Shared Responsibility & Your Company’s Requirements for Cloud Security

Shared Responsibility & Your Company’s Requirements for Cloud Security

Many companies choose to outsource their cloud management. Moving to the cloud means the business no longer has to bear the costs that go with maintaining servers and an onsite network. The cloud management provider also helps bear some of the responsibility for maintenance and security for the company.

Each one offers different services that work to protect your data when it comes to cloud service providers. However, these services do not entirely take all the responsibility for protecting your business data. Instead, the cloud providers use what’s called a shared responsibility model, which shares responsibility for your environment and the physical network. This means the provider meets their responsibilities, and the rest is left up to you.

In other words, you are responsible for certain parts of your cloud services. That’s the case even if you have a highly comprehensive package with your cloud provider. You’re still in charge of keeping company data safe.

We’ve put together some information about the shared responsibility model and what your shared responsibilities may include with different types of IT services.

What is a Cloud Provider? 

A cloud provider is a company that offers the network required to host a cloud environment, such as a service over the Internet. The provider’s package may include physical hosts, a physical network, and the data centre where the hardware is kept.

Cloud providers usually offer a pay-as-you-go service, which means your costs are based on how much computing power you use. In addition, providers usually group these services into infrastructures as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

What is a Cloud Service Provider (CSP)? 

A cloud service provider (CSP) is a third-party vendor that offers certain components of cloud computing as a service. For example, they may build the cloud environment, much like a cloud provider. The CSP may also manage certain aspects of a private cloud for a business.

You’ll recognise these names, which are cloud providers: Microsoft, Google, and Amazon. Each of these is also CSPs because they offer various cloud services along with the network.

It’s also possible for a Managed service provider (MSP) to also be a CSP. Most MSPs offer cloud management services on demand. These services can include processing data, running virtual machines, and large amounts of storage space.

What is Shared Responsibility? 

Shared responsibility is a model that says cloud providers and their clients are collectively responsible for the cybersecurity of the client’s environment and the data it contains. In other words, the cloud provider is responsible for security in the cloud, and the customer is responsible for the security of what is kept in the cloud.

As a client, you’re responsible for securing and governing your company’s data. The cloud providers are always responsible for the security of the network running your cloud.

With the division of responsibilities, the end result may be that some responsibilities fall through the cracks. This is where a CSP or MSP can fill the gap. They manage any other responsibilities not covered by the cloud provider. Thus, you won’t be left with all the responsibility of managing customer data, data governance, content, rights management, and more.

What are the Responsibilities of a Cloud Provider? 

The cloud provider keeps your cloud infrastructure safe and secure. This usually includes the cloud servers and data centres. It may also include the software that runs your company’s cloud and the network that your data needs to travel from the cloud to the endpoints.

The provider must also provide the capability for clients to uphold their duties. In other words, the cloud provider must provide services that keep your business running.

What are the Responsibilities of the Client? 

As a client, you’re responsible for what’s in the cloud, including the data in the cloud and the individuals who access the data. You may also be in control of the configuration of the environment. In addition, you’re responsible for access management, the data, endpoints, and accounts.

You must provide and maintain security guidelines. A cloud provider cannot set up security groups, permissions, or access assignments for you.

What is Data Governance? 

Data governance is the way data is handled, made available, and how it’s secured. Policies are needed to determine how data can be used and what methods need to be in place to protect sensitive information.

Governance also includes data classification and how it is sorted. When data is not classified correctly, compliance issues can arise.

Under the shared responsibility model, data governance always falls to the client.

What are Client Endpoints?

Client endpoints are the destination of any data transfer, which may include hardware such as a smartphone, laptop, or desktop. As a result, endpoints are some of the most vulnerable attack points for cybercriminals. For this reason, endpoints must be highly secured.

Under the shared responsibility model, client endpoint security always falls to the client. However, an MSP can offer assistance in creating and implementing security policies.

What is Account & Access Management? 

Account management is the process of creating and assigning profiles to users. Access management controls the permissions for each user on the system. Data restricted using these methods is more secure, making it harder for cybercriminals to steal and misuse the information.

The best account and access management policies use both authentication and authorisation for each account. Authentication methods work to verify the identity of a person trying to access the data. Authorisation processes determine when and how an authorised person can access the data.

Under the shared responsibility model, account and access management are a shared responsibility when using PaaS and SaaS. However, when using IaaS on-premises, the client bears full responsibility.

What are Application-Level Controls?  

Application-level controls are settings that prohibit or allow applications to operate in different ways. In other words, the function of some business applications is limited, making it more difficult for unauthorised apps from making data more vulnerable to cyberattacks.

Under the shared responsibility model, application-level controls are shared when using PaaS. However, for IaaS on-premises, the client is fully responsible.

For SaaS, the cloud provider has total responsibility. What’s more, an MSP can help monitor application-level controls to ensure company data remains safe. They can also use intelligent monitoring to secure backups.

What are Network Controls? 

Network controls manage the communication and interoperability of the company’s network. Network controls include setting up load balancing, domain name systems (DNS), and virtual networks.

Under SaaS, network controls are the full responsibility of the cloud provider. Under PaaS, responsibility is shared. For IaaS, responsibility is entirely on the client.

What are Host Infrastructure & Security? 

Host infrastructure is the management and configuration of platform services. It also includes computing and storage in the cloud.

Under PaaS and SaaS, host infrastructure is the responsibility of the cloud provider.

With IaaS, the host infrastructure is a shared responsibility between the cloud provider and the client. In this instance, the client needs to configure their own permissions and network controls.

What is Physical Security? 

Physical security is the security of the servers, server rooms, and data centres that host the public cloud.

If the server is hosted on-premises, it is the responsibility of the company. However, if a cloud provider is hired, they bear full responsibility for the network’s physical security, even under the shared responsibility model.

Summing It Up

Moving to the cloud is an excellent option for many companies; however, remember that the responsibility of keeping your environment secure is not only with the cloud provider. Your company may also be responsible for certain aspects of the cloud too. So, be sure to know and understand your responsibilities to keep your cloud safe and secure from cyberattacks and other possible risks.