Understanding the basics of Cloud Security: What is the Shared Responsibility Model?

by Michael Osakwe, January 4, 2023

The shared responsibility model is a cybersecurity framework that works to ensure the most secure environment and infrastructure for both cloud service providers and their customers. It’s a joint effort by both parties to help protect digital assets and mitigate risks. In this post we’ll go into detail about what the shared responsibility model is, why it matters, and how you can practice it.

What is the shared responsibility model?

Security is a shared responsibility. That’s why the Shared Responsibility Model (SRM) exists. It outlines who is responsible for securing data and applications across all layers of the cloud, from infrastructure to user access. The core idea behind this model is that cloud service providers are responsible for securing the cloud infrastructure, while customers are responsible for securing anything they put into or take out of that same environment. This model applies to all types of public cloud services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). This means that customers are in charge of setting up user access limits, creating policies to protect their data, and auditing access privileges. Providers, on the other hand, must create secure systems, maintain them regularly, and provide customers with visibility into their security posture. 

How does the shared security model work?

A cynical read of the shared responsibility model is that it’s intended to allow providers to abdicate responsibility for security incidents and push the lion’s share of any security burdens onto customers. But this isn’t true. The shared security model emerges from the nature of how cloud systems are organized.

An example of applications running on a virtual machine. Credit: Performance Analysis of NFS Protocol Usage on VMware ESXi Datastore

Broadly speaking, shared responsibility can be broken down into two categories of responsibilities:

  • Security of the cloud. This refers to the processes, practices, and procedures that cloud service providers conduct to secure the assets they use to deliver cloud services. Examples of this include physical security and access, as well as managing the network protocols, uptime, and anything else having to do with physical and network level operations. For a full list of what types of security and operational practices a cloud service provider offers, check their documentation.
  • Security in the cloud. This second part refers to security within the cloud environment itself. Examples of this include application access permissions and security, as well as any tools used to provide protections to data at the application layer.

The division of cloud security into these two areas of responsibility is not an afterthought for cloud service providers; it stems from the fact that providers do not have visibility within customers’ environments. Their visibility ends at the hypervisor, the space where users’ operating environments are partitioned within a host machine. Customers have visibility beyond the hypervisor at the operating system and application levels, which means that it has to be their job to deploy the appropriate settings and tools to secure their data and environments based on their own specific security and compliance obligations.

The specific responsibilities that a customer has will differ depending on whether they’re using an IaaS, PaaS, or SaaS service provider. For example, a team managing an application on Microsoft Azure will have more granular control over network, OS layer, and application layer configurations than a customer using a SaaS application. To get a better understanding of these distinctions, listen to cybersecurity veteran Ty Sbano speak to the shared responsibility model in the following clip.

Why is the shared security model important?

The shared responsibility model ensures that both parties involved in a cloud deployment have an understanding of which aspects of security each party is responsible for. This helps guarantee that there are no gaps in security coverage, as each party takes ownership over different parts of the security process. Additionally, because both parties are actively engaged in protecting their environment, organizations can benefit from improved threat detection capabilities and better visibility into any potential vulnerabilities or risks across their entire system.

Adopting a shared responsibility model can help organizations get ahead of potential threats before they become major problems. By leveraging both internal and external resources to identify and address any issues quickly, organizations can prevent serious damage from occurring and protect their systems from sophisticated cyber threats such as malware, phishing attacks, or data breaches. Additionally, by having an understanding about which areas need extra attention or resources (both internally and externally), companies can create more effective strategies to protect their assets from potential threats in the future. 

What should customers do to follow the shared security model?

As stated above, the specific considerations a customer will want to make will depend on whether they’re leveraging a SaaS, PaaS, or IaaS service provider. Generally, though, customers should focus on protecting their data by setting up user access limits and creating policies to govern how data is handled in the cloud environment. They should also audit access privileges regularly to make sure they have complete control over who can view or modify sensitive information within their organization. Additionally, customers should take advantage of any visibility options provided by the provider so they have complete insight into their security posture from end-to-end.
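As an added illustration of the customer-side access audit described above (not code from the original post or from any provider), the following Python sketch reviews a list of access grants on sensitive resources. The record format, resource names, domain, and the 90-day staleness threshold are all assumptions made for this example.

```python
from datetime import date

# Constructed sample: a flattened export of access grants (hypothetical format,
# not any provider's real API). last_used is None when a grant was never exercised.
GRANTS = [
    {"principal": "alice@example.com", "resource": "hr-records", "role": "editor", "last_used": date(2022, 12, 20)},
    {"principal": "bob@example.com", "resource": "hr-records", "role": "owner", "last_used": date(2022, 6, 1)},
    {"principal": "vendor@partner.test", "resource": "hr-records", "role": "viewer", "last_used": date(2022, 12, 30)},
    {"principal": "*", "resource": "marketing-site", "role": "viewer", "last_used": None},
    {"principal": "*", "resource": "customer-exports", "role": "viewer", "last_used": None},
    {"principal": "carol@example.com", "resource": "customer-exports", "role": "viewer", "last_used": None},
]
SENSITIVE = {"hr-records", "customer-exports"}  # resources the customer has classified
ORG_DOMAIN = "example.com"                      # assumed organization domain
WRITE_ROLES = {"editor", "owner"}               # roles that can modify data
STALE_DAYS = 90                                 # assumed review threshold


def audit(grants, today):
    """Return (principal, resource, reason) findings for grants on sensitive resources."""
    findings = []
    for g in grants:
        if g["resource"] not in SENSITIVE:
            continue  # out of scope for this review
        who, res = g["principal"], g["resource"]
        if who == "*":
            findings.append((who, res, "public access"))
            continue
        if not who.endswith("@" + ORG_DOMAIN):
            findings.append((who, res, "external principal"))
        idle = None if g["last_used"] is None else (today - g["last_used"]).days
        if idle is None:
            findings.append((who, res, "never used"))
        elif idle > STALE_DAYS and g["role"] in WRITE_ROLES:
            findings.append((who, res, f"write access idle {idle} days"))
    return findings


if __name__ == "__main__":
    for finding in audit(GRANTS, date(2023, 1, 4)):
        print(*finding, sep=" | ")
```

Each finding is a prompt for a human decision (revoke, downgrade, or document an exception) rather than an automatic removal.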

Ultimately the shared responsibility model is a valuable tool for helping organizations protect themselves against cyber attacks. By incorporating this approach into your organization’s overall security strategy, you can be sure that all areas are covered when it comes to protecting your valuable data and applications from malicious threats online. With this knowledge in hand, you can confidently move forward with creating a secure environment—and rest assured knowing that your organization is well-protected.
