Who is responsible for cloud security: The service provider or the customer? Many people view it as a shared-responsibility relationship. Here are best practices for managing that relationship.
When it comes to securing data in the cloud, the importance of deciding who's responsible for what cannot be overstated. Currently, there are three choices: Cloud-service customers, cloud-service providers, or customers and providers sharing the responsibility.
A 2018 Global Cloud Data Security Study (Figure A) conducted by the Ponemon Institute for Gemalto found that:
"[In 2017] Fewer respondents (32 percent of respondents) say it is a shared responsibility [between the cloud provider and the cloud user]. Respondents are evenly divided between responsibility resting with the cloud provider or cloud user (both 34 percent)."
SEE: Cloud computing policy (Tech Pro Research)
The shared-responsibility model
Jenna Kersten, content marketing specialist at KirkpatrickPrice, in her blog post Who's Responsible for Cloud Security? sides with the survey respondents opting for shared responsibility. In her post, Kersten takes it a step further and discusses one way to divvy up responsibility between cloud-service customers and cloud-service providers in the following cloud-service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- IaaS solutions: In IaaS, the cloud-service provider manages facilities, data centers, network interfaces, processing, and hypervisors. The cloud-service customer is responsible for the virtual network, virtual machines, operating systems, middleware, applications, interfaces, and data.
- PaaS solutions: With the PaaS model, Kersten adds virtual networks, virtual machines, operating systems, and middleware to the cloud-service provider's responsibilities. The customer is still responsible for securing and managing applications, interfaces, and data.
- SaaS solutions: The SaaS model, according to Kersten, moves responsibility for everything except interfaces and data to the cloud-service provider.
"Cloud-service providers and cloud-service customers both have a responsibility to protect data," continues Kersten. "It's also important to note that execution of individual security-management tasks can be outsourced, but accountability cannot. The responsibility to verify that security requirements are being met always lies with the customer."
Amazon Web Services
The powers that be at Amazon Web Services (AWS) agree with the "32 percent" and Kersten. From the AWS website about the company's vision of shared responsibility:
"This shared model can help relieve customer's operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall."
Data in the cloud still resides somewhere on physical devices (i.e., servers, hard drives, and the like). Since responsibility is shared, both customers and providers need to ensure buildings, computing equipment, and physical infrastructure are secure. Employees are also an important consideration, as social engineering is a preferred attack method of cybercriminals due to its success.
How to manage a shared-responsibility relationship
Kersten looks at how parties responsible for cloud services at the customer's site and the provider's location can best manage a shared-responsibility relationship, starting with cloud-service providers:
- Consider risks from the customer's perspective, and then implement controls that will demonstrate everything possible is being done to mitigate the risks.
- Document the internal controls used to manage risks.
- Provide documentation on how customers can use the provided security features. Kersten adds, "AWS does a great job of this through their educational programs."
- Create a responsibility matrix that defines how your solution will help your customers meet their various compliance requirements. Turn to the CSA's CAIQ and CCM as starting points for establishing the shared responsibility model.
Next, Kersten focuses on the cloud-service customer:
- Define cloud-security requirements before selecting a cloud-service provider. "If you know what you're looking for in a cloud service provider, you can better prioritize your needs," adds Kersten.
- Harmonize the corporate governance program between traditional and cloud-based IT delivery. Migrating systems and applications into the cloud is going to require policy changes.
- Establish contractual clarity on the roles and responsibilities of each party, especially with regards to the public cloud, including:
* Who's responsible for cloud security?
* How far does the cloud-service provider go?
- Develop a responsibility matrix that defines the security roles and responsibilities for you and for each vendor, including cloud-service providers.
SEE: Vendor management: How to build effective relationships (free PDF) (TechRepublic)
Do not forget about compliance
Compliance and cloud security might be considered a digital symbiotic relationship--one cannot exist without the other the way regulations are structured. Duane Tharp pulls no punches when talking about compliance and security:
"The first reason is regulatory. Businesses have to be compliant to a regulatory regime, whether state, federal, or internal. The other reason is fear. The nominal additional investment in security potentially can prevent a bad situation from arising in the future. There is a positive net return."
- Report: One in four public cloud users has had data stolen (ZDNet)
- Only 16% of organizations believe their current security can protect them in the cloud (TechRepublic)
- The cybersecurity skills gap caused 40% of IT pros to stall their cloud migrations (TechRepublic)
- How to make a secure transition to the public cloud: 10 steps (TechRepublic)
- Cloud data storage policy (Tech Pro Research)