Which of these responsibilities are cloud service provider responsibilities in the shared responsibility model?

When an organization runs its own on-premise data centers, control over security is pretty straightforward: it falls solely on the shoulders of internal teams. They are the ones responsible for keeping servers secure, as well as the data stored within them.

In a hybrid or cloud environment, the conversation around security inevitably shifts as a cloud service provider (CSP) enters the picture. While the CSP is responsible for some aspects of security, there is a tendency for customers to "over trust" cloud providers when it comes to securing their data.

Per a recent McAfee report, 69% of CISOs trust their cloud providers to keep their data secure, and 12% believe cloud service providers are solely responsible for securing data.

The truth of the matter is that cloud security is a shared responsibility. In an effort to educate cloud customers on what's required of them, CSPs like Amazon Web Services (AWS) and Microsoft Azure have created the cloud shared responsibility model (SRM).

In its simplest terms, the cloud shared responsibility model denotes that CSPs are responsible for the security of the cloud and customers are responsible for securing the data they put in the cloud. Which responsibilities fall to the customer depends on the type of deployment: IaaS, PaaS, or SaaS.


Infrastructure-as-a-Service (IaaS)

Designed to provide the highest degree of flexibility and management control to customers, IaaS services also place more security responsibilities on customers. Let's use Amazon Elastic Compute Cloud (Amazon EC2) as an example.

When customers deploy an Amazon EC2 instance, the customer is the one who manages the guest operating system, any applications they install on the instance, and the configuration of the provided firewall on the instance. They are also responsible for overseeing data, classifying assets, and implementing the proper permissions for identity and access management.

While IaaS customers retain a lot of control, they can lean on CSPs to manage security from a physical, infrastructure, network, and virtualization standpoint.

Platform-as-a-Service (PaaS)

In PaaS, more of the heavy lifting is passed over to CSPs. While customers focus on deploying and managing applications (as well as managing data, assets, and permissions), CSPs take control of operating the underlying infrastructure, including guest operating systems.

From an efficiency standpoint, PaaS offers clear benefits. Without having to worry about patching or other updates to operating systems, security and IT teams recoup time that can be allocated to other pressing matters.

Software-as-a-Service (SaaS)

Of the three deployment options, SaaS places the most responsibility on the CSP. With the CSP managing the entire infrastructure as well as the applications, customers are only responsible for managing data, as well as user access/identity permissions. In other words, the service provider will manage and maintain the piece of software—customers just need to decide how they want to use it.

How to Uphold Your End of the Shared Responsibility Model

Through 2022, it's estimated that at least 95% of cloud security failures will be caused by missteps on the part of customers. That's why it's more important than ever before to clear up confusion around the cloud shared responsibility model and set customers up for success.

While there are clear differences in responsibilities based on deployment types, a common thread remains: it's imperative that businesses can visualize conversations between devices, detect potential security threats in real time, and easily investigate and remediate issues. Eliminating blind spots and shortening response times mean greater security for your cloud investment.


Gartner predicts that through 2025, 99% of all cloud security failures will be the customer's fault. A statistic like this can be jarring, maybe even alarming or worrisome, especially if you're a cloud customer. Cloud environments are vast and extremely complex, which makes them difficult to control. So perhaps, instead of looking at cloud failures as the customer's fault, we must consider the guidelines around cloud configuration and acknowledge why it is so easy for customers to secure their cloud ineffectively.

The great news is that a large portion of that 99% of cloud failures is actually preventable, if a customer knows exactly what they are responsible for securing in their cloud. This brings us to The Shared Responsibility Model.

To be brief, the shared responsibility model defines that the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. 

Digging a bit deeper, the shared responsibility model is an overarching working model that multiple cloud providers promote to, and enforce with, customers of their products. Each provider defines its own respective shared responsibility model. Below we'll define the basics of two top cloud providers, but first let's understand the context behind the creation of the shared responsibility model.

Security in the Cloud

As organizations migrated to the cloud, new security needs emerged, including a major need for cloud providers to ensure secure environments. It can be viewed as simply as offering your customer a safe and stable platform on which to build and grow their business. The cloud service provider's accountability has grown dramatically in recent years, especially after pivotal moments like Azure's famous vulnerability detected in its managed database service, CosmosDB.

Since then, cloud service providers like Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP) have worked tirelessly to assure their customers that their environment is as secure as possible, even more secure than the on-prem data centers they might be used to.

But this promise can only go so far, and so a line was drawn in the sand. Cloud providers, AWS specifically, published a clear guide to how far they will go in monitoring and regulating their customers' environments: the birth of the shared responsibility model.

AWS

AWS is focused on the security of AWS infrastructure, including protecting its computing, storage, networking, and database services against intrusions because it can’t fully control how its customers use AWS. AWS is responsible for the security of the software, hardware, and the physical facilities that host AWS services. Also, AWS takes responsibility for the security configuration of its managed services such as AWS DynamoDB, RDS, Redshift, Elastic MapReduce, WorkSpaces, and others.

The Customer

Customer responsibility depends on what AWS service is being used, but in sum, AWS customers are responsible for the secure usage of services that are considered unmanaged. For example, while AWS has built several layers of security features to prevent unauthorized access to AWS, including multi-factor authentication, it is the customer's responsibility to make sure multi-factor authentication is enabled, particularly for those identities with the most extensive IAM permissions in AWS. Furthermore, the default security settings of AWS services are often the least secure. Hardening the default AWS security settings and configuring your cloud for your own needs is therefore low-hanging fruit that organizations should prioritize to fulfill their end of the AWS shared responsibility model.

Azure

Azure is focused on the security of the underlying infrastructure, by protecting its computing, storage, networking, and database services against intrusions. Azure is also responsible for the security of the software, hardware, and physical facilities that host Azure services. The Azure cloud security framework takes responsibility for the security configuration of its managed services such as Azure Kubernetes Service (AKS), Container Instances, Cosmos DB, SQL, Data Lake Storage, Blob Storage, and others.

The Customer

Azure customers are responsible for the security in their own cloud, or more simply put, everything that they instantiate, build and/or use. This responsibility is contingent on what service Azure customers are using and whether it is SaaS, PaaS or IaaS. Per Microsoft, “In an on-premises data center, the customer owns the whole stack. As you move to the cloud some responsibilities transfer to Microsoft Azure.” The following diagram illustrates the areas of responsibility between the customer and Microsoft:

Microsoft clearly defines that the customer always owns all their own data and identities, and is therefore responsible for securing them as well as the cloud components they control.

The Azure Shared Responsibility model continues by stating the four responsibilities that always fall to the customer:

  • Data
  • Endpoints
  • Account
  • Access management

Holding Up Your End of the Deal

Now that you know you've got your work cut out for you in securing your cloud environment, how do you hold up your end of the deal? Managing all your data, platforms, applications, identities, networks, etc. is overwhelming for any security team. The obvious answer is to get help.

Consider integrating a third-party platform with your AWS or Azure environment. Solutions exist today to ensure your cloud is secure at its most foundational level. A key feature of any cloud security platform is Cloud Security Posture Management (CSPM), which evaluates the configuration of your cloud environments, looks for security or operational issues, and alerts when misconfigurations arise. More advanced solutions monitor this continuously and offer advanced workflows and automation to correct issues at the speed and scale of the cloud.
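As an added illustration of two customer-side checks this post calls out (MFA on the most privileged identities, and the firewall configuration on EC2 instances that a CSPM tool evaluates), the following Python is example code written for this page, not a Sonrai, ExtraHop or AWS tool. It runs over constructed sample data shaped like an IAM credential report and security-group ingress rules, so it needs no AWS credentials or API calls.

```python
import csv
import io
import ipaddress

# Constructed sample in the column layout of an AWS IAM credential report,
# trimmed to the columns this check reads; account id and names are made up.
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false,true
svc-build,arn:aws:iam::111122223333:user/svc-build,false,false,true
"""

# Constructed ingress rules shaped like a subset of the per-rule fields
# describe-security-groups returns; not a real environment.
SECURITY_GROUPS = {
    "sg-web": [{"FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}],
    "sg-admin": [
        {"FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"},
    ],
}

# Administrative ports that should never be reachable from the whole internet.
ADMIN_PORTS = (22, 3389)


def users_without_mfa(report_csv):
    """Names of console-enabled identities with no MFA device enrolled."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root user reports password_enabled as 'not_supported', not
        # 'true', so treat it as console-enabled and check it like any user.
        console = row["password_enabled"] in ("true", "not_supported")
        if console and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def exposed_admin_ports(groups):
    """(group, port) pairs where an admin port is open to 0.0.0.0/0 or ::/0."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            if ipaddress.ip_network(rule["CidrIp"]).prefixlen != 0:
                continue  # scoped to a specific network; not a finding here
            for port in ADMIN_PORTS:
                if rule["FromPort"] <= port <= rule["ToPort"]:
                    findings.append((name, port))
    return findings
```

In a real account the same two functions would be fed the output of `aws iam get-credential-report` and `aws ec2 describe-security-groups`; the root user and `bob` are flagged for missing MFA, and `sg-admin` for SSH open to the internet.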

Identities and data run rampant in the cloud; get a hold of them with solutions like Cloud Infrastructure Entitlement Management (CIEM) and Cloud Data Loss Protection. CIEM gives you insight into all the identities in your environment, person and non-person, and reveals all the permissions they possess and the potentially dangerous escalation paths. Once you have inventoried all your identities and reduced their access to least privilege, CIEM solutions can continuously monitor that baseline and alert you when excessive permissions arise.

Taking things a step further, explore graphing technologies that map out the complex web of connections between all identities, identity chains, excessive permissions to data, and much more, giving you critical insight into the dangers in your environment.

That last capability is one you'll only get with Sonrai Dig; in fact, Dig is home to CIEM, CSPM, Cloud DLP and automation, all in one integrated platform.

Contact us today if you're interested in seeing how Sonrai Dig helps you hold up your end of the shared responsibility model.

What are the responsibilities of the cloud service provider in the shared security model?

The cloud provider is responsible for services and storage: the basic cloud infrastructure components such as the virtualization layer, disks and networks. The provider is also responsible for the physical security of the data centers that house its infrastructure.

Which of the following is the responsibility of the cloud service provider?

Simply put, the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. Essentially, your cloud provider is responsible for making sure your infrastructure built within its platform is inherently secure and reliable.

Which is the responsibility of the Azure cloud platform when it comes to the shared responsibility model?

You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).

Which of the following is the responsibility of AWS under the AWS shared responsibility model?

AWS responsibility “Security of the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.