcates accountability to ensure there’s no ambiguity concerning who handles certain aspects of cloud security.
  • It reduces the end user’s operational burden by outlining the physical infrastructure elements the cloud provider is responsible for.
  • It offers guidance on how best to secure workloads and data on the cloud.

What Are the Three Customer Responsibilities in the Shared Responsibility Model for Security?

Customer responsibilities depend on the cloud service a customer selects, which determines how much configuration the customer must perform as part of its security responsibilities. For example, Amazon Elastic Compute Cloud (EC2) is classified as Infrastructure as a Service (IaaS): customers perform all the necessary management tasks and security configuration themselves. Any customer who deploys EC2 therefore manages the guest operating system and any utilities or application software they install.

Essentially, the three responsibilities of customers in the Shared Responsibility Model are:

  • Customers are always responsible for managing their data and encryption options.
  • They are also responsible for classifying their assets.
  • They are responsible for using Identity and Access Management (IAM) tools to assign appropriate permissions.

What Is the Responsibility of Cloud Service Providers in the Shared Responsibility Model?

In the Shared Responsibility Model, CSPs are often responsible for security of the cloud, whereas the cloud consumer is always responsible for security in the cloud. Each CSP, such as Azure, AWS, and GCP, defines the split somewhat differently. Here are basic outlines of the provider’s responsibilities as defined by the major CSPs:

  • Amazon Web Services safeguards the physical infrastructure that runs all the services offered in the AWS Cloud. This infrastructure includes the hardware, software, networking, and facilities that run AWS Cloud services.
  • For the Google Cloud Platform, Google protects the cloud, including physical security (mainly in Platform-as-a-Service scenarios), infrastructure, deployment, and web applications in Software-as-a-Service scenarios.
  • For Microsoft Azure, responsibilities vary based on whether the workloads are hosted on Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS).

What Are 3 Examples of Responsibility?

Here are three examples of responsibility in the Shared Responsibility Model:

Review the service level agreement (SLA) carefully

Organizations must carefully examine their SLA with each cloud vendor to ensure they’re aware of their security responsibilities and to identify any gray areas that need to be clarified. If an organization is changing cloud service providers, for example, it must carefully review the new contract and identify any changes. Further, companies operating in multi-cloud environments must reevaluate each SLA individually, because terms aren’t standard across cloud vendors.

Make data security a top priority

Cloud consumers are fully responsible for any data produced by applications or stored in the cloud. Companies must therefore create a solid data security plan for their cloud-based data.

Ensure strong identity and access management

Cloud consumers are also fully responsible for granting access rights and ensuring that only authorized individuals receive them. These efforts must therefore be included in the company’s broader identity and access management (IAM) solution set and policy.
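The three customer responsibilities listed earlier (data and encryption options, asset classification, and IAM permissions) and the data security and access management points above are all things a customer can verify for itself. The following script is an added example, not code from RiskRecon or any cloud provider: it walks a constructed, provider-neutral inventory of cloud resources and a set of simplified IAM policies and reports every item where a customer-side responsibility is unmet. The inventory shape, the `classification` tag name, and the policy format are assumptions for illustration; in practice the inventory would be pulled from the provider's own APIs.

```python
"""
Customer-side shared-responsibility checks (added example, not from RiskRecon
or any cloud provider). It walks a constructed inventory of cloud resources and
flags items where the *customer's* responsibilities are unmet: data not
encrypted at rest, assets missing a classification tag, data stores exposed
publicly, and IAM policies that grant wildcard permissions. The inventory
format, tag names and policy shape are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed sample inventory (not real accounts or resources).
INVENTORY = [
    {
        "id": "bucket-customer-exports",
        "kind": "object_store",
        "encryption_at_rest": False,          # customer-controlled setting
        "public_access_blocked": True,
        "tags": {"classification": "confidential"},
    },
    {
        "id": "vm-web-01",
        "kind": "virtual_machine",            # IaaS: customer owns the guest OS
        "encryption_at_rest": True,
        "public_access_blocked": True,
        "tags": {},                           # no classification tag
    },
    {
        "id": "db-orders",
        "kind": "managed_database",
        "encryption_at_rest": True,
        "public_access_blocked": False,
        "tags": {"classification": "restricted"},
    },
]

# Constructed IAM policies in a simplified, provider-neutral shape.
POLICIES = {
    "ops-admin-legacy": {
        "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}],
    },
    "app-reader": {
        "statements": [{"effect": "Allow",
                        "actions": ["storage:GetObject"],
                        "resources": ["bucket-customer-exports/*"]}],
    },
}


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str      # which customer responsibility is unmet
    detail: str


def check_data_protection(inventory):
    """Encryption options, classification and exposure are always the customer's job."""
    findings = []
    for r in inventory:
        if not r.get("encryption_at_rest"):
            findings.append(Finding(r["id"], "encryption", "encryption at rest is disabled"))
        if "classification" not in r.get("tags", {}):
            findings.append(Finding(r["id"], "classification", "no data classification tag"))
        if not r.get("public_access_blocked"):
            findings.append(Finding(r["id"], "exposure", "public access is not blocked"))
    return findings


def check_iam_policies(policies):
    """Flag Allow statements that grant every action on every resource."""
    findings = []
    for name, policy in policies.items():
        for st in policy["statements"]:
            if st["effect"] != "Allow":
                continue
            if "*" in st["actions"] and "*" in st["resources"]:
                findings.append(Finding(name, "iam", "wildcard action on wildcard resource"))
    return findings


def run_assessment(inventory=INVENTORY, policies=POLICIES):
    """Return all findings grouped by control, so each gap maps back to the model."""
    grouped = {}
    for f in check_data_protection(inventory) + check_iam_policies(policies):
        grouped.setdefault(f.control, []).append(f)
    return grouped


if __name__ == "__main__":
    for control, items in run_assessment().items():
        print(f"[{control}]")
        for f in items:
            print(f"  {f.resource}: {f.detail}")
```

Each finding names the control it belongs to, so the output can be filed directly against the customer column of the shared responsibility matrix; provider-owned layers (facilities, hypervisor) are deliberately absent from the inventory because the customer cannot fix them.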

What Are the Two Recommendations for a Shared Responsibility Model?

The Shared Responsibility Model corresponds to two recommendations:

  • First, cloud service providers must precisely document their internal security controls and the customer-facing security features they offer, so that cloud consumers can make informed decisions. Cloud providers must also design and operate those controls properly.
  • Second, for any cloud project, cloud consumers must maintain a responsibilities matrix that documents who executes which controls and how. This matrix must align with the applicable compliance regulations.
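The responsibilities matrix in the second recommendation, and the IaaS/PaaS/SaaS variation noted for Azure and for EC2 as IaaS earlier, can be made concrete in code. The following is an added example, not from RiskRecon or any provider: it encodes a generic split of control layers across the three service models and validates a project's control register against it, reporting controls with no documented owner, controls whose documented owner disagrees with the model, and customer-owned controls that do not say how they are implemented. The control names, the ownership split, and the sample register are assumptions for illustration; the real split must be taken from each CSP's published model.

```python
"""
Responsibilities matrix for the shared responsibility model (added example,
not from RiskRecon or any provider). Encodes a generic split of security
controls across IaaS, PaaS and SaaS and validates a project's control register:
every control needs exactly one accountable party, and every customer-owned
control must say how it is implemented. Control names, the split per service
model and the sample register are assumptions for illustration.
"""

# Ownership of each control layer by service model (assumed, generic split).
# "provider" = security of the cloud, "customer" = security in the cloud.
OWNERSHIP = {
    "physical_facilities":    {"IaaS": "provider", "PaaS": "provider", "SaaS": "provider"},
    "network_infrastructure": {"IaaS": "provider", "PaaS": "provider", "SaaS": "provider"},
    "hypervisor":             {"IaaS": "provider", "PaaS": "provider", "SaaS": "provider"},
    "guest_os_patching":      {"IaaS": "customer", "PaaS": "provider", "SaaS": "provider"},
    "runtime_and_middleware": {"IaaS": "customer", "PaaS": "provider", "SaaS": "provider"},
    "application_code":       {"IaaS": "customer", "PaaS": "customer", "SaaS": "provider"},
    "data_classification":    {"IaaS": "customer", "PaaS": "customer", "SaaS": "customer"},
    "data_encryption_keys":   {"IaaS": "customer", "PaaS": "customer", "SaaS": "customer"},
    "identity_and_access":    {"IaaS": "customer", "PaaS": "customer", "SaaS": "customer"},
}


def build_matrix(service_model):
    """Return {control: owner} for one service model (IaaS, PaaS or SaaS)."""
    if service_model not in ("IaaS", "PaaS", "SaaS"):
        raise ValueError(f"unknown service model: {service_model}")
    return {control: owners[service_model] for control, owners in OWNERSHIP.items()}


def customer_controls(service_model):
    """Controls the customer must execute for the given service model."""
    return sorted(c for c, o in build_matrix(service_model).items() if o == "customer")


def validate_register(service_model, register):
    """
    Check a project's control register against the matrix.

    `register` maps control -> {"owner": ..., "how": ...}. Returns a list of
    (control, problem) tuples; an empty list means the register is consistent.
    """
    matrix = build_matrix(service_model)
    problems = []
    for control, owner in matrix.items():
        entry = register.get(control)
        if entry is None:
            problems.append((control, "no owner documented"))
            continue
        if entry.get("owner") != owner:
            problems.append((control, f"documented owner {entry.get('owner')!r} "
                                      f"but model assigns {owner!r}"))
        if owner == "customer" and not entry.get("how"):
            problems.append((control, "customer-owned control has no implementation noted"))
    for control in register:
        if control not in matrix:
            problems.append((control, "control not in the model"))
    return problems


# Constructed register for an IaaS project (sample data, not a real project).
SAMPLE_REGISTER = {
    "physical_facilities": {"owner": "provider", "how": "provider attestation"},
    "network_infrastructure": {"owner": "provider", "how": "provider attestation"},
    "hypervisor": {"owner": "provider", "how": "provider attestation"},
    "guest_os_patching": {"owner": "customer", "how": ""},          # missing "how"
    "runtime_and_middleware": {"owner": "provider", "how": ""},     # wrong owner for IaaS
    "application_code": {"owner": "customer", "how": "SAST in CI"},
    "data_classification": {"owner": "customer", "how": "tagging policy"},
    "data_encryption_keys": {"owner": "customer", "how": "customer-managed keys"},
    # identity_and_access is missing entirely
}

if __name__ == "__main__":
    for control, problem in validate_register("IaaS", SAMPLE_REGISTER):
        print(f"{control}: {problem}")
```

The ownership table is the artefact to review when an SLA changes or when a workload moves between service models; rerunning the validation against the same register shows exactly which controls silently change hands.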

What Is Identity and Access Management (IAM)?

IAM gives the right employees and job roles access to the tools and resources they need to do their jobs. For example, IAM systems let your company manage employees’ applications without logging into each application as an administrator. These systems also help your company manage many kinds of identities, including software, people, and hardware such as IoT and robotics devices.

Understand Your Responsibilities in the Cloud

Cloud service providers continually invest in innovative solutions to boost their security profiles. You must also do the same to hold up your end of the shared responsibility model. By understanding the shared responsibility model and its benefits, you’ll be in a better position to protect your cloud infrastructure and boost your overall security profile.

At RiskRecon, a Mastercard company, we understand the importance of protecting data. That’s why we offer free demos to assess your cybersecurity with our own software. Schedule a free demo today and see how we can help.