The reality of the shared responsibility model

June 17, 2021

Last year spending on public cloud IT infrastructure surpassed spending on traditional IT infrastructure for the first time, according to IDC. It’s easy to see why: Companies “born in the cloud” and more traditional organizations are migrating to the cloud not only for their remote work needs, but also as a way to gain speed, reliability, and flexibility. Benefits aside, there are plenty of pitfalls from cloud adoption that can undermine security and negatively impact operations. Some organizations believe that the use of public cloud services allows them to outsource all of their security needs; while there are great tools from cloud service providers like AWS, Microsoft, and Google, they don’t cover the entire threat surface. Organizations adopting cloud need to know where their security responsibilities lie.

The shared responsibility model delineates the obligations of cloud computing providers and their customers to assign security responsibilities and accountability. Cloud providers and their customers each own various elements of security. In short:

The cloud provider is responsible for the security of the underlying cloud infrastructure.
Customers are responsible for securing the workloads that run on that infrastructure.

At the end of the day, it’s the organization’s responsibility to secure and maintain compliance for their applications and data. Further, it’s important for organizations to understand that each cloud provider has its own unique interpretation of the shared responsibility model. It may not always have been the case, but today we’re seeing cloud providers becoming more transparent in the way they handle security. Amazon and Microsoft each have clearly outlined their views on the shared responsibility model and it’s critical to understand the subtle, though important, differences.

It’s essential for security teams to have an in-depth understanding of these nuances to ensure they have adequate coverage.

To fully account for the shared security responsibility, it’s necessary to maintain complete visibility into the cloud environment. Some businesses avoid moving to the cloud because they fear it would offer them less visibility when, in fact, it’s quite the opposite. The right cloud intrusion detection platform can effectively protect workloads and offer broad and deep visibility across IT infrastructure and applications, by collecting telemetry across the entire stack, to include hosts, containers, container orchestration, and cloud management consoles. Efficiently gathering a comprehensive range of security data helps businesses monitor, audit, and alert on potential security and compliance threats in real time.

Despite rightfully holding the cloud provider accountable to secure the overall cloud infrastructure, it’s still necessary for organizations to ensure the proper policies and controls are in place to protect the applications and services running on that infrastructure. For example, access controls are a best practice because they enable security teams to set and enforce rules and policies regarding when, where, and how cloud hosted services can be accessed and by whom. That said, to be truly effective, access controls must be coupled with monitoring and detection capabilities that surface anomalies and deviations from set policies, so that can be actioned.

Likewise, when it comes to cloud security, organizations must stay laser-focused on maintaining full observability across their workloads. After all, you can’t know what’s happening to your files and data and who’s accessing, modifying, and deleting it, if you don’t have visibility into the events taking place on the host.

While cloud providers are required to hold up their end of the bargain, organizations must also ensure their side of the responsibility equation is met by maintaining full security and compliance visibility and coverage for their entire infrastructure and application stack, and efficiently addressing issues as they surface. The reality is that the shared responsibility model comes with a degree of empowerment. Having control over the security of your cloud workloads makes your organization better equipped to quickly detect threats and remediate issues. With the right policies and controls in place, you can ensure that you uphold your end of the bargain when it comes to shared responsibility of cloud security, and strengthen your security posture.

Chris is the Vice President of Product at Threat Stack, where he is responsible for Product Management and User Experience. He brings more than 20 years of experience leading product teams and building security solutions, including Data Loss Prevention, Enterprise Mobility Management, and Secure Cloud Collaboration. Prior to joining Threat Stack, Chris was Chief Product Officer at Blue Cedar Networks and Senior Vice President of Product Management at Intralinks, a secure cloud collaboration platform. (Image courtesy of Ford)

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.