
Cloud breaches of high-profile companies grab headlines every year with details of sophisticated scams, lucrative payouts, and blindsided victims. But what these stories often leave out is the most important fact: in most cases, it is the customer, not the provider, who is responsible for the breach, because the customer lacked proper controls to protect their data. Unfortunately, this is not likely to change anytime soon. Gartner predicts that through 2025, 99 percent of cloud security failures will be the customer’s fault.

To reduce the risk of cloud breaches and data leaks, it’s imperative that organizations understand their role in ensuring cloud security. This becomes critical as they shift more workloads to the cloud to support a remote workforce in the wake of the global Covid-19 pandemic. Cloud security operates on a shared responsibility model that defines the balance of security responsibilities of the cloud service provider (CSP) and of the cloud customer.

Generally, it stipulates that the CSP is responsible for the security of the cloud and the customer is responsible for the security in the cloud. In practice, it’s a little trickier as the specific breakdown of cloud security responsibilities changes depending on the particulars of the cloud service that a customer is using. The cloud customer has more security responsibilities under an Infrastructure as a Service (IaaS) model than they do in a Software as a Service (SaaS) model, for example.

Amazon Web Services (AWS) was one of the leaders in developing and promoting the shared responsibility model, and it is the basis of AWS security. The company has invested heavily in security to win the confidence of organizations still reluctant to move to the cloud. Charged with helping customers meet compliance requirements for every regulatory agency, it offers the broadest set of compliance controls and supports more security standards and compliance certifications than any other provider, including HIPAA/HITECH, PCI-DSS, GDPR, FedRAMP, ISO, FIPS 140-2, and NIST 800-171. Much of the responsibility for putting security controls in place to satisfy these requirements, though, falls on the customer.

AWS Services are deployed uniformly throughout their global infrastructure, providing the same security standards to a small business as the most security-sensitive enterprise. But to get the most value from these, it’s essential to understand the division of responsibilities between AWS and its customers. Let’s look at how these break down for each party.

What is the AWS Shared Responsibility Model?

The AWS Shared Responsibility Model prescribes which security controls are AWS’s responsibility and which are the customer’s. Broadly, the model says that AWS guarantees the security of its Global Cloud Infrastructure — its physical facilities, network, hardware, etc. — and the customer is responsible for securing whatever they put into the cloud through network controls, application configurations, identity and access management, and other measures.

Here is another way to look at this: AWS is the Homeowners Association responsible for common areas, infrastructure, construction of public amenities, and street access. The customer is the homeowner responsible for securing the home, its contents, home maintenance, who has access to the home and ensuring only the proper residents enter the home.

Under this model, however, the balance of responsibility changes depending on the particular AWS service the customer is using. To make this clearer, AWS provides three primary shared responsibility models that delineate the security boundaries for its categories of service:

  • Shared Responsibility Model for Infrastructure Services
  • Shared Responsibility Model for Container Services
  • Shared Responsibility Model for Abstract Services

As we look more closely at these, we’ll see how more security control shifts to AWS as more of its infrastructure is abstracted away. That removes a lot of infrastructure management — and also control — from the customer. In exchange, the customer gets a more turnkey experience allowing them to focus more on their application development and other core business activities.

Infrastructure Services

As mentioned, AWS oversees the security of the cloud. That includes the components of its global infrastructure — Regions, Availability Zones, and Edge Locations — as well as its storage, database, networking, and compute services.

It is responsible for the physical security of the data centers where the customer stores its data. It manages and controls access to everything from the networking and hardware components to the generators, power supplies, and air conditioning units that support its data center facilities. This essentially relieves customers of the responsibility for managing all the physical elements typically included in an on-premise infrastructure.

However, the customer is still accountable for securing anything they put in the cloud. An organization using AWS’s EC2 service, for example, can install and configure their own operating system in the cloud and run whatever applications they wish on top of it. But this OS-level of access and control comes with greater security responsibility. It falls on the customer in this situation to secure their operating system and control network access to all their instances, as well as manage application security and identity and access management. AWS provides a range of security controls to meet these responsibilities, but how and when they’re used is up to the customer.

AWS infrastructure services security responsibilities: 

  • AWS foundation services: networking, compute, storage, database
  • AWS global infrastructure: regions, availability zones, edge locations

Customer infrastructure service security responsibilities:

  • Customer data
  • Platform, applications, Identity & Access Management
  • Client and server-side encryption
  • Operating system, network, and firewall configuration
  • Network traffic protection

Container Services

A container service enables multiple applications on the same operating system to share resources. AWS Elastic MapReduce (EMR), AWS Elastic Beanstalk, and Amazon Relational Database Service (RDS) are all examples of AWS container services.

Running containerized services on AWS adds a layer of abstraction. Though these services use EC2, they remove visibility and access to the operating system. That shifts responsibility for the operating system and network configuration as well as platform and application management over to AWS. A great way to think about this using our previous home example would be apartment living. The apartment management controls the property, is responsible for the maintenance and provides smaller living units within the much larger infrastructure. The apartment tenants, however, are still responsible for securing the contents of the apartment and access into the apartment itself.

This reduces — but doesn’t eliminate — the customer’s container security responsibility. They’re still responsible for firewall configuration and securing their data through access management and encryption.

AWS container services responsibilities:

  • AWS foundation services: networking, compute, storage, database
  • AWS global infrastructure: regions, availability zones, edge locations
  • Platform and applications management
  • Operating system, network configuration

Customer container services responsibilities:

  • Customer data
  • Identity & Access Management
  • Client and server-side encryption
  • Firewall configuration
  • Network traffic protection

Abstract services

For abstract services, including Amazon Glacier, DynamoDB, S3, and SQS, even more security responsibility is shifted to AWS. In addition to the security levels of the infrastructure and container service models, AWS takes responsibility for server-side encryption and network traffic protection. This leaves the customer responsible mainly for properly configuring the security of the given service, such as applying permissions at the platform and IAM user/group level. Taking our housing analogy one last time, in this scenario we can equate this to a hotel room. All responsibility falls on the provider except for personal access to the room, which is still defined by the tenant.

AWS abstract services security responsibilities:

  • AWS foundation services: networking, compute, storage, database
  • AWS global infrastructure: regions, availability zones, edge locations
  • Platform and applications management
  • Operating system, network configuration
  • Data protection at rest
  • Network traffic protection for data in transit

Customer abstract services security responsibilities:

  • Customer data
  • Identity & Access Management
  • Client-side encryption
  • Function code and resource configuration
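For an abstract service such as S3, "applying permissions at the platform level" is the whole of the customer's job, and a bucket policy that names `"Principal": "*"` is the single most common way to get it wrong. The code below is an added example, not from the original post or from Alert Logic: it evaluates constructed bucket policies (bucket name, role ARN and the documentation-style account id 123456789012 are all placeholders) and reports Allow statements that grant access to any principal without a narrowing Condition, alongside a check that all four settings in the shape of `aws s3api get-public-access-block` output are enabled. The public policy and the scoped policy are shown side by side so the difference in the customer's configuration is visible.

```python
import json

# Constructed bucket policy of the kind behind public data exposure:
# any principal may read every object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",  # constructed bucket name
    }],
})

# Constructed hardened policy: read access limited to one application role,
# plus a deny for any request that does not use TLS.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Shape of `aws s3api get-public-access-block` output (constructed values).
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
PARTIAL_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json: str) -> list:
    """Allow statements that grant access to any principal with no Condition.

    A Condition (for example aws:PrincipalOrgID or aws:SourceVpce) may scope
    the grant, so conditioned statements are left for manual review rather
    than flagged here.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt["Action"]),
            "resources": _as_list(stmt["Resource"]),
        })
    return findings


def public_access_block_complete(pab: dict) -> bool:
    """True only when all four public access block settings are enabled."""
    cfg = pab["PublicAccessBlockConfiguration"]
    return all(cfg.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))


if __name__ == "__main__":
    print("public grants (PUBLIC_READ_POLICY):", public_statements(PUBLIC_READ_POLICY))
    print("public grants (SCOPED_POLICY):", public_statements(SCOPED_POLICY))
    print("public access block complete:", public_access_block_complete(PARTIAL_PAB))
```

Conditioned grants are deliberately not flagged, because a Condition can make an otherwise-public statement safe; they still belong on a manual review list, and the public access block settings remain the backstop that stops a mistaken policy from taking effect at all.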

Meeting your security responsibilities

Understanding the customer’s area of security responsibility is the first step to protecting your data in the cloud. But fulfilling those responsibilities requires familiarity with the security, permissions, and privacy settings you need to secure that data. Like all cloud providers, AWS has default settings that determine which security controls are enabled in your environment. While they may provide a base level of protection, they are most likely insufficient for your organization’s specific security and compliance requirements. Ultimately, you are accountable for ensuring that the appropriate security controls are active. AWS provides multiple layers of security controls to prevent unauthorized access, for example, but if you don’t enable multi-factor authentication or leave user credentials poorly configured, you will be responsible for any resulting data breach.

Moving to the cloud exposes organizations to an array of new threats, and a proactive security approach is the best defense. To learn how you can get started, download our Shared Responsibility eBook, in which we outline how the shared security responsibility model impacts you and recommend a 5-step plan for using it to maximize your protection.

It may also make sense to partner with a managed detection and response (MDR) provider, like Alert Logic. We can help you determine and manage the appropriate controls and settings for your organization’s AWS environment so you can meet your security responsibilities and provide your applications and data with the highest level of protection. Contact us today to request your free demo!

About the Author
Zuri Cortez

Zuri Cortez is a Product Marketing Manager based in Austin, TX and has worked for Alert Logic for 2 years. He previously worked at AlienVault and AT&T as an SE, Capitol Metro, and in the US Army as a Network Engineer. Zuri's passions are learning about human behavior, the arts, D&D, and effective communication through the lens of EQ, in an IT world.
