The Shared Responsibility Model and How it Affects Your Cloud Security

Security and compliance are priorities for companies in the cloud. However, cloud security and compliance is not the responsibility of any single entity alone and determining the demarcation line can lead to confusion. Security and compliance in the cloud is a shared responsibility between the cloud service providers (CSP) and their customers.

Under the Shared Responsibility Model, the CSP is responsible for “security of the cloud” which includes the hardware, software, networking, and facilities that run the cloud services. Organizations (the CSP’s customers), on the other hand, are responsible for “security in the cloud” which includes how they configure and use the resources provided by the CSP.

 

AWS Shared Responsibility Model Diagram

 

 

The rapid adoption of computing architecture like serverless, containers, and S3 buckets may leave security and operations teams scrambling to understand their roles and responsibilities in this dynamic environment. How do they effectively address and secure their cloud environment and assets before they are compromised?

Here’s what today’s organizations need to know in order to continue to leverage all the benefits that the cloud has to offer while not compromising on security.

  1. Configuration is the responsibility of the customer. How you configure and use cloud resources are your responsibility. A good rule of thumb is that the CSP’s API is the unofficial demarcation line between what organizations are responsible for and what the CSP is responsible for.
  2. Focus on permissions and access control. Under the Shared Responsibility Model, the CSP is responsible for the security of the cloud. However, the reality is that organizations need to have the right controls in place. Having the proper access restriction and controls in place can go a long way to increase your security in the cloud. For example, not having adequate restrictions or safeguards to prevent unauthorized access to your infrastructure can put your organizations at risk. Access control lets organizations enforce rules and policies that are relevant to their business.
  3. Ensure visibility across the cloud. Lastly, the most important change you can make to fully embrace your responsibility for cloud security is to have full visibility into your cloud. You can’t ensure the security and compliance of infrastructure you can’t see. Perform frequent scans of your cloud to take inventory of your assets and verify compliance.

Understanding where you fit within the model is a first step to improving your security and compliance posture.

Secure Your Cloud

Find security and compliance violations in your cloud infrastructure and ensure they never happen again.