How Does Shared Responsibility Affect Cloud Security?

Posted by Daniel Petrillo on September 4, 2020

The shared responsibility security model impacts cloud vendors

Cloud migration continues at a brisk pace. As many as 94% of enterprises now use the cloud, and data suggests that by the end of 2020, only 27% of workloads will happen on-premises. For everything from data storage to critical applications, the cloud is the first and often the only option many companies consider.

And rightly so. As promised, the cloud cuts costs, simplifies IT management, streamlines scalability, and makes tech an agile asset. No wonder that, in a recent survey of IT spending priorities, 80% of respondents identified cloud applications and 61% identified cloud infrastructure, the top two spots respectively. By all accounts, spending will only increase as the cloud becomes the de facto choice for enterprise IT.

Exciting as this migration may be, it’s also riskier than advertised. Cloud migration raises thorny questions about cybersecurity while also offering less protection than many users expect. Security issues shouldn’t keep anyone out of the cloud – but adopters must understand exactly what they’re getting into.

What Makes Cloud Security Different?

On-premises security isn’t easy, but at least it’s relatively straightforward. Companies have valuable data and applications on servers inside the office, then they create a physical and digital perimeter around those assets and keep everyone without access out. Even if there are still setbacks and failures as part of that effort, there’s no question where security professionals need to focus and what their responsibilities entail.

Things are hazier in the cloud. Cloud vendors often handle the essentials of cybersecurity, such as patch management and platform security. While that makes things easier on users, it asks them to trust a third party to provide a stable system that keeps their mission-critical data and applications safe, and it takes away their ability to make certain choices about their own security strategy. Some users feel liberated to stop micromanaging cybersecurity; others feel uncomfortably out of the loop.

Both groups are right that cloud security comes with advantages and disadvantages. But they’re also both suffering from the same common misconception: that cloud security offers complete protection. It doesn’t, by design. In fact, the cloud delegates specific responsibilities back to the user. The question is, which ones?

Making Sense of the Shared Responsibility Model

Cloud vendors use what’s known as a “shared responsibility” model to define who does what in terms of cybersecurity. Typically, the vendors handle security for the underlying cloud infrastructure, including hardware, software, networks, and physical assets. Users then must secure the assets within the cloud, which encompasses things like data encryption, identity/access management, and general application security. In simple terms, vendors secure “around” the cloud, and users secure “inside” the cloud.

Unfortunately, simple terms rarely apply to this model. Trying to split an obligation as big, dynamic, and consequential as cybersecurity between two separate parties creates plenty of opportunities for conflict. The Capital One breach from 2019 is a perfect example of how this kind of disagreement can turn into lawsuits.

These sorts of public disagreements often happen because the specifics of shared responsibility vary by vendor. For example, Amazon AWS users will have different responsibilities than Microsoft Azure users. The boundary between vendor and user responsibility doesn’t follow a straight line, often shifts, and requires wading through a mountain of fine print to define. Consequently, there may be gaps between where vendor responsibility ends and user responsibility begins – gaps still big enough for hackers to execute the worst kinds of attacks directly in the cloud.

Covering Your Bases in a Shared Responsibility Model

First, users need to deploy a cloud workload protection platform to cover their not-insignificant part of the responsibility. These cybersecurity products are designed to protect assets “inside” the cloud from the kinds of advanced persistent threats that bypass “outside” protections managed by the vendors.

Second, users need to put protections in place that are expansive enough to secure whatever they may have overlooked or underestimated with regard to their own responsibility. Hackers understand where the weaknesses exist and target them specifically. Therefore, cloud security requires an approach that goes above and beyond what users expect to need. Said differently, don’t let the strict details of the security responsibility dictate the limits of the protection.

Working out of the cloud can make cybersecurity easier to manage, less resource-intensive, and more effective overall – but only with the right security strategy and tools bolstering the effort. Don’t overlook this crucial fact as we race into the cloud-first era.
