If you’re new to the cloud, here’s the first thing you should know: Cloud providers follow the shared responsibility model. This model has immediate implications for your cloud adoption strategy and your ongoing cloud security program. But recent research shows that if you’re new to the cloud, you’re more likely to assume that others will let you know of a data breach—and less likely to be proactive in securing your cloud deployment. Are you opening yourself up to the risk of data breach without even knowing it?
The shared responsibility model is a model for cloud operations in which you and your cloud service provider (CSP) divvy up responsibilities for your cloud deployment. Your CSP may handle everything from physical networks, servers, and storage to hypervisors, virtual networks, middleware, runtimes, operating systems, and even applications, but you’ll be responsible for the rest. In other words, no matter what level of service your CSP offers, you’re responsible for the security and compliance of some part of your cloud deployment.
The division of cloud security responsibility generally falls into three buckets, depending on your cloud service model:
Remember this well: Even if your CSP provides your entire cloud system—servers, systems, and applications—you’re still responsible for the security of your data wherever it is, whether it’s at rest or in transit.
The shared responsibility model is important because it should drive both your cloud migration strategy and your ongoing cloud security plan. For example, if you use your own apps in the cloud in a PaaS or IaaS model, you’re responsible for their security. And because an application’s vulnerabilities follow it wherever it goes—you can’t just “configure away” vulnerabilities in the cloud—you’ll have to conduct application security testing on your cloud apps. If you use your CSP’s applications in the SaaS model, you’re not responsible for application security. But in any model, you must play an active role in your cloud deployment, configuring your CSP’s security controls and monitoring your cloud solution to make sure your data stays protected.
Unfortunately, many organizations that have adopted the cloud struggle with the concept of shared responsibility for cloud security. 451 Research has found that organizations have different expectations for their cloud providers depending on how conservative they are about adopting new technology. The newer you are to the cloud game, the less likely you’re taking an active-enough role in securing your cloud deployment.
Fortunately, there are things you can do to strengthen your cloud security program and reduce your risk of data breach. 451 Research’s Business Impact Brief Cloud Security: Whose Job Is It, Anyway? is a quick read that explains how to support your cloud migration and stay vigilant in the ever-evolving landscape of cloud security threats.