
Cloud Security: The Shared Responsibility Model Explained

Written by Michael Roberts
Published on January 27, 2023
Categories: Atlassian | AWS | Azure | Cloud | Cybersecurity

Transformative tech trends like the internet of things (IoT), artificial intelligence (AI), virtual reality (VR) and dispersed workforces have increased cloud adoption. Why? Because the cloud provides agility, productivity, and scalability like no other infrastructure. And whilst the cloud isn’t necessarily new, it still leaves plenty of organizations with questions, particularly around security. The Shared Responsibility Model is a term you should familiarize yourself with as you explore your cloud journey. It could be the difference between cloud protection and brand damage.

Clearing Up Cloud Security

Cloud service providers such as AWS, Azure, and Atlassian provide an unimaginable scaling opportunity for businesses globally. Not only does the cloud remove the need for expensive upfront capital expenditure, it also enables unlimited access to scalable data servers on a pay-as-you-go model, in just a few clicks. Additionally, you can configure new employee machines from anywhere in the world, and protect them without the need to purchase, deploy and wait for the arrival of new hardware. It’s all digital. It’s Infrastructure as a Service (IaaS).

In 2023 and beyond, cloud adoption will continue to grow. Companies that don’t adopt it will undoubtedly be left snapping at the heels of earlier adopters. In fact, Gartner forecast that by 2025 cloud spending will overtake traditional IT expenditure.

The cloud shift accelerated during the pandemic, and now there’s no going back. Organizations capitalized on its potential and they’re reaping the benefits fast. In 2022, more than $1.3 trillion in enterprise IT spending was at stake from the shift to cloud, growing to almost $1.8 trillion in 2025, according to Gartner. 

And as more organizations migrate their own and customer-sensitive data to the cloud, it opens up the question of who is responsible for the data that is now hosted there. Is it the cloud service provider? Or is it the organization purchasing the service from the host?

Whose Responsibility Is It To Protect Cloud Data?

It’s true that cloud service providers offer the likes of compliance certifications and their own security. But it’s not true that they offer complete security. In fact, cloud security is a shared responsibility between the vendor and the business. This isn’t much different from when you bought that PC back in 1995 at home and it came pre-loaded with the latest out-of-the-box anti-virus software like McAfee. Just because it was there didn’t mean it was McAfee’s responsibility to protect your PC for years to come, or as you downloaded new software. Yes, it might flag a potential threat, but if your PC was infected by a new, undiscovered virus, you certainly weren’t going to take McAfee to court for not remaining up to scratch with the latest market threats. It was your responsibility to continually assess whether that out-of-the-box solution matched your requirements, and to keep it updated.

Now, as more data is hosted in the cloud, the principle remains the same. Your organization has specific requirements to protect your customer data. That might require very different layers of security for a small business compared to a large enterprise cataloging customer data. For example, think of the health industry.

 

The Shared Responsibility Model

The Shared Responsibility Model lays out an agreement between cloud service providers and organizations utilizing their hosted services. Essentially, the model clarifies that cloud service providers are responsible for protecting the overall infrastructure in the cloud. This is known as the “security of the cloud”. Conversely, you maintain responsibility for the security of any content, platform, applications, systems and networks you choose to host there. This is known as “security in the cloud”.

Cloud service providers’ responsibility includes:

  • Control of the host operating components of the system and virtualization layers.
  • Physical security of the offices and data centers the host operates from. 
  • Protection services such as encryption.
  • Security groups.
  • Multi-factor authentication capabilities.

As an organization, you are responsible for:

  • Assessing your chosen security solution.
  • Maintaining the integrity of the cloud infrastructure.
  • Updates and patches to application software.
  • Configuration of firewalls.
  • Deploying security utilizing the host’s protection services such as access assignments and permission levels.
  • Additionally, you can increase security by using host-based firewalls, threat-based detection and encryption.

Recovering Deleted Cloud Data

In 2021, Christine McHale, Co-Founder and CEO of SPK and Associates, interviewed Vish Reddy, Co-Founder of Revyz, a cloud backup solution.

Revyz was created after Vish realized that a colleague had deleted valuable data in the cloud, only to find that data in the cloud is not backed up automatically. Assuming otherwise is a common misconception among cloud service users.

In the interview, Vish explains:

“Imagine this. You’re the user of the application and the administrator. You accidentally press the wrong thing and things get deleted. Who is responsible for that? That action was taken by you as the customer. Now, that could have been a legitimate action. You want to actually go delete something. Microsoft can’t go and revert whatever you want to actually delete and get rid of, right? That’s where the shared responsibility model comes into play. It means you as the customer are responsible for certain things which are protecting your data. Microsoft, Atlassian or Salesforce, will give you the structure or the mechanisms to protect the data but you have to do it yourself. The Cloud Security Alliance updated their questionnaire, or their assessment mechanism, to include the shared responsibility model related questions. Because they found that this understanding of every administrator out there was, as people assume, in the cloud. That people don’t need to worry about it. Therefore, they don’t need a cloud backup solution.”

Cloud backup solutions like Revyz and AFI Backup are well worth the investment for organizations looking to deliver on the Shared Responsibility Model well.

The Responsibility Model Overview Vs Infrastructure

On-premises:

Responsibility
The customer is 100% responsible for information and data right down to the physical infrastructure.
Pros
The customer has greater control in compliance scenarios because they have 100% control, and it also provides flexibility in supporting legacy technologies. Your cloud platforms will only support software versions so far into the past, so this relieves any pressure to move forward before the customer is ready.

Infrastructure-as-a-Service (IaaS)

Responsibility
The Cloud Service Provider takes on the responsibility of managing the data center facilities, the network and server infrastructure. It is the customer’s responsibility to manage all other security and integrity aspects.
Pros
This reduces or eliminates the customer's need to manage a physical data center and server infrastructure. An example of an IaaS service would be Azure Virtual Machines.

Platform-as-a-service (PaaS)

Responsibility
The Cloud Service Provider assumes some additional responsibility, this time for network controls, operating systems and identities. Responsibility for network controls and identities along with applications is shared between the cloud service provider and the customer, meaning that the customer has some configuration control.
Pros
This typically reduces the customer's cloud operating cost as compared to Infrastructure as a Service. An example of a PaaS service would be Azure SQL Database.

Software-as-a-Service (SaaS)

Responsibility
The cloud service provider assumes more responsibility for applications and network controls. The customer shares some responsibilities around identity and directory infrastructure and the customer continues to assume 100% responsibility for access control, the devices used to access the service and the security of their data.
Pros
The customer has more protection from the cloud service provider, and remains in more control of their organization’s data protection. An example of a SaaS service would be Microsoft or what you may know as Office 365.

Conclusion

It’s critical to understand the Shared Responsibility Model in depth. A solid understanding of these protection layers will also provide a solid foundation for the cloud security of your data. By clearly defining whether you, the customer, or the cloud service provider is responsible for cloud-hosted data, you will be able to better protect both customer and market-sensitive data.

Cloud backup solutions like Revyz and AFI Backup are worth their weight in gold as an extra layer of protection in the Shared Responsibility Model agreement.

If you need further support on protecting your cloud services, you can contact our expert managed services team here for a no-obligation discussion. At SPK, we partner with the largest players in the cloud market including AWS and Azure. We were also recently accoladed as Atlassian Gold Partners for our work on successful integrations and migrations, so you can trust our team to support yours.
