In today’s digital world, cloud has become a mainstream technology due to its strong value proposition of agility, scalability, and flexibility. It is hard to imagine building a technology solution that is not backed by cloud services. However, with the increasing adoption of cloud, there are also increasing concerns regarding security. But whose responsibility is it? Is it the cloud service providers (CSPs) such as Amazon, Oracle, Microsoft or Google who own the infrastructure? Or is it the organizations that own the data and applications?
The answer – Cloud security is a shared responsibility!
According to Gartner, through 2025, 99% of cloud security failures will be the customer’s fault.
Considering this forecast, it is essential that organizations fully understand the ‘Shared Responsibility Model’ in order to implement the requisite security measures.
The ‘Shared Responsibility Model’ (SRM) explained
Cloud service providers and customers must work together to meet cloud security objectives. The shared responsibility model clearly delineates the responsibilities of the cloud customer and the cloud service provider (CSP). The CSP is responsible for security ‘of’ the cloud infrastructure, i.e. hardware, software, network, and the physical facilities housing them. The customer is responsible for security ‘in’ the cloud, i.e. data, applications, identity and access management, network controls, etc. The cloud customer is also responsible for encrypting data in transit and at rest.
While the cloud offers several security features, the biggest vulnerabilities come from human blunders. If organizations embrace the shared responsibility model to implement necessary security measures and educate employees, they can derive extensive value from cloud-based services.
The shared responsibility model for cloud security provides clarity on expectations for cloud users and cloud service providers. However, understanding these expectations is just the first step. Users and CSPs must act on these responsibilities by creating policies and procedures for their portion of cloud security. To achieve this, both parties should use security tools and resources that directly address the needs of their cloud environment.
The type of cloud service model, i.e. Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS), dictates who is responsible for which security tasks. Generally, customers’ responsibilities increase as they move down the stack from SaaS to PaaS to IaaS.
While it may seem like a daunting task, engaging with experienced consultants and undergoing a cloud security assessment is an excellent next step in building a roadmap to help your organization stay on top of security while you embark on your cloud journey.