What is Shared Responsibility Model?

As defined, this model clearly outlines what CSPs and users are responsible for securing particular aspects of the cloud environment. It also reflects the strengths of both the parties. Because CSPs are expert in securing their infrastructure, and you are well-versed about your data and security needs.

As said above, your CSP is responsible for securing your cloud infrastructure. Because of this, you can dedicate your resources to core business functions. Your IT teams can focus on developing and managing your applications within the cloud, improving your development efficiency and innovation.

Just like the users, devices are also given controlled access within the zero-trust environment. This involves managing and authenticating devices before they are granted organizational resources. Measures like device registration, posture checks, and endpoint security controls can be implemented to ensure that only authorized and secure devices can connect to the network.

The CSPs take care of the security of your underlying infrastructure, including vulnerability patching and hardware maintenance. This allows your internal security team to focus and prioritize high-level security tasks such as access control or data encryption that are specifically related to your cloud assets.

The shared responsibility model fosters a culture of continuous improvement. CSPs and users share a common interest in maintaining a secure environment. This leads to continuous advancements while maintaining security updates and protocols within the cloud platform.

The Shared Responsibility Model is a widely used framework in cloud computing. With the benefits it provides for CSPs and users, It has become almost standard practice for all the major cloud providers like Amazon AWS, Microsoft Azure, GCP, IBM Cloud, Alibaba Cloud, and more.

Cloud providers invest heavily in security including advanced tools and expertise. The Shared Responsibility Model benefits organizations with pre-secured security tech at potentially lower costs compared to building and maintaining your own secure infrastructure.

With a shift in the IT industry in the last two decades that continues to grow even today, many organizations are adopting the cloud for the first time. Thus, the shared responsibility model can relatively be a new concept for such organizations. We have explained 5 practices that benefit both new as well as experienced cloud users.

Regardless of your experience, it is important to understand your security obligations that fall under the model. For new users, we recommend thoroughly reviewing their CPS’s security documentation and shared responsibility matrix. Whereas, experienced users should also revisit these documents periodically to stay updated in case of changes.

Before migrating to the cloud, both new and experienced users should carefully prepare a list of their data. And further, identify and classify this data based on the risk levels from HIGH to LOW. This practice will help to determine the appropriate security controls required within the cloud environment.

There are many services and educational materials that are offered by CSPs, these may include certification courses, encryption services, access control, activity monitoring tools, etc. Both experienced and new users should leverage and utilize these security features offered by their CSPs. Training resources is one of the best ways to understand effective configuration and its uses.

So many things have evolved, but IAM still needs attention. Prioritize robust IAM practices within the cloud. This includes defining user roles with the least privilege access, enforcing multi-factor authentication, and regularly reviewing user access permissions.

Learn more about IAM here

As we always say “Security is not a set-and-forget practice” and should be a continuous process. Security professionals should foster a culture of security awareness within the organization. Educating employees on cloud security best practices, including data procedures, reporting suspicious activity, and providing hands-on training is a must. Spreading security awareness within the development teams will take your security game to the next level!

• Physical Security: The CSPs are responsible for the physical security of the data centers where the actual cloud infrastructure resides. This includes measures like access control systems, intrusion detection, video surveillance, and environmental controls to safeguard against physical threats.
• Underlying Infrastructure: The CSP secures and manages the core infrastructure including hardware, network components, and visualization layer. They are responsible for ensuring the availability, reliability, and security of these fundamental elements.
• Cloud Platform Security: CSPs look after the core cloud platform, including the operating system and security features of their cloud services. This involves patching vulnerabilities, managing user access to the platform, and implementing security best practices.

• Data and Applications: The security of the data stored within the cloud environment is your responsibility. This includes encryption of sensitive information (at rest and in transit), access controls to manage who can access your data, and proper configuration of your cloud applications to minimize threats.
• Guest Operating System: The security of the guest operating system you choose to run on the cloud platform is your responsibility. This includes keeping the operating system software up-to-date with the latest security patches and maintaining secure configurations to minimize vulnerabilities.
• Compliance: You should ensure that the use of your cloud platform complies with the required compliance and industry standards that apply to your organization type. This may involve implementing additional security controls or data residency requirements depending on your specific industry or data sensitivity.
• Reviewing SLA: It is your responsibility to carefully review the service agreement (SLA) with your cloud service provider to understand their specific security commitments and your corresponding area of responsibility.

• Planning and Communication: The CSP develops the entire incident response plan, and users are expected to understand and get familiar with it while creating a complementary internal plan. Both parties establish clear communication protocols to notify each other and keep users informed in case of an incident.
• Action during an incident: The CSP leads the investigation and remediation within their platform. Users isolate the affected resource within the cloud environment, helping CSPs in their investigation.

• CSP’s role: Provide training resources and learning material specific to their platform and keep their users updated on evolving threats and weaknesses.
• User roles: conduct regular security awareness training for their employees, tailored to their roles within the cloud environment, and foster a culture of security awareness within the organization.

• CSP’s role: Provide secure logging capabilities and various monitoring tools within their platform.
• Customer’s role: They configure the given tools to monitor their cloud environment, analyze logs for suspicious activity, and communicate any potential threats to the CSP for further investigation.

• CSP’s role: Provide IAM tools and features to define user roles, assign access permissions, and enforce multi-factor authentication.
• Customer’s role: They leverage the provided IAM tools to implement the principle of least privilege, and conduct regular access reviews to minimize the attack surface.

• CSPs: CSPs provide data encryption capabilities and secure data deletion procedures.
• Customer’s role: They classify data based on sensitivity, apply appropriate encryption measures, and define data retention policies to minimize risk.

• CSP’s role: They proactively patch vulnerabilities within their infrastructure and platform services.
• User role: Always keep their guest operating system and applications running in the cloud up-to-date with the latest security updates.

• Customer’s responsibility: Users are ultimately responsible for ensuring their use of the cloud platform complies with relevant regulations and industry standards.
• CSP’s support: The CSP can provide resources and guidance to help users understand their compliance requirements within the cloud environment.