Understanding The Shared Responsibility Model When Utilizing Public Cloud Services
For any business considering public cloud services, or any variation of paid X-as-a-Service offerings, it is vital to understand how security works on public cloud servers. The importance of this is hard to overstate. According to Gartner research, 95% of all security incidents involving cloud servers are the fault of the cloud customer, rather than the cloud provider. Not only that, Gartner predicts this statistic will hold true until at least 2022!
This clearly illustrates a need for better understanding of cloud security models among business users, particularly given how destructive and costly cloud security incidents can be.
So in this article, we want to talk in some depth about the shared security model – the standard model for cloud security on Azure, AWS, and all other major public cloud systems.
What Is the Shared Security Model Of Cloud Security?
“Who is responsible for cloud security, the cloud provider or the customer?”
According to the shared security model, the answer is both. Both provider and customer have areas of responsibility for maintaining security, and there are relatively few places where that responsibility overlaps. In our experience, a large number of security problems among cloud customers involve misunderstanding those realms of responsibility.
Further, it’s safe to say that there are more areas of cloud security for which the customer is responsible than there are for the provider. Companies that understand this basic delineation of responsibility will be in a much better position to maintain a high level of cloud security.
What Aspects Of Security Does The Cloud Provider Oversee?
Broadly speaking, in most public cloud services, the cloud provider is only responsible for the physical security of their systems, as well as protecting the underlying infrastructure powering the cloud system.
This breaks down to several clear areas of responsibility.
Physical premises security. The cloud provider is wholly responsible for protecting their physical facilities from any intrusion and ensuring that their hardware is not directly compromised.
Environmental security. Along with security against in-person tampering, cloud providers will also be expected to provide a reasonable level of protection against environmental problems, such as earthquakes or weather-related disasters. Of course, there will be a practical upper limit to what they can guarantee here – nature can always potentially conjure a disaster which will overwhelm even the best human-built protection.
Underlying server-level security. If we’re talking about attacks which would affect an entire cloud server, and all of its customers, that’s the responsibility of the service provider. They are the ones who should be providing protection against DDoS attacks, man-in-the-middle attacks within their network, and similar broad-spectrum attacks.
Cloud systems updates and patching. The provider is responsible for the underlying software powering their cloud systems. If, for example, a zero-day exploit is discovered in Azure that could affect any customer, it’s Microsoft’s responsibility to fix it. However, this is only true for software being directly provided by the vendor. The customer is still responsible for any software they deploy.
Business continuity services and contingencies. Most, if not all, reputable cloud providers will provide some contingencies in the case of accident or system failure, such as backup servers. As with the primary cloud infrastructure and software, they are responsible for securing any such backup measures.
And that sums up what cloud providers are reasonably expected to provide, in terms of security. That means everything else is the customer’s responsibility.
What Aspects Of Cloud Security Does The Customer Control?
Since cloud services are used for a wide variety of purposes, it’s impossible to present a 100% complete list, but this covers the most common highlights:
Properly configuring systems for detecting when a cloud account has been breached.
Managing and handling all matters relating to logins, authentication, and access permissions.
Controlling what data is uploaded to the cloud, and ensuring that proper encryption is utilized.
Any and all monitoring of access to the cloud services, including virus scanners and port scanning.
Updating and maintaining user-side software, such as guest operating systems, VMs, third-party apps, etc.
Understanding platform-specific usage and documentation to ensure provided tools are being used in the recommended manner.
All device-side permissions and security, such as which devices are allowed onto the cloud server.
Are there any areas of overlap? A few. For example, say a cloud provider has created tools that allow reporting on usage of, and access to, cloud resources. It would be the provider’s responsibility to ensure the tools function properly without any low-level security holes, but it would be the customer’s responsibility to read the documentation and configure those tools appropriately for their needs, with the correct access privileges attached.
Both Microsoft and Amazon have some great imagery to help you understand the shared responsibility model. Here is Microsoft's:
[Image: Microsoft's shared responsibility model diagram]
And here is Amazon's:
[Image: Amazon's shared responsibility model diagram]
Hope that helps to clarify YOUR responsibility in a shared responsibility model.
Learn More About Proper Cloud Security With Our Free eBook!
Not sure where to start when locking down your cloud server? Our eBook, 7 Deadly Sins Of Azure Misconfiguration And How To Fix Them, is a free download. Click here to get your copy today.