Cloud Security: The Shared Responsibility Model

Cloud security builds off of the same IT infrastructure and security stack principles of a local data center. However, a cloud vendor offering provides a pre-packaged solution that absorbs some operational and security responsibilities from the customer.

Exactly which responsibilities the cloud vendor absorbs depends upon the type of solution. While cloud security offerings provide a wide spectrum of choices, there are three generalized situations to compare against on-premises data centers: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

For each model, the cloud provider hands off different segments of the security responsibilities to the customer. Customers that fail to understand their obligations will likely leave security gaps exposed for attack.

Cloud providers continue to enable more stringent default security for their tools and may also offer tools to support a customer’s security obligations. However, ultimately the customer will hold the full risk and responsibility for proper implementation of their security obligations.

Also read: CNAP Platforms: The Next Evolution of Cloud Security

Shared Security Model: Cloud Provider Responsibilities

Customers of every type of cloud solution benefit by offloading operations and security functions associated with bare-metal infrastructure. Key cloud providers state their obligations differently but generally cover the same parts of the security stack:

  • Amazon Web Services (AWS): “AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.”
  • Microsoft Azure: Instead of providing a statement in words, Azure displays a table illustration of shared and non-shared responsibilities in which Microsoft shows it fully bears responsibility for physical hosts, physical networks, and the physical data center.
  • Google Cloud: With far more detail than AWS or Azure, Google Cloud emphasizes both shared responsibility and a shared fate for security. Its table illustration also goes into more detail and notes Google’s responsibility for hardware, boot, hardened kernel and interprocess communication (IPC), audit logging, network, and storage and encryption of data.

Cloud providers generally will be expected to manage the security and reliable availability of the cloud itself, which encompasses the following security functions:

  • Physical Security: Access to the buildings, the server rooms, and the server racks.
  • Hardware: Access to the bare-metal hardware of the servers, network cards, storage hard drives, fiber optic or Ethernet wiring between servers, and power supplies.
  • Drivers, Firmware, Software: Cloud providers bear responsibility to secure, test, and update the software and code that supports the firmware and the basic software infrastructure of the cloud. This responsibility does not extend to software that customers install on cloud devices.
  • Virtualization Layers: Cloud providers determine the type of virtualization used to create the cloud solution and the security between the solution and the server. The cloud provider will ensure that customers cannot see each other’s infrastructure or access the underlying infrastructure hosting the cloud solution.
  • Network: The cloud provider ensures security for the networking infrastructure supporting the functioning of the cloud and encrypted interservice communications. This does not apply to customer-created networks or connections.
  • Provider Services & Software: Cloud providers may offer a range of services such as databases, firewalls, artificial intelligence (AI) tools, and application programming interface (API) connections. The cloud provider will be responsible for testing and securing these tools as applications, but the customers will be responsible for the settings and how they are used.
  • Storage and Encryption: When a customer’s data is inactive or sitting at rest on a hard drive in a cloud provider’s server rack, the cloud provider will be responsible for encrypting and securing that data. However, the customer must secure that data when the environment is active.
  • Audit Logging and Monitoring: The cloud provider will be responsible for creating and monitoring the log files that track the use of the cloud infrastructure itself.
  • Operations and Availability: Cloud providers are responsible for redundancy and maintenance to keep the cloud environment running. Cloud providers also will be responsible for compliance, certification, security, and incident response related to the cloud infrastructure.

Shared Security Model: Shared Responsibilities

Cloud providers secure the cloud, but customers secure what goes in it. When in doubt, consider the service or the access. The one who built the service will generally be the one responsible for securing it. Similarly, if the customer is able to access and change the security parameters, then they will be responsible for those settings and that layer of security.

IaaS-specific responsibilities

IaaS cloud providers deliver computing environments configured for a specific operating system (OS), such as Linux, Windows Server, Windows PC, and macOS. PaaS and SaaS customers will not be responsible for these security controls because they will be generally handled by their cloud solution or not applicable. IaaS customers take on security layers not required by other cloud customers, including:

OS hardening

The cloud provider might include the OS license in the purchased instance, but the customer bears the responsibility to configure the OS to their needs, and that includes hardening the device for security. Vulnerability testing, patching, and updates also are the responsibility of the IaaS customer. The Center for Internet Security (CIS) provides access to hardened images, CIS Controls and CIS Benchmarks as guidance for deployments.

