Blog
Understanding the Cloud Shared Responsibility Model
Your responsibilities for securing IaaS, PaaS, and SaaS
Amélie Darchicourt
October 30, 2019
When an organization runs its own on-premise data centers, control over security is pretty straightforward: it falls solely on the shoulders of internal teams. They are the ones responsible for keeping servers secure, as well as the data stored within them.
In a hybrid or cloud environment, the conversation around security inevitably shifts as a cloud service provider (CSP) enters the picture. While the CSP is responsible for some aspects of security, there is a tendency for customers to "over trust" cloud providers when it comes to securing their data.
Per a recent McAfee report, 69% of CISOs trust their cloud providers to keep their data secure, and 12% believe cloud service providers are solely responsible for securing data.
The truth of the matter is that cloud security is a shared responsibility. In an effort to educate cloud customers on what's required of them, CSPs like Amazon Web Services (AWS) and Microsoft Azure have created the cloud shared responsibility model (SRM).
In its simplest terms, the cloud shared responsibility model denotes that CSPs are responsible for the security of the cloud and customers are responsible for securing the data they put in the cloud. Depending on the type of deployment—IaaS, PaaS, or SaaS—customer responsibilities will be determined.
Infrastructure-as-a-Service (IaaS)
Designed to provide the highest degree of flexibility and management control to customers, IaaS services also place more security responsibilities on customers. Let's use Amazon Elastic Compute Cloud (Amazon EC2) as an example.
When customers deploy an instance of Amazon EC2, the customer is the one who manages the guest operating system, any applications they install on these instances and the configuration of provided firewalls on these instances. They are also responsible for overseeing data, classifying assets, and implementing the proper permissions for identity and access management.
While IaaS customers retain a lot of control, they can lean on CSPs to manage security from a physical, infrastructure, network, and virtualization standpoint.
Platform-as-a-Service (PaaS)
In PaaS, more of the heavy lifting is passed over to CSPs. While customers focus on deploying and managing applications (as well as managing data, assets, and permissions), CSPs take control of operating the underlying infrastructure, including guest operating systems.
From an efficiency standpoint, PaaS offers clear benefits. Without having to worry about patching or other updates to operating systems, security and IT teams recoup time that can be allocated to other pressing matters.
Software-as-a-Service (SaaS)
Of the three deployment options, SaaS places the most responsibility on the CSP. With the CSP managing the entire infrastructure as well as the applications, customers are only responsible for managing data, as well as user access/identity permissions. In other words, the service provider will manage and maintain the piece of software—customers just need to decide how they want to use it.
How to Uphold Your End of the Shared Responsibility Model
Through 2022, it's estimated that at least 95% of cloud security failures will be caused by missteps on the part of customers. That's why it's more important than ever before to clear up confusion around the cloud shared responsibility model and set customers up for success.
While there are clear differences in responsibilities based on deployment types, a common thread remains: it's imperative that businesses can visualize conversations between devices, detect potential security threats in real-time and easily investigate and remediate issues. No dark space and faster response times mean greater security in your cloud investment.
Discover more