The shared responsibility model is one of the most important features of effective cloud security. This applies whether you use a Software as a Service model such as Microsoft 365 or an all-encompassing Infrastructure as a Service model. There are always responsibilities shared between you and the cloud service provider.
The model defines the individual responsibilities of the cloud service provider (CSP) and the customer. It also covers shared accountabilities where both parties have a role to play. Benefits of the shared responsibility model include an improved security posture, greater accountability and lower costs.
One aspect that is never shared is the customers’ responsibility to secure their data, accounts and identities. As a customer, you’re responsible for your data security and making certain you have safe, secure, and reliable backups when you need them.
When you move workloads to the cloud, your responsibilities change. The cloud service provider becomes accountable for the provision of certain services, while you retain responsibility for the balance. In some cases, you and the cloud provider share specific responsibilities. This is known as a cloud shared responsibility model.
It’s vital to fully understand the contents and context of the shared responsibility model that applies to your application. Responsibilities differ depending on the CSP and the type of service you use. In each instance, you, the user, have specific responsibilities regarding cloud security and compliance. You’re always responsible for the security of your data and your backups. By taking the time to fully understand these requirements and implementing appropriate security measures, you can allay concerns regarding cloud security.
The division of responsibilities depends on the cloud solution you employ. At one extreme is the bare-bones IaaS model, where all the CSP provides is a cloud-based host structure. At the other extreme is the SaaS model, which includes everything from the basic hardware up to a complete software application.
It’s important to note the nuances of each CSP’s offering. For example, not all SaaS applications are the same. In some instances, the CSP claims responsibility for everything except the client’s data, while in others, customer responsibility includes access control, application configuration and data security.
The three main cloud service models are:
- IaaS: Infrastructure as a Service
- PaaS: Platform as a Service
- SaaS: Software as a Service
Variations not covered here include Network as a Service, Database as a Service, and Storage as a Service.
Infrastructure as a Service
IaaS is the closest equivalent to having an on-premise data center, except that it’s in the cloud. The CSP’s responsibility is the provision of a physical or virtual host, network and data center. This includes the security, management and software maintenance of these facilities. As the user, you’re responsible for the security of the operating system, software applications, network management, data storage, backups, application configuration, accounts, and identity controls.
Platform as a Service
The main difference between IaaS and PaaS is that the CSP provides the operating system. The customer’s responsibilities include the application software, data management tools, backups, and access management. PaaS often includes a greater proportion of shared services than other models, and the actual division of security responsibilities differs across providers. The user is responsible for data security and storage.
With the SaaS model, the provider provides and is responsible for the infrastructure, operating system and application. As a user, all you have to do is initialize and configure the application to your needs and start using it. Examples include Microsoft 365, Salesforce, Dropbox, and Slack. It’s important to understand that you, as the user, remain responsible for the security of your data. While the CSP has a shared responsibility to make certain the infrastructure and applications are secure, you have to do your part by maintaining secure accounts, user identities and data integrity. Actual responsibilities differ depending on the application and the freedom you have to alter its configuration.
Cloud Service Provider Responsibilities
CSP responsibilities vary depending on the cloud model. In all instances, the CSP is responsible for the provision and security of the physical data center, host software and internal networks. They do this through physical measures together with robust security software, firewalls and protocols. They protect against unplanned downtime through rapid failover services to mirror data centers, comprehensive internal backups and sophisticated disaster recovery solutions. CSPs manage virtualization layers that allow users to access and provision resources. The CSP is responsible for protecting individual customer accounts and partitions from malicious intrusions.
In the case of SaaS and PaaS solutions, the CSP manages all resources up to an agreed level related to the service provided and the customer’s needs. These include software updates, security patches and all aspects of operational security for services provided by the CSP.
You are responsible for every aspect of the service that’s under their direct control. This always includes full responsibility for the security and safety of their data. Aspects include controlling access, identity and user authentication and password management. A crucial aspect is that the user or client is responsible for encrypting, backing up and protecting their data, as well as meeting regulatory requirements such as retention periods.
Customers are responsible for endpoint security, account management, and external network connections. Other points to consider include system configurations, software updates, and the implementation of security patches for all software managed by the user.
Veeam’s 2023 Report on Cloud Protection Trends highlights that many cloud users don’t fully appreciate these responsibilities. These concerns extend to data retention periods and data security.
In most instances, you need to clearly define shared responsibilities. Areas where this can occur include directory infrastructure, applications, and network controls. For example, with IaaS, users often select the operating system. This decision raises issues such as who is responsible for OS configuration, updates and patches. With SaaS, the vendor may provide a firewall, but the user configures it.
At a time when many companies’ IT departments are stretched, the shared responsibility model is an attractive option. CSPs, with their larger budgets and technical depth, can relieve your team of significant responsibilities. Benefits include an improved security posture, a clear division of responsibilities, greater flexibility, and reduced costs.
- Improved security posture: With their broader obligations, CSPs devote significant resources to security, and their teams have significantly greater expertise. They ensure their teams implement firmware and software updates and patches in a timely manner. Their teams focus on keeping systems secure and free of malware, and they constantly monitor their systems for cyber threats
- Clear division of responsibilities: Shared responsibility models clearly define roles and accountabilities. Both parties understand who does what, so there’s no confusion. The cloud shared responsibility model helps eliminate gaps and frees client resources to focus efforts on priority areas
- Flexibility and scalability: Compared to on-premise situations, the cloud provides immense flexibility, allowing users to tailor their applications to suit current needs while still having the ability to scale as needed
- Lower costs: The shared responsibility model allows you to leverage your CSP’s security and infrastructure services to reduce in-house IT workloads. This is at no additional cost other than the agreed-upon monthly subscription for the cloud service
Whether you’re new to the cloud or an experienced user, it’s useful to define a set of shared responsibility best practices. These will help you manage your relationship with your CSP and help you better understand your responsibilities.
- Service level agreement: Make certain you understand the SLA between you and your CSP. Note that these agreements differ between CSPs and with the services you use. Identify and address any gray areas, and carefully define your responsibilities
- Security considerations: You’re always responsible for the security of your data, so prioritize developing a robust data protection strategy
- Identify and access management policy: Develop an access management policy incorporating role-based multifactor authentication policies
- Compliance: Conduct a comprehensive review of all laws and regulations regarding data security and privacy that apply to your data. Make certain your CSP can comply with these requirements
- Audits: Continually audit your systems using threat hunting and forensic tools to detect unauthorized and malicious traffic
- Governance framework: Check that your CSP has a governance framework that includes a person responsible for security and a security and compliance policy
To gain a better perspective on the shared responsibility model, let’s look at three popular cloud platforms: AWS, Microsoft 365, and Salesforce. Each is distinctly different. AWS is primarily an IaaS model, but it offers PaaS and SaaS services. Office 365 and Salesforce are both SaaS cloud models.
AWS is currently the largest cloud service provider. The company has three main cloud platforms. These are:
- EC2. Amazon EC2 is a virtual computer server service offering scalable computing
- Glacier. Amazon Glacier is a low-cost, long-term data storage service for archiving data
- Amazon S3. Amazon Simple Storage Service is a high-performance data storage system intended for frequently accessed data
Amazon EC2 is an IaaS solution that uses Glacier and Amazon S3 for storage. AWS provides the hardware and hypervisor layers over which customers install their guest operating systems and applications. The AWS Shared Responsibility Model specifies that customers are responsible for managing their data and applying identity access and management tools.
Office 365 is an extremely popular cloud version of Microsoft’s Office Suite. Microsoft 365 is a SaaS service built on the Microsoft Azure cloud service. One of the attractive features of 365 is its built-in data replication service, which ensures your data is safe should something go wrong at one of Microsoft’s data centers. Many users assume the data replication service is the same as a backup service. It’s not, nor is Office 365’s recycle bin, which only offers short-term recovery options. The Microsoft 365 Shared Responsibility Model states that it’s the customers’ responsibility to secure (backup) their data, account information and identities.
Salesforce is a company offering a comprehensive suite of sales, marketing and commercial software products under the Customer 360 brand name. It was the first company to offer a true SaaS cloud service. Today, the company has one of the most customizable CRM platforms in the cloud. Like Microsoft, Salesforce operates multiple data centers with full failover capabilities. But this service does not constitute a backup; it simply means you can recover your working data in the event of a disaster. It doesn’t protect against inadvertent deletion, corrupted data or ransomware. The Salesforce Shared Responsibility Model makes it clear that it’s the customers’ responsibility to secure their Salesforce instance.
The shared responsibility model has demonstrated the effectiveness of shared cloud security. CSPs and customers who fully understand and apply these models create safe and secure cloud environments. However, cloud security is a moving target, and new requirements and threats are continually emerging that impact shared responsibility models.
Future trends in shared responsibility models include:
- Greater CSP involvement. CSPs will start to get more involved with clients to resolve shared issues and provide technical support
- Shared fate. The concept of shared fate, where CSPs become active partners helping clients solve their security problems, will gain traction
- Artificial intelligence. CSPs will introduce AI and machine learning cloud security tools with improved and faster threat detection capabilities
- Cloud-native tools. Vendors will introduce cloud-native data security and backup tools that help simplify cloud security
Secure Your Cloud Environment With Veeam
Shared responsibility models are the foundation for building successful cloud environments. These models clearly delineate the responsibilities of the CSPs and their clients. CSPs are responsible for the security of the underlying cloud infrastructure. Other responsibilities are shared, depending on the cloud implementation model.
One constant is that the customer is always responsible for the security of their data, backups, identity and account management, and configurations. Retain full control and ownership of your data with Veeam’s platform native Hybrid Cloud Backup Solutions.