As organizations embrace the cloud and migrate servers, applications and data to cloud service providers, security is a paramount consideration. The question becomes, “Who is responsible for implementing and maintaining that security—the organization or the cloud service provider?” A recent survey by 2nd Watch found that the answer to that question still eludes many people.
Cloud Shared Responsibility Model Confusion
2nd Watch conducted a survey of more than 1,000 enterprise IT professionals representing companies with at least 1,000 employees and found that a massive 73 percent do not truly understand the cloud shared responsibility model or their own organization's roles and responsibilities within that model. Many are under the very risky illusion that the cloud service provider is responsible for more aspects of cloud security than it generally is.
According to the 2nd Watch survey, 40 percent of respondents believe that the cloud service provider is completely responsible for all security of physical and virtual infrastructure, servers, applications, and data. More than a third—34 percent—have the misguided belief that they alone are responsible for providing all security. Neither extreme is true: the cloud shared responsibility model splits security duties between the provider and the customer.
“Enterprise organizations are moving wholeheartedly to public infrastructure, but many could stand to learn more about the shared responsibility model used by the major public cloud providers,” says Jeff Aden, EVP of Marketing & Strategic Business Development & Co-Founder at 2nd Watch. “Thirty percent of IT pros responding to our survey indicated that their organizations have suffered as many as five serious security attacks in the past year. In order to adequately protect their companies and customers, it’s critical that IT professionals work closely with their cloud providers and partners to fully understand their cloud security responsibilities, and implement a plan that meets their needs.”
Understanding Your Role in the Cloud Shared Responsibility Model
That isn’t exactly a new concept, either. Alert Logic’s Monica Yoo wrote in August of 2016 that the idea that the cloud service provider is entirely responsible for securing data is one of the three major cloud security myths. She explained, “Protecting the global infrastructure of the cloud and the physical security in which the services operate are the responsibility of the cloud service provider. On the other hand, the customer is accountable for the security measures related to the content and applications that make use of the cloud provider’s services. To ensure your data is protected, customers need to assess and understand what security measures are delivered by the cloud service provider and supplement it for comprehensive security protection.”
The line between what the cloud service provider is responsible for and what aspects of cloud security remain your burden is nuanced. It is fairly safe to assume the cloud service provider is responsible for the physical security of the data center and the hardware inside. How the responsibility is split beyond that depends on the type of cloud service model you’re embracing, and varies from SaaS (software-as-a-service), to PaaS (platform-as-a-service), to IaaS (infrastructure-as-a-service).
The simplest way of thinking about it is that the cloud service provider is generally responsible for securing the things it actually provides, while you are responsible for securing whatever you execute or store on the resources the provider gives you. It is up to you to clarify precisely what your cloud service provider is managing and to understand which aspects of cloud security are still your responsibility. Ultimately, if your servers are compromised and your data is breached, the blame is going to fall on you no matter what the cloud shared responsibility model says.