The Shared Responsibility Model is a cloud security framework that defines the security obligations of the cloud provider and of its users, so that each party can be held accountable for its part. The framework states which components the cloud service provider (CSP) is responsible for and which must be protected by the user/customer.
It generally states that the CSP is responsible for the security of the cloud while the client is responsible for the security of the data in the cloud.
For services, applications, and controls between these ownership levels, security responsibility varies by cloud provider and service type. For example, a cloud client has more security responsibilities in an Infrastructure as a Service (IaaS) model than in a Software as a Service (SaaS) model.
Shared Responsibility Model Explained Using AWS EC2 Example
For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is classified as Infrastructure as a Service (IaaS) and requires the customer to perform all necessary security and management tasks.
When customers deploy Amazon EC2 instances, they manage the guest operating system, any applications they install on those instances, and the configuration of the firewall provided for those instances.
The customer is therefore responsible for configuring and maintaining the guest operating system (including updates and security patches), any related application software, and the AWS-provided security group firewalls.
Moreover, the client is also responsible for data control, asset classification, and implementing appropriate permissions to manage identity and access. This puts the primary responsibility for properly configuring the security of the provided service on the client, such as applying permissions at the IAM platform and user/group level.
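The two customer-owned controls named above, security group firewalls and IAM permissions, are the ones most often misconfigured on the customer side of the line. The following is an added example (not code from the original article or from AWS) of a small audit that checks both: it flags security group rules that expose administrative ports to the whole internet, and IAM policy statements that allow every action on every resource. The sample security groups and policy document are constructed to resemble the shapes returned by the EC2 and IAM APIs; the group IDs, bucket name and port list are assumptions for illustration.

```python
"""Audit customer-managed controls under the shared responsibility model:
security group ingress rules and IAM policy statements (added example)."""
import ipaddress

# Constructed sample, shaped like EC2 DescribeSecurityGroups output (not real data).
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",  # hypothetical id
        "GroupName": "web-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # SSH open to the world
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # HTTPS, expected to be public
        ],
    },
    {
        "GroupId": "sg-0000000000000002",  # hypothetical id
        "GroupName": "admin-restricted",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},     # SSH limited to a private range
        ],
    },
]

# Constructed sample IAM policy document with one overly broad statement.
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},     # scoped: fine
        {"Effect": "Allow", "Action": "*", "Resource": "*"},  # full admin: flagged
    ],
}

# Administrative/database ports that should not be reachable from any address
# (assumed list; extend to match your own baseline).
ADMIN_PORTS = {22, 3389, 3306, 5432}


def is_world_open(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_touches_ports(rule, ports):
    """True when the rule's port range overlaps any of the given ports.
    Protocol "-1" (all traffic) has no port range and matches everything."""
    from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
    if rule.get("IpProtocol") == "-1" or from_port is None or to_port is None:
        return True
    return any(from_port <= p <= to_port for p in ports)


def find_open_admin_ports(security_groups):
    """Return (group_id, from_port, to_port, cidr) for each world-open admin rule."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            ranges = rule.get("IpRanges", []) + rule.get("Ipv6Ranges", [])
            for r in ranges:
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                if cidr and is_world_open(cidr) and rule_touches_ports(rule, ADMIN_PORTS):
                    findings.append((sg["GroupId"], rule.get("FromPort"),
                                     rule.get("ToPort"), cidr))
    return findings


def find_wildcard_statements(policy):
    """Return indexes of Allow statements granting Action "*" on Resource "*"."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            findings.append(i)
    return findings


if __name__ == "__main__":
    for gid, lo, hi, cidr in find_open_admin_ports(SAMPLE_SECURITY_GROUPS):
        print(f"security group {gid}: ports {lo}-{hi} open to {cidr}")
    for idx in find_wildcard_statements(SAMPLE_IAM_POLICY):
        print(f"IAM policy statement #{idx} allows all actions on all resources")
```

Running the script against the constructed samples reports the SSH rule in the first security group and the second policy statement, while the HTTPS rule and the scoped S3 statement pass. In a real account the same functions would be fed the output of the provider's describe/get APIs; the CSP secures the hypervisor and network fabric, but rules and policies like these are entirely the customer's to get right.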
Shared Responsibility of PaaS versus IaaS
Under PaaS, the provider also assumes full responsibility for hosting the physical infrastructure and network security, while sharing responsibility with the customer at the application and access control level.
While IaaS clients retain most of the control, they can rely on the CSP to manage physical, infrastructure, network, and virtualization security. If you use your CSP's applications in a SaaS model, you are not responsible for the security of those applications. By contrast, if you run your own applications in the cloud under PaaS or IaaS, you are responsible for their security. In every model you are responsible for protecting your data and identities, your on-premises resources, and the cloud components you manage (which components depends on the type of service).
User/Customer Responsibility: Traditional Data Center versus Cloud
In the traditional data center model, you are responsible for securing the entire operating environment, including applications, physical servers, user controls, and even the physical security of buildings. Your operations team must work closely with security professionals to maintain policy-based control over how and when cloud resources are provisioned. By partnering with a cloud service provider and sharing some of the responsibility for security, you can maintain a secure environment with lower operating costs.
By outsourcing responsibilities to a cloud service provider, organizations can achieve greater security, allowing them to reallocate security resources and budget to other business priorities. In the cloud, your provider offers valuable assistance to your teams by taking on many of the operational burdens, including security. Control over the security of your cloud workloads makes your organization more prepared to detect threats and resolve issues quickly.
How to leverage the shared responsibility model for your workloads
Putting the concept of shared security into practice for cloud workloads requires evaluating the details of how these workloads are configured. The key to successfully implementing security in the cloud is understanding where your vendor’s responsibility ends and yours begins. Understanding customer security responsibilities is the first step to protecting your data in the cloud.
To fully account for the overall responsibility for security, you need complete visibility into the cloud environment.
In a shared security responsibility model, when you move applications, data, containers, and workloads to the cloud, your security team is responsible for security, and the provider has some, but not much, responsibility.
When it comes to “shared responsibility,” it’s important to understand that you and your cloud service provider will never share responsibility for any aspect of your security operations. Additionally, you remain responsible for securing everything in your organization that connects to the cloud, including the on-premises infrastructure stack and user devices, your own network and applications, and the communication layer connecting internal and external users.
Essentially, your cloud provider is responsible for ensuring that your infrastructure built on its platform is secure and reliable from the outset. But in either model, you need to take an active role in your cloud deployment, setting up your CSP security controls and monitoring your cloud solution to ensure your data is protected.
In the case of IaaS, the CSP is typically responsible for protecting the physical aspects of the infrastructure, while the customer is responsible for protecting the configuration and internal operation of the provisioned cloud resources. Under IaaS, the provider is solely responsible for the physical resources, shares responsibility for infrastructure and host network security with the customer, and leaves everything else to the customer.