Introduction
The Shared Responsibility Model (SRM) is a security and compliance framework that specifies the obligations of cloud service providers (CSPs) and end users for safeguarding all elements of the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating systems (OS), network controls, and access rights.
A single data breach can cause revenue loss, business interruption, and penalties. According to Gartner, user error will be to blame for 99% of all cloud security failures by the year 2025. The “Shared Responsibility Model” concept binds the duties of both customer and the cloud service provider in an attempt to solve the failures in cloud security.
This essentially means that a cloud provider oversees protecting the elements of the cloud that it directly manages, such as the hardware, network, services, and physical locations where cloud resources are hosted. At the same time, end users are typically in charge of protecting everything they build in the cloud, including the configuration of a cloud workload, particular services, and the infrastructure necessary to construct/build the required cloud environment. However, depending on the cloud service model (PaaS, SaaS, or IaaS) and provider (AWS, Azure, GCP), the actual roles and responsibilities are different.
Shared Responsibility approach of the CSPs
AWS
- AWS responsibility – AWS is responsible for protecting the infrastructure that runs services offered on AWS Cloud. This infrastructure is composed of the hardware, software, networking, and services that run AWS Cloud services.
- Example 1: Amazon S3 and Amazon DynamoDB – AWS operates the infrastructure layer, the operating system, and platforms, while the customers access the endpoints to store and retrieve data.
- Example 1: Amazon S3 and Amazon DynamoDB – AWS operates the infrastructure layer, the operating system, and platforms, while the customers access the endpoints to store and retrieve data.
- Customer responsibility – is determined by the AWS Cloud services that a customer selects.
- Example 1: Amazon EC2 – Infrastructure as a Service (IaaS): requires the customer to perform all of the necessary security configuration and management tasks.
- Example 2: Amazon S3 and Amazon DynamoDB: managing data (including encryption options), classifying their assets, and using IAM tools to apply for appropriate permissions.
Azure
- Azure responsibility – security of software, hardware, and physical facilities that host Azure services
- Examples: Azure Kubernetes Service (AKS), Container Instances, Cosmos DB, SQL, Data Lake Storage, Blob Storage.
- Examples: Azure Kubernetes Service (AKS), Container Instances, Cosmos DB, SQL, Data Lake Storage, Blob Storage.
- Customer responsibility – responsible for everything that they instantiate, build, and/or use.
AWS and Azure simply put together-
| On-premises | IaaS | PaaS | SaaS | |
| Data Classification and Accountability | Customer | Customer | Customer | Customer |
| Client and End Point Protection | Customer | Customer | Customer | SHARED |
| Identity and Access Management | Customer | Customer | Shared | Shared |
| Application-level controls | Customer | Customer | Shared | Shared |
| Network Controls | Customer | Shared | CSP | CSP |
| Host Infrastructure | Customer | Shared | CSP | CSP |
| Physical Security | Customer | CSP | CSP | CSP |
GCP:
- Google oversees the cloud’s infrastructure, whereas the customer is in charge of anything that can be configured there.
- They bind the idea of “shared fate” together rather than shared responsibility.
- Shared fate is the next phase in the process of forging stronger ties between cloud service providers and their customers so that everyone may more effectively address ongoing and future security concerns.
Key features of shared fate-
- Secure-by-default configurations
- Secure blueprints
- Secure policy hierarchies
- Consistent availability of advanced security features
- Availability of security solutions
- High assurance attestation of controls
- Insurance partnerships
GCP believe that the “shared fate” approach, which puts the interests of the customer first when deploying resources and applying knowledge of the cloud environment to security responsibilities, can benefit cloud customers. Here, the CSP makes use of its vast experience to assist the customer in truly being secure in the cloud, rather than shifting responsibility to consumers who might not have the skills to handle it properly.
Pros and cons of Shared Responsibility model
Although a shared security model is intricate and requires close cooperation between the CSP and the customer, this strategy has significant advantages for end users. They enable:
- Efficiency: Though the customer bears significant levels of responsibility, some key aspects of security – such as security of hardware, infrastructure, and the virtualization layer – are almost always managed by the CSP making it more efficient.
- Enhanced protection with prioritized data security: Cloud service providers are hyper-focused on the security of their cloud environment dedicating significant resources to ensuring their customer environments and data are fully protected.
- Expertise: When customers engage a cloud vendor, they benefit from the partner organization’s experience, assets, and resources.
With benefits come a certain amount of risks or drawbacks:
- Access management: The cloud customer is fully responsible in defining access rights to cloud-based resources and granting access to authorized users. This makes it difficult to identify if any users have breached.
- The customers must be able to trust their cloud providers for security, especially when dealing with sensitive/confidential information. Hence, at times, it is required for customers to know specific info or know-how to be able to understand and follow the changes that happen.
Conclusion
The cloud is an exponential force with many layers of complexity, which makes it challenging to manage. It is not a good idea to rely solely on the cloud provider for security. Instead, both the cloud service provider and the customers must carefully comprehend their respective roles in terms of cloud security. We should consider and respect the shared responsibility model that defines the rules governing cloud settings rather than blaming customers for cloud errors. This is one of the best methodologies to prevent cyber-breaches. To sum up the concept, the customer is in charge of what is in the cloud, while the cloud provider is in charge of cloud security.