Who does what? That isn’t always crystal clear when it comes to security under the Shared Responsibility Model (SRM), and one thing you definitely don’t want is a blurry understanding of your organization’s security posture. To guard against risks and avoid leaving the door open to vulnerabilities in your cloud environment – whether it’s public, hybrid or multi-cloud – it’s critical to clearly define the responsibilities of your own IT team and those of your cloud service provider (CSP). 

The ultimate goal under the SRM is to operate a highly secure environment while lightening your operational load.

Defining the Shared Responsibility Model and its security component

The SRM was developed by major cloud service providers to lay out exactly who is responsible for carrying out operational tasks in the cloud. In relation to security, some functions are taken on by the customer’s internal security team and others by the CSP. It sounds simple, but it can actually be quite complex; how responsibilities are allocated varies greatly across different cloud providers and deployment types. Responsibilities may change as cloud services evolve – and if your organization uses more than one CSP it can become even more confusing.

Generally speaking though, the CSP is responsible for the security of the cloud (the infrastructure) and your organization – the cloud consumer – is responsible for security in the cloud (data and resource configuration). 

There is doubt about data 

There is, however, some ambiguity around which party should be responsible for protecting data in the cloud; under the SRM, data is the cloud consumer’s responsibility, yet many organizations – and even some cybersecurity experts – believe that it falls to the CSP, as is evidenced by these findings:

  • A report by McAfee indicates that 69% of CISOs trust their cloud providers to keep their data secure and 12% believe cloud service providers are solely responsible for securing data.
  • A Gartner report states, “In nearly all cases, it is the user—not the cloud provider—who fails to manage the controls used to protect an organization’s data.” The report goes on to predict that, through 2025, 95% of cloud security failures will be the customer’s fault.
  • In CISO MAG’s recent Cloud Security survey, 76% said the cloud service provider is entirely responsible for the security of the cloud and 40% said it is the responsibility of the cloud consumers.

The key takeaway here? Better to have security overlaps than security gaps.

How security responsibilities are divvied up between your organization and the cloud service provider

The CSP always takes full responsibility for these two aspects of security:

  • Virtualization Layer –  controlling the provisioning of physical resources to protect users, applications and data.
  • Hardware – protecting physical hosts, network and the data center through software and physical means. This also includes back-up, restore and disaster recovery measures.

As stated earlier, protecting organizational data is always up to you – the cloud consumer. That includes data classification and accountability. 

From there, the areas of responsibility become dependent on which cloud service provider(s) you are using and your deployment model of choice (IaaS, PaaS, SaaS, FaaS). This grid from Center for Internet Security provides a general idea of the division of duties in the Shared Responsibility Model.

As more and more organizations rely on the cloud as a foundation for future growth,  it’s critical to clearly define roles and responsibilities for security and ensure best practices are in place.

If you are planning a cloud adoption initiative but have concerns over the role your organization has to play in the shared responsibility model, reach out to our Advisory team. Our Advisory practice offers a range of consulting services that will help build your cloud strategy and support the development of governance, security, and compliance policies.