Managing Cyber Risk in the Cloud: Understanding the “Shared Responsibility Model” for Cloud Services

• Your contract with your Cloud Services Provider most likely states that you, as the customer, has certain specific cybersecurity responsibilities as you use its services.
• These provisions are often overlooked and/or misunderstood by customer organizations, thus leaving important data, processes and systems vulnerable.
• Review the contracts for each of your cloud vendors carefully to ensure you are aware of your security responsibilities.

Cloud Services Vendor Shared Responsibility Model

For organizations that use one or more cloud services provider, the cloud services “shared responsibility model” is a critical concept for ensuring cloud security.

According to CrowdStrike, “The Shared Responsibility Model is a security and compliance framework that outlines the responsibilities of cloud service providers (CSPs) and customers for securing every aspect of the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating system (OS), network controls and access rights.”

Each of the major cloud services providers publicly explains this model as it applies to their offerings and also provides requirements for security in its customer contracts (typically called “Service Level Agreements” or “SLAs”).

Approaches and Requirements Can Vary

All major cloud services providers follow the Shared Responsibility Model. However, they may take different approaches, have different requirements and use different language in their contracts.

Cloud vendors typically take responsibility for security related to the cloud itself and its underlying infrastructure, but they require their customers to manage their individual organization’s cloud instance(s) and installed applications.

Cloud vendors responsibilities include securing the cloud infrastructure (physical data centers, networking, and server hardware). According to CrowdStrike, this includes:

• The Physical Layer and all associated hardware and infrastructure
• The Virtualization Layer
• Network controls and provider services
• Facilities that run cloud resources

Generally, the customer has responsibility for their use of the cloud infrastructure they are procuring: the security of data, operating systems, and applications as well as access to data and resources. They are also responsible for all compliance requirements. According to CrowdStrike, this means that the customers must provide:

• Identity Access and Management (IAM)
• User security and credentials
• Endpoint security
• Network security
• Security of workloads and containers
• Configurations
• APIs and middleware
• Code

Best Practices for Organizations

Best Practices regarding the Shared Responsibility Model, as provided by CrowdStrike, include:

• Carefully review your contract - it is critical for organizations to carefully review their contract with their cloud vendor to ensure they are fully aware of their security responsibilities.
• Prioritize data security. Cloud customers are always fully responsible for any data stored in the cloud or produced by applications in the cloud.
• Ensure robust identity and access management. The cloud customer is also completely responsible for defining access rights to cloud-based resources and granting access to authorized users.
• Embrace DevSecOps (Development Security and Operations) DevSecOps is the practice of integrating security continuously throughout the software and/or application development lifecycle in order to minimize security vulnerabilities and improve compliance.

Resources

For the major cloud vendors, see their resource page for more information:

• Amazon Web Services
• Google Cloud
• Microsoft Azure

Summaries of the Shared Responsibility Model are provided by:

• ISACA
• Cloud Security Alliance
• Center for Internet Security
• CrowdStrike
• Sentinel One
• Salesforce