Network, firewall, and web application firewall (WAF) hardening

IaaS customers bear the responsibility to control the inbound, outbound, and lateral traffic for their cloud-based IT infrastructure (virtual servers, routers, networks, etc.). Most cloud implementations will use virtual versions of gateways, routers, and firewalls that can be deployed in a standardized fashion, but customers still bear the responsibility for their setup, integration, and monitoring.

Customer virtualization

Customers will often launch Kubernetes containers or virtual machines (VMs) within their own environment and will be wholly responsible for their security.

Also read: Cloud Bucket Vulnerability Management

Audit logging and monitoring

The IaaS customer will be responsible for creating and monitoring the log files that track the use of their cloud-based infrastructure. Some reports may be available through the cloud providers, but those reports generally will not encompass virtual machines, containers, or other infrastructure installed by the customer in the environment.

Operations

Customers are responsible for redundancy and maintenance to keep the infrastructure they installed optimized and running. Customers also will be responsible for compliance, certification, security, and incident response related to the cloud infrastructure.

IaaS and PaaS responsibilities

PaaS cloud providers provide more extensive and standardized IT infrastructure, so PaaS customers can focus on developing applications or other dedicated functions enabled by the PaaS platform. IaaS customers will also be responsible for these layers of the security stack that relate to resources installed within the cloud infrastructure.

SaaS customers will not be responsible for these security controls as they are either embedded into their solution or not applicable. Both PaaS and IaaS customers will be responsible for:

Applications logic & code

Even if the cloud provider provides the hardened platform, the customer is responsible for the programs and code installed, running, or communicating on that platform. If the cloud provider provides the code, then they will harden and secure the code itself, but the customers will be responsible for modifications, settings, connections, and access.

Network, API, firewall, and WAF hardening

IaaS and PaaS customers can bear the responsibility to control the inbound, outbound, and lateral traffic associated with installed programs and applications. IaaS customers may have more traditional network configurations than PaaS customers, but PaaS customers can still integrate their cloud applications into their private networks and must secure that traffic.

Malware defense

IaaS customers bear the responsibility to monitor cloud devices for infection, detect attacks in progress, and perform incident response. Cloud providers or traditional anti-malware providers may offer solutions to solve this problem for IaaS customers for an additional fee.

Both IaaS and PaaS customers must monitor their applications, databases, websites, and other installed resources for signs of attack or malicious activity such as unauthorized access, data exfiltration, and distributed denial of service.

Data protection

The cloud provider provides the secure container, but the client needs to make sure the data is secured within that container. Clients should enable controls such as encryption or data loss prevention (DLP) tools to ensure the integrity of data hosted in the cloud as well as to mitigate the risk of data theft.

IaaS and PaaS cloud customers will similarly need to provide network traffic protection controls, such as encryption, integrity, and monitoring, to monitor data in use within the cloud and between the cloud and other resources.

Also read: Exfiltration Can Be Stopped With Data-in-Use Encryption, Company Says

Shared Security Model: Customer Responsibilities

All cloud customers, including SaaS customers, will need to handle security functions fully within their control:

Content

Customers will be fully responsible for securing the storage, transfer, and backup of data to their cloud environment. Data classifications for specific security profiles or compliance obligations will also be the customer’s responsibility.

Data backup

SaaS cloud providers will often be responsible for the integrity and availability of data at rest. However, SaaS providers do not police if changes to that data are authorized or intentional. Customers that accidentally delete or allow attackers to corrupt their data may find the SaaS provider backup does not roll back sufficiently to recover the data. Customers are responsible for the frequency, security, and integrity of their own backups.

See the Best Backup Solutions for Ransomware Protection

Identity and access management (IAM)

Cloud customers bear the ultimate responsibility to establish user identities, verify identities, classify them for access, and verify their access and use of the cloud environment. Customers also bear the responsibility for monitoring and analyzing access for compliance and security purposes.

See the Best Identity and Access Management (IAM) Solutions

Audit logging and monitoring

Cloud providers may provide access to log files that track access to the level of cloud services provided for SaaS, PaaS, IaaS, licensed cloud tools, or other provided cloud architecture. Customers will be responsible for reviewing those provided logs as well as establishing any additional log files they might require for installed PaaS and IaaS infrastructure.

Access security controls

Cloud customers determine the password requirements and multi-factor authentication (MFA) controls suitable to verify access or identity to cloud resources.

Awareness & training

Customers must provide training to their staff to ensure their staff understands how to securely use the cloud environment (SaaS, PaaS, or IaaS) and what anomalies might indicate environmental compromise.

Mind the Security Gaps

Although the concept of shared responsibility provides overall guidelines for what security cloud providers will include within their solutions, customers ultimately will bear the bulk of the risk for failure. Customers should trust, but also find ways to test and verify that the cloud provider continues to hold up their end of the bargain.

Gartner anticipates that, through 2025, 99% of cloud security failures will be the customer’s fault and that 90% of organizations will inappropriately share sensitive data when they fail to control public cloud use effectively. Fortunately, many vendors also offer solutions to help manage cloud security and integrate those solutions with existing IT infrastructure.

However, even when selecting a third-party tool to manage cloud security, security managers need to be aware of where gaps might exist to ensure the tool covers those gaps.

See the Top Cloud Security Companies & Tools

Gaps in coverage

Customers should assume responsibility for any possible shared security until they verify that the cloud provider covers it sufficiently. Customers should review service-level agreements (SLAs) and do vulnerability and penetration testing on their own infrastructure. Only if the cloud provider’s security proves to be sufficient can the customer consider dropping potentially redundant and overlapping solutions.

Keep in mind that the visibility and control points will be different on the cloud, and there will be an adjustment period as security teams new to the cloud learn the variances.

Gaps in cloud implementation variance

Customers with multiple cloud providers cannot assume their security stack will be identical from cloud provider to cloud provider. Some gray zones may be interpreted differently by different vendors, and security should be verified across the entire security stack for each implementation.

Organizations should also regularly check security controls over time or when putting data into different regions. Different regulations may enable or prevent the cloud provider from providing security controls in different jurisdictions. Cloud providers may also implement changes and updates that affect existing security controls and open gaps or cause tool failures.

Gaps in default security

Although cloud providers may provide security, customers may intentionally choose to implement different or redundant security solutions to further mitigate risk. For example, a cloud provider might provide encryption keys for cloud-hosted data, but the organization may decide to use their own keys to improve security.

Gaps for incident response

Incident response teams have their favorite go-to data and tools to investigate, mitigate, and recover from attacks on local infrastructure. Some of this data will be available from cloud infrastructure and some tools will work fine as well. Others require adjustments.

Security teams need to work with operations teams to enable sufficient alerts and logs for potential incident investigation. Simulations should also be run to verify that their planned investigation and incident response methods work sufficiently for the cloud environment.

See the Best Incident Response Tools

Gaps in monitoring

IaaS servers, PaaS applications, and SaaS can be easily started by employees, who might forget to inform security. Security teams need to actively monitor for network traffic to resources that may have escaped inventory to ensure their monitoring strategy can encompass them.

Tools like CASB are one way for IT security teams to monitor such “shadow IT” applications.

Gaps on the periphery

Strong implementation of cloud security does not make an environment immune from compromised credentials, hijacked endpoints, or insider threats from users. Organizations must still secure their users, peripheral devices, and other non-cloud resources.

Understanding Cloud Provider and Customer Responsibilities

Moving resources to the cloud can save enormous operational, financial, and time resources. However, the cloud is not a magic bullet that solves all problems.

The cloud provider will provide a very secure foundation, but the customer is still responsible for knowing what they are building on the cloud infrastructure, whether IaaS, PaaS, or SaaS, and how to secure what they build. Understanding the Shared Security Model is the first step to building a security stack that will protect the organization against risks and adversaries for the long run.

Read next: Top Secure Access Service Edge (SASE) Providers

Chad Kime
Chad Kime
Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.

Top Products

Related articles