Contact Us

Cloud security:
the cloud shared
responsibility model

Author: Sue Poremba

Before your company migrates to the cloud, you have to be able to answer one small question: Who's in charge of cloud security? A lot of misconceptions surround cloud security, but one thing is true: No matter who your provider is, cloud security is a shared responsibility, and you need to set clear expectations between those who build your cloud environment and those who use it. Knowing what security the providers are responsible for is essential if there's a cyber incident.

The cloud shared responsibility model looks something like this: Cloud providers manage the security of the cloud infrastructure, while cloud customers are responsible for what goes into the cloud and who has access to the data and assets they store in the cloud.

In a cloud shared responsibility model, the provider and the customer draw up an agreement on how to best work together to offer the highest levels of security. Both sides must be cognizant of industry and government regulations and how to meet the stringent requirements of these regulations, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the growing number of state data privacy laws. While there will always be unique variables for each provider-customer relationship, each side should consider following some general guidelines.

Cloud shared responsibility model

Cloud security: The provider's role

"The key to a successful security implementation in a cloud environment is understanding where your provider's responsibility ends, and where yours begins," a CloudPassage article stated.

The provider's responsibility depends in part on the cloud service model the customer chooses. While similar security protections may be offered under infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) cloud service models, each model demands varying levels of responsibility by a provider.

In the IaaS model, the provider is typically responsible for securing the physical elements of the cloud, such as the data centers and network infrastructure, as well as data storage and processing, while in the PaaS model, the provider typically handles security for virtual machines and operating systems. SaaS providers are responsible for the most security, managing everything except customer data and online customer touchpoints, such as websites and mobile apps. Facility security is also the provider's responsibility, protecting not only the data centers but the buildings in which the provider employees work, the employees themselves and third-party contractors.

Popular public cloud providers like Amazon Web Services (AWS) and Azure have their own security standards. AWS handles "protecting the hardware, software, networking, and facilities that run AWS Cloud services," while Azure secures "physical hosts, networks, and data centers," according to the CloudPassage article. 

Cloud security: The customer's role

The customer is responsible for managing the data and applications stored in their cloud across all cloud models. They're also in charge of the security for any protections the cloud service provider doesn't offer. Understanding who has what responsibility in a cloud shared responsibility model is essential because a data breach involving AWS cloud, for example, may in fact have come from errors on the customer side.

Cloud customers need to include cloud security in their overall security policies. Security awareness training should include the risks to data and applications in cloud formats. Customers may also be responsible for endpoints, and there should be security processes in place to protect devices that use cloud applications.

Communications in a cloud shared responsibility model

Shared responsibility requires good communication and best practices between the provider and the customer. The risks to the cloud infrastructure and data should be outlined as part of any agreement, as well as who is responsible for security and remediation if there's an incident.

Just as customers turn to the cloud for its scalability, responsibility surrounding the cloud security should also be scalable. Providers should understand cloud usage from the customer's point of view—recognize what and where the greatest risks are, what assets need protection and how vulnerabilities on the cloud side impact the customer's business—and then add security controls that are unique to the customer's needs. As the customer's needs change, the provider should be able to pivot in tandem.

At the same time, customers must be able to accurately define their own requirements for cyber security and how that translates to cloud security. If the customer doesn't have a clear picture of their most valuable assets or what industry regulations are required around cloud computing, the provider won't be able to take the right security steps on its end.

Most importantly, everyone involved with cloud security—from the customer's security and IT teams to the provider's representatives—should know exactly where one team's security requirements end and the other team's begins and where there's any overlap. There should be clear communication concerning any third parties that would have access to the cloud architecture or how issues like shadow IT are handled. And everything should be put in writing in the contract. There should not be any ambiguity in a cloud shared responsibility model.

Although your cloud service provider is largely responsible for the security of your applications, as a generator and user of data, you also have a key role to play in ensuring cloud security. Set reasonable expectations for the security your cloud provider offers, but also have a security plan in place to protect your assets within the cloud. Cloud security will always be a shared responsibility; how you and your provider work together to align on a cloud shared responsibility model could be the difference between a devastating data breach and well-protected digital assets.

Discover what makes a cloud services partnership with Verizon productive and secure.