The Shared Responsibility Model is a security and compliance framework that outlines the responsibilities of cloud service providers (CSPs) and customers for securing every aspect of the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating system (OS), network controls and access rights.
In its simplest terms, the Shared Responsibility Model dictates that the cloud provider—such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP)—must monitor and respond to security threats related to the cloud itself and its underlying infrastructure. Meanwhile, end users, including individuals and companies, are responsible for protecting data and other assets they store in any cloud environment. Unfortunately, this notion of shared responsibility can be misunderstood, leading to the assumption that cloud workloads – as well as any applications, data or activity associated with them – are fully protected by the cloud provider. This can result in users unknowingly running workloads in a public cloud that are not fully protected, making them vulnerable to attacks that target the operating system, data or applications. Even securely configured workloads can become a target at runtime, as they are vulnerable to zero-day exploits.

Shared Responsibility across the three cloud service delivery models

There are three main cloud service models:

Software as a service (SaaS): SaaS is a software delivery model wherein the vendor centrally hosts an application in the cloud that can be used by a subscriber. In this model, the provider is responsible for application security, as well as its maintenance and management.

Platform as a service (PaaS): PaaS is a platform delivery model that can be purchased and used to develop, run and manage applications. In the cloud platform model, the vendor provides both the hardware and software generally used by application developers; the service provider is also responsible for security of the platform and its infrastructure.

Infrastructure as a service (IaaS): IaaS is an infrastructure delivery model wherein a vendor provides a wide range of compute resources such as virtualized servers, storage and network equipment over the internet. In this model, the business is responsible for maintaining security of anything they own or install on the cloud infrastructure, such as the operating system, applications, middleware, containers, workloads, data and code.

Each of these cloud delivery models is subject to the concept of shared responsibility. However, ownership of security tasks and functions varies depending on the delivery model in use.
The Shared Responsibility Model in practice

Direct Control

While the Shared Responsibility Model is based on the idea that two or more parties play a role in ensuring security of distinct elements within the public cloud environment, it is important to note that the customer and CSP do not share responsibility for the same asset. Rather, either the CSP or the customer has full and complete responsibility for the security of all assets under their direct control, regardless of the service model type. For example, the customer will always have responsibility for data security, compliance and access regardless of whether they are following a SaaS, PaaS or IaaS model. Practically speaking, this is because CSPs have no visibility into data that is stored in the public cloud and therefore cannot effectively manage data security or access. Customers are typically also responsible for:
Meanwhile, the cloud provider—such as Amazon, Microsoft or Google—is responsible for areas over which it possesses direct control. This typically includes security of:
Divided responsibilities

In some IaaS and PaaS models, security responsibilities may vary depending on the cloud provider or the terms outlined in the service level agreement (SLA). For example, when it comes to a network control like a firewall, the cloud service provider may be responsible for providing the firewall service. However, it is up to the user to manage all other aspects such as configuration, rules, monitoring and response. While both parties play a role in the security element, the responsibilities are still clearly defined and divided. Likewise, if a customer is using a public cloud data storage service offered by a CSP, then the cloud provider is responsible for all aspects of that cloud datacenter, including security, monitoring, maintenance and updating. However, the customer is still wholly responsible for securing any data within the cloud environment, as well as ensuring only authorized users can access it. Based on the concept of divided responsibility, no party has authority over another in terms of how they protect their assets. For example, a customer cannot dictate how or when their CSP performs monitoring and testing. That said, the service agreement should outline the steps the provider will take to protect customers, as well as how documentation for that activity will be shared. Typically, cloud vendors produce regular audit reports to confirm that they are taking the necessary and proper steps to protect their customers.

Shared Responsibility Model Advantages

While a shared security model is complex and requires careful consideration and coordination between the CSP and customer, the approach offers several important benefits to users. These include:
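The firewall case above is where the division bites in practice: the provider runs the firewall service, but the rule content is the customer's. As an added example (not from the original article), the script below audits customer-managed AWS security group rules for management and database ports exposed to the whole internet. The input is constructed for the example and shaped like the IpPermissions part of a describe-security-groups response; no live API call is made, and the port list and group IDs are assumptions.

```python
"""Audit customer-managed firewall rules (AWS security groups) for exposure.

Added example: the provider supplies the firewall, the customer owns the rules.
Input is constructed, modelled on describe-security-groups output (no API call).
"""

# Ports that should not be reachable from 0.0.0.0/0 (assumption for this example).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = ("0.0.0.0/0", "::/0")  # "anywhere" in IPv4 and IPv6


def _port_range(perm):
    # IpProtocol "-1" means all traffic, so every port is in scope.
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit_security_group(group):
    """Return (group_id, port, service, cidr) for each world-open sensitive port."""
    findings = []
    for perm in group.get("IpPermissions", []):
        low, high = _port_range(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in WORLD:
                continue  # scoped to a specific range: customer did their part
            for port, service in SENSITIVE_PORTS.items():
                if low <= port <= high:
                    findings.append((group["GroupId"], port, service, cidr))
    return findings


# Constructed samples: a weak group beside its corrected form.
WEAK_SG = {"GroupId": "sg-weak-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # SSH to the world
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all traffic, IPv6
]}
HARDENED_SG = {"GroupId": "sg-hardened-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},     # admin range (constructed)
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # public HTTPS is intended
]}

if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        print(sg["GroupId"], audit_security_group(sg))
```

Running it against the weak group reports SSH open to IPv4 and all four sensitive ports open to IPv6, while the hardened group produces no findings because only HTTPS is intentionally public.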
Shared Responsibility Best Practices

As organizations shift to the cloud, many are defining their relationships with CSPs for the first time. As companies navigate this complex territory, we offer the following best practices:
CrowdStrike’s Cloud Security Solutions

CrowdStrike has redefined security with the world’s most advanced cloud-native platform that protects and enables the people, processes and technologies that drive modern enterprise. The industry continues to recognize CrowdStrike as a leader, most recently with CRN naming CrowdStrike a Winner of the 2022 Tech Innovator Award for Best Cloud Security. Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon® Platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities. Learn more about CrowdStrike’s Cloud Security Solutions – including our services specific to AWS, GCP, and Azure, below:
Which task is shared between AWS and the customer according to the AWS shared responsibility model?

Security and compliance are shared responsibilities between AWS and the customer. Depending on the services deployed, this shared model can help relieve the customer's operational burden.

Which of the following is the customer's obligation under the AWS shared responsibility model?

Customer Responsibility: The customer is responsible for the security configuration or firewall (like security groups), Identity and Access Management (IAM), client- and server-side encryption and customer data.

Which of the following is the responsibility of AWS under the AWS shared responsibility model (select the best answer)?

Maintaining physical hardware is the responsibility of AWS under the shared responsibility model.