The Truth behind Cloud Security and Shared Responsibility Models

Cloud adoption is now a pervasive trend. Gartner projects the worldwide public cloud spending to reach $397.5 billion by the end of 2022, almost doubling from 2020. IDG’s 2020 cloud computing research found 92% of organizations host at least part of their IT environment in the cloud. 

Hybrid cloud environments, where IT infrastructure, applications, and data are hosted across on-premises data centers and the cloud, are increasingly common. Multi-cloud architecture is another growing trend. IDG research found 55% of organizations (more than half) use multiple public clouds, with 21% saying they use three or more. However, truth be told. These trends have a costly counterpart – new vulnerabilities and attack vectors that threat actors exploit routinely.

The State of Cloud Security

While the cloud fast-tracks business growth with its lower entry barriers, agility, and scalability, the intricate layers of cloud services expose organizations to new threats. Massively interconnected and fluid cloud environments are ripe grounds for attackers to launch sophisticated attacks and hide their tracks, evading detection for months. What does that mean to cloud security?

1. As more businesses adopt cloud services, cybercriminals are switching their focus from on-premises to the cloud.
2. Cloud incidents are increasing in both frequency and complexity. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), external cloud assets were more common targets in breaches than on-premises assets.
3. In public, hybrid, or multi-cloud environments, your IT and security teams are no longer in complete control of the computing environments, causing security gaps and vulnerabilities. Cyber-criminal organizations and nation-state actors are investing resources to exploit these gaps.
4. While advanced cloud-native technologies and security controls make the cloud more secure and reliable, the complexity of these innovations often confuses engineers causing misconfigurations. An IDC research found every 8 in 10 companies in the United States experienced a data breach due to cloud misconfigurations.

Unlike traditional cybersecurity, cloud security involves multiple moving parts and intricate interdependencies. While the cloud service providers (CSPs) are the vanguards of the cloud-native infrastructure, vulnerabilities are not limited to the infrastructure alone. The security vigilance of third-party PaaS and SaaS vendors, the security of the interconnections between the cloud applications, and the security controls that your IT team implements to secure your cloud-hosted applications and data collectively determine the overall cloud resiliency. 

 As more businesses adopt cloud services, cybercriminals are switching their focus from on-premises to the cloud.

Securing the Cloud is a Shared Responsibility

 

An enterprise with on-premises IT infrastructure within its own data center is entirely responsible for securing its infrastructure and the applications and data running on it. When that enterprise transitions its infrastructure, applications, and data to the cloud, either partially or entirely, the security responsibility gets divided among the cloud provider and the enterprise (now a cloud tenant or customer). Each party is accountable for different aspects of cloud security which collectively ensures full security coverage. 

 

The division in responsibilities varies according to the cloud service level agreement between the customer and cloud provider, as specified in the ISO/IEC 17789 standard. The three common models of cloud service offerings are:

• Infrastructure-as-a-Service (IaaS) 
• Platform-as-a-Service (PaaS) 
• Software-as-a-Service (SaaS) 

Since the customer is always in control of its applications and data, separation of duties is essential for ensuring the implementation of the proper security controls. The ISO/IEC 27017 standard recommends a cloud service agreement between the customer and the provider to enumerate these shared security responsibilities to avoid any ambiguity. 

Since the customer is always in control of its applications and data, separation of duties is essential for ensuring the implementation of the proper security controls.

The type of cloud service model decides which party is responsible for which security tasks. According to the Cloud Standards Customer Council (CSCC), customers’ responsibilities usually increase as they move from SaaS to PaaS to IaaS. This is evident in the illustration below of the shared responsibility model from the Microsoft Azure platform.

Figure 1: Microsoft Azure – Division of Responsibility

For example, according to CSCC, in the IaaS service model, the customer is typically responsible for the security of data, application software stack, operating systems, networks, and security elements such as firewalls and identity and access management. The cloud provider is responsible for securing essential cloud infrastructure components, such as virtual machines, disks, and networks. The cloud provider must also be responsible for the physical security of the data centers housing the cloud infrastructure. IaaS customers, on the other hand, are generally responsible for the security of the operating system and software stack required to run their applications and their data.

In a PaaS service model, the cloud provider secures the platform, including OS, middleware, runtime environment, and DevOps. The customer is responsible for secured configurations, user roles, access management, and application life cycle management.

Conversely, in a SaaS model, most security functions are configured and controlled entirely by the cloud provider. The provider is responsible for the infrastructure and software stack, as the customer has less control over these components, according to the CSCC.

Amazon Web Services (AWS), a leading cloud service provider, explains its shared responsibility model as users being responsible for security in the cloud — including their data — while AWS is responsible for the security of the cloud, meaning the compute, storage, and networks that support the AWS public cloud.

Security “of” the Cloud versus Security “in” the Cloud

Amazon Web Services (AWS), one of the major cloud providers, commonly refers to the differentiation of responsibility as Security “of” the Cloud versus Security “in” the Cloud. In any model, AWS is always responsible for protecting the infrastructure, including hardware, software, networking, and facilities that run AWS Cloud services.

Customer security responsibility is determined by the cloud services that a customer selects. For example, Amazon Elastic Compute Cloud (Amazon EC2) is categorized as infrastructure as a Service (IaaS), requiring the customer to perform all necessary security configuration and management tasks.

According to Microsoft Azure, regardless of the type of cloud deployment, the customer is always responsible for its data, endpoints, identities, accounts, and access management.

Figure 2: AWS Shared Responsibility Model

Conclusion

Customers should carefully consider the cloud services they choose as the service model determines their security responsibilities. Customer responsibilities are also determined by the mode of integration of those services into their IT environment and applicable laws and regulations.