Every now and then, new buzzwords appear in the information technology domain.
One of the buzzwords doing the rounds is “shared responsibility model”.
What does this term mean?
In the cloud security context it means a security framework that defines the security responsibilities of a cloud computing provider and of its customers, so that accountability for each part is clear.
Let us now consider two scenarios.
- When a business operates its own IT Infrastructure in-house with its own data center, the primary responsibility for the security of this infrastructure is with the business.
- When the enterprise moves to a public cloud, it transfers some of the security responsibilities to its cloud hosting provider. The scope of responsibility for the cloud provider and the cloud user is clearly demarcated for the different aspects of security. Yet both parties must work in tandem to ensure full coverage of security.
It is to be noted that each type of cloud model, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service), clearly defines which party is responsible for which security tasks.
According to information technology experts, the users’ accountability increases as they transition from SaaS to PaaS to IaaS.
In this context let us examine the IaaS model. Here the security responsibilities are divided as follows.
- The cloud provider is fully responsible for securing the basic cloud infrastructure components such as servers, storage, virtualization software and networks. The cloud vendor is also liable for the physical security of the data center that houses the infrastructure.
- The client on the other hand is accountable for the security of its OS, software and data.
This is broadly in line with the best practices outlined in the Amazon Web Services (AWS) cloud security model.
For the infrastructure services the responsibilities are divided as under:
- Customer – Platform, applications, identity and access management, data, OS, firewall configuration, and network
- Vendor – Compute infrastructure, storage, database and network.
To put it simply, the customer is responsible for security “in the cloud”, whereas AWS is responsible for security “of the cloud”.
How did the idea that cloud security is a shared responsibility come about?
To improve agility and reduce costs, businesses are distributing cloud-based applications across a variety of environments and deployment models.
It is the apprehension over data exposure that has brought about security concerns in the cloud.
This is the top priority for IT managers.
In the present business environment, the challenges are twofold.
- Balancing the company’s need for agility without compromising the security of data as it moves between various clouds.
- Gaining visibility and preempting attacks that try to smuggle data out, whether they originate from external sources or from inside the organization.
Typically, in an IT setup there are several units responsible for cloud security. These include, but are not limited to, the technology or network team, the applications team, the security team and the compliance team.
But looking at the overall cloud picture, cloud security must be shared between the cloud provider and the company.
This is true even when transitions are made from the private cloud to the public cloud to SaaS.
Put simply, the division works as follows.
- In a private cloud, responsibility for the security of data, applications and infrastructure lies solely with the customer or enterprise.
- In a public cloud setup, responsibility for data and applications lies with the customer, whereas accountability for the security of the infrastructure lies with the vendor.
- In SaaS, responsibility for the security of data lies with the enterprise, while responsibility for the applications and infrastructure lies with the vendor.
The picture is clear. IT security is the combined responsibility of both the vendor and the enterprise. While the enterprise must be confident that the vendor has implemented adequate security measures to keep applications and data secure, it must also have the right tools to manage what vendors do not do.
So what are the right tools for an enterprise?
In a nutshell, the tools must perform the following functions.
- Provide transparency into activity within applications
- Provide exhaustive analytics on usage to preempt data risks and compliance breaches
- Monitor strictly, drive enforcement, and quarantine if any violation occurs
- Leverage real-time threat intelligence on known threats and perform state-of-the-art detection of unknown threats, to prevent security compromise via new malware entry points.
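The IaaS division above leaves firewall configuration with the customer, and the tool list asks for monitoring that drives enforcement and quarantine. The following script is an added example, not code from the original post or from any cloud vendor, of what such a customer-side check looks like: it inspects ingress rules the customer controls, flags the ones that expose administrative or database ports to the whole internet, and returns a quarantined rule set with the offenders removed. The rule format and the sample rules are constructed for the example and are not any provider's real API schema.

```python
"""Added example: a customer-side check of IaaS firewall rules.

The rule format and sample data below are constructed for this example
and do not follow any provider's real API schema.
"""
import ipaddress
from dataclasses import dataclass

# Ports that should never be reachable from the whole internet
# (SSH, RDP, PostgreSQL, MySQL). Policy choice for this example.
ADMIN_PORTS = {22, 3389, 5432, 3306}


@dataclass(frozen=True)
class IngressRule:
    rule_id: str
    protocol: str        # "tcp", "udp", or "all"
    from_port: int       # 0 together with to_port 65535 means every port
    to_port: int
    source_cidr: str     # where the traffic is allowed to come from


def is_world_open(cidr: str) -> bool:
    """True when the source range covers the entire IPv4 or IPv6 internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def covers_admin_port(rule: IngressRule) -> bool:
    """True when the rule reaches at least one port in ADMIN_PORTS."""
    if rule.protocol == "all":
        return True
    return any(rule.from_port <= p <= rule.to_port for p in ADMIN_PORTS)


def find_violations(rules):
    """Monitoring step: rules that expose admin ports (or every port) to the internet."""
    return [r for r in rules if is_world_open(r.source_cidr) and covers_admin_port(r)]


def quarantine(rules):
    """Enforcement step: drop the violating rules and keep the rest unchanged."""
    bad = {r.rule_id for r in find_violations(rules)}
    return [r for r in rules if r.rule_id not in bad]


# Constructed sample: one security group as a customer's tool might read it.
SAMPLE_RULES = [
    IngressRule("sg-r1", "tcp", 443, 443, "0.0.0.0/0"),         # public HTTPS: acceptable
    IngressRule("sg-r2", "tcp", 22, 22, "0.0.0.0/0"),           # SSH open to the world: violation
    IngressRule("sg-r3", "tcp", 22, 22, "10.0.0.0/8"),          # SSH from a private range: acceptable
    IngressRule("sg-r4", "all", 0, 65535, "::/0"),              # everything from the IPv6 internet: violation
    IngressRule("sg-r5", "tcp", 3306, 3306, "203.0.113.0/24"),  # MySQL from one office range: acceptable
]

if __name__ == "__main__":
    for r in find_violations(SAMPLE_RULES):
        print(f"violation: {r.rule_id} {r.protocol} {r.from_port}-{r.to_port} from {r.source_cidr}")
    print("rules kept after quarantine:", [r.rule_id for r in quarantine(SAMPLE_RULES)])
```

Running the script reports sg-r2 and sg-r4 as violations and keeps sg-r1, sg-r3 and sg-r5. The point of the split between `find_violations` and `quarantine` is that the monitoring output is what feeds the enforcement action; the provider secures the virtualization and network fabric underneath, but nothing in that layer will remove a rule the customer wrote.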
Most of the major cloud vendors, such as Amazon Web Services, clearly define their shared responsibility models in their offerings.
Yet in practice the responsibility demarcations can become blurred, especially when the cloud provider has made a large mark in the cloud domain, as Amazon Web Services has.
In such a scenario, companies must clearly demarcate their security roles when signing the contract.