How the Shared Responsibility Model Works
In cloud environments, the cloud provider and customer share responsibility for the IT infrastructure stack. The cloud provider is always responsible for the physical infrastructure, and the cloud customer is always responsible for its own data.
Everything in between is dependent on the cloud service model in use.
With network control over part of the infrastructure stack comes the responsibility for securing it. For instance, if a cloud customer can deploy virtual machines (VMs) in a cloud environment, they are responsible for using secure VM images and configuring them correctly to protect them against potential attacks.
The cloud shared responsibility model lays out which areas of security are solely the responsibility of the cloud service provider or customer and which they share. At the point where responsibility transitions from one to another, the cloud provider may hold some responsibility but require the cloud customer to configure certain settings as well.
Why is the Shared Responsibility Model Important?
The cloud shared responsibility model is a vital part of ensuring that cloud data and applications are secured against attack. Each cloud provider’s shared responsibility model outlines:
- What security tasks are their responsibility.
- Which are the customer’s.
Cloud customers need to understand the cloud shared responsibility model to know their role in securing their cloud infrastructure against attack.
Examples of Shared Responsibility Models
Each cloud provider has its own shared responsibility model, and these define the breakdown of responsibilities for each of its service models.
The three main cloud shared responsibility models include:
Challenges in Implementing Shared Cloud Responsibility
The responsibility for cloud security is shared between cloud providers and their customers. Some common challenges that cloud users face when trying to do their part include:
- Lack of Understanding: The cloud shared responsibility model lays out the cloud customer’s responsibility for its own security. If an organization doesn’t understand the shared responsibility model, it won’t be able to effectively secure its cloud environment.
- Multi-Cloud Environments: Most organizations have multiple cloud environments and may take advantage of different services within those environments. This means that security teams must understand and comply with a variety of shared responsibility models.
- Limited Visibility and Control: Cloud customers have limited or no visibility and control in lower layers of their IT infrastructure but are responsible for managing the security of higher layers. This limited visibility and control can make it difficult to deploy security solutions capable of meeting an organization’s responsibilities.
- Security Misconfigurations: Fulfilling security responsibilities under the shared responsibility model often means configuring vendor-provided settings and security configurations. Misconfigurations are one of the leading causes of cloud data breaches and other security incidents.
- Regulatory Compliance: Organizations are still subject to regulatory compliance requirements in the cloud, but shared responsibility can make this more complex. Instead of directly managing their security, a company may need to rely on a vendor’s own attestation of cloud compliance.
- Gestione degli accessi: Identity and access management (IAM) is essential in the cloud, but integrating access management can be difficult across multiple cloud platforms. This complexity is exacerbated if shared responsibility means that an organization can’t use the same solution in every environment or is forced to use the cloud provider’s solution.
Best Practices for the Shared Responsibility Model
Some best practices for ensuring cloud security under the shared responsibility model include:
- Understanding the Shared Responsibility Model: The cloud shared responsibility model describes an organization’s cloud security responsibilities. Understanding it is the first step to securing a cloud environment.
- Performing Risk Assessments: Risk assessments are designed to identify potential security risks to an organization. Performing them regularly helps an organization to quickly address any security gaps before they can be exploited by an attacker.
- Implementing Security Controls: Many security best practices are equally applicable on-prem and in the cloud. Data encryption, access controls, and similar solutions should always be part of an organization’s cloud security strategy.
- Ensuring Compliance: Regulatory compliance requirements also apply in the cloud. Verify that your organization and your cloud provider are fulfilling compliance responsibilities.
- Training Employees: Employees may inadvertently take actions that threaten cloud security. Providing training on the cloud shared responsibility model and security best practices helps to protect against these risks.
Shared Responsibility Model with Check Point
The shared responsibility model lies at the core of any cloud security program. To learn more about the cloud shared responsibility model and your responsibilities under it, check out this whitepaper on the shared responsibility model. Implementing an effective cloud security program that meets the security requirements of the cloud shared responsibility model requires a clear cloud security strategy.
To get started, check out Check Point’s cloud security blueprint and Check Point’s security solutions for AWS.