Chapter 23. The Key to Success in Your Cloud Journey Begins with the Shared Responsibility Model

Dominique West

Whether you are new to the cloud or a seasoned technology professional, fully understanding the shared responsibility model and the role this framework plays in your organization’s digital transformation is paramount. Rest assured you are not alone if this framework is new to you or if understanding it has been confusing—many studies, including one by Help Net Security, have indicated that 7 out of 10 organizations suffered a public cloud security incident in 2020, with 66% of them being the result of an exploited misconfiguration. So how can you make sure your organization is not part of this growing statistic? Let’s take a look at what this framework is and how to put it into action.

What Is This Framework and Why Should It Apply?

Many organizations and security professionals have been following the perimeter-based model for quite some time (probably since the dawn of cybersecurity), and it is easy to see why. Security largely has to do with control, and in the pre-cloud era, control covered everything inside the organizational perimeter. Unfortunately, this model does not apply to our current digital age, as the cloud shatters your perimeter into a thousand pieces that can be difficult to keep up with. The shared responsibility model emerged as a way to help security professionals understand how security controls apply in the cloud.

The shared responsibility model is a framework that defines who is responsible for what when it comes to security in the cloud. Put simply, you, as the cloud user, and your cloud service provider (CSP) are accountable for different aspects of security for the cloud products you use. The level of accountability varies greatly depending on the service. For example, if you utilize a SaaS product, you are typically only responsible for the data you use with this product, whereas the CSP is responsible for all other aspects of security across the tech stack needed to use the product. Conversely, if you use an IaaS product, your level of security responsibility can increase exponentially, and not fully understanding that responsibility can lead to data exposure. In fact, a study by KPMG found that only 8% of IT security leaders felt they fully understood the shared responsibility model. Placing sensitive data in cloud products without understanding how those services function is one of the leading causes of misconfigurations and human errors. So to be on the safe side, make sure you know the different cloud computing service models and how security is managed in each.

How to Put This Framework into Action

Now that you know what the shared responsibility model is, and hopefully understand the different cloud service models as well, how can you put this framework into action as you accelerate your organization’s journey to a cloud-first transformation? Begin by making sure you communicate your needs to your cloud service provider and understand the solutions being presented to solve them. Most cloud providers are transparent about their security responsibility for their products, and if you are unsure, ask questions! Additionally, leverage tools as a way to mitigate human error in the cloud—both this framework and actual technologies that can manage, monitor, and alert on misconfigurations. Lastly, make sure your teams are getting the resources they need to be successful in this journey. Cloud digital transformations present a great opportunity to upskill your teams and get them engaged, so leverage them! Overall, beginning with this model will help you stay out of the headlines and keep your data secure.
