Managing Cyber Risk in the Cloud: Understanding the “Shared Responsibility Model” for Cloud Services
Date
Thu, Oct 10, 2024, 05:00 AM
Cloud Services Vendor Shared Responsibility Model
For organizations that use one or more cloud services providers, the cloud services “shared responsibility model” is a critical concept for ensuring cloud security.
According to CrowdStrike, “The Shared Responsibility Model is a security and compliance framework that outlines the responsibilities of cloud service providers (CSPs) and customers for securing every aspect of the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating system (OS), network controls and access rights.”
Each of the major cloud services providers publicly explains this model as it applies to its offerings and also provides requirements for security in its customer contracts (typically called “Service Level Agreements” or “SLAs”).
Approaches and Requirements Can Vary
All major cloud services providers follow the Shared Responsibility Model. However, they may take different approaches, have different requirements and use different language in their contracts.
Cloud vendors typically take responsibility for security related to the cloud itself and its underlying infrastructure, but they require their customers to manage their individual organization’s cloud instance(s) and installed applications.
Cloud vendors’ responsibilities include securing the cloud infrastructure (physical data centers, networking, and server hardware). According to CrowdStrike, this includes:
Generally, the customer has responsibility for their use of the cloud infrastructure they are procuring: the security of data, operating systems, and applications as well as access to data and resources. They are also responsible for all compliance requirements. According to CrowdStrike, this means that the customers must provide:
Best Practices for Organizations
Best practices regarding the Shared Responsibility Model, as provided by CrowdStrike, include:
Resources
For the major cloud vendors, see their resource page for more information:
Summaries of the Shared Responsibility Model are provided by: