Cloud security - shared responsibility model

Most companies have taken advantage of the “as a service” models found just about everywhere you look. They’ve moved part, if not all of their services to cloud providers like Microsoft, AWS or Google. In fact, when you consider web-based CRM’s, communication tools, HR or Accounting software, it’s safe to say that just about every business has some sort of service or application hosted in the cloud.
With ease of access, always on, low cost, login from anywhere systems and applications, it’s obvious to see why we’re embracing this model, particularly as one of the greatest draws is the promise of greater security. After all, cloud providers clearly have the expertise and resources making them better equipped to secure these services than we can achieve by keeping it in-house - so it’s okay to shift that responsibility over to them, right?

Well, not entirely. Contrary to the expectations of far too many, securing a cloud environment doesn’t lie solely with your provider.
If you look a little closer at your service you’ll find that the vendors are largely responsible for things like the applications, availability of the data, network controls, updates and short-term data recovery.
Yet for most services you are still responsible for the accounts and access management, the protection of your endpoints, long-term backups, disaster recovery and importantly – for meeting data protection and other legal or regulatory requirements.
Regulation bodies are shifting many of the responsibilities back on to the users of cloud technology to create what’s being called the “shared responsibility model”. We can no longer take advantage of these services, sit back and wash our hands of all responsibility for them.



What is shared responsibility all about?

Put simply, it’s a model which places some of the accountability back on the customer when operating in the cloud. What exactly does that mean to you? While every service is likely to differ slightly, there are some general responsibilities you’ll need to consider when moving or hosting services with a cloud provider, which IASME have summarized quite well:

 

Requirement

IaaS

PaaS

SaaS

Firewalls

Applicant and Cloud Provider

Cloud Provider but sometimes also applicant

Cloud Provider

Secure Configuration

Applicant and Cloud Provider

Applicant and Cloud Provider

Applicant and Cloud Provider

User Access Control

Applicant

Applicant

Applicant

Malware Protection

Applicant and Cloud Provider

Cloud Provider but sometimes also applicant

Cloud Provider

Security Update Management

Applicant and Cloud Provider

Applicant and Cloud Provider

Cloud Provider

 

Since many of our customers subscribe to Microsoft cloud services, it makes sense for us to drill down a little into the responsibility requirements according to Microsoft, which incidentally, is awfully similar to the model according to AWS. Here are the highlights…


Responsibilities according to Microsoft

Microsoft clarifies that speaking broadly, they are responsible for their applications and servers while you, the customer, are responsible for the data being hosted on them.

Microsoft are the data processor, while you remain the data owner. This means they’ll keep the data secure, but you are still accountable for the reason for capturing it, for its accuracy and for ensuring its lawful processing, storage and removal. They’ll keep the software and all the components of the cloud infrastructure updated with regular security patches and provide redundancy for your data but you are responsible for ensuring it is backed up.

Microsoft, like any cloud provider, are certainly not impervious to attack or misuse. Customers must ensure that they put measures in place to protect against accidental deletion of data and the introduction of malware to the platform or service – particularly by means of social engineering and insider threat.


Shared Responsibility in a layered approach to security

We often speak about a layered approach to security and you won’t find a better example than in the protections applied with a shared responsibility model. Good access control, strong passwords with Multi-Factor Authentication, endpoint protection, data backups and security awareness training are some of the small measures which you can take that will ensure your data is protected in a secure cloud environment in a shared responsibility model. If you're serious about protecting your data in the cloud and want to know more about how you can play your part, give us a call today.

 

Back to Blog