Shared responsibility model: The complicated relationship between customer and provider in cloud security

Moving IT assets to the cloud offers many benefits to organizations. It can save costs, it can increase convenience for users, and it shifts some (but not all) of the burden of administration and security from the cloud customer to the cloud provider. Defining that division of responsibilities can be tricky, though, especially when it comes to security.

Before you entrust the cloud with your data and applications, it’s important to know just what security measures your provider does and doesn’t provide and what your own responsibilities are, especially in a hybrid cloud environment. Of course, if you’ve already moved to the cloud without thoroughly investigating this aspect of the transition, it’s even more important to do so as soon as possible since you might have security gaps of which you aren’t aware.

Shared Responsibility: What does it mean?

Major cloud providers such as Microsoft Azure and Amazon Web Services (AWS) provide statements on their web sites regarding their shared responsibility models.  This became necessary to clarify that contrary to what some customers might think, moving to the cloud doesn’t mean you put it all in someone else’s hands and never have to worry about security again.

Obviously, the sharing of responsibility means that the customer and the provider each have specific duties when it comes to protecting the customers’ virtual machines and data that are stored on the servers in the provider’s datacenters. But exactly where does one party’s responsibility end and the other’s begin? Do they ever overlap?

To some extent, that depends on the agreement that you have with the provider. There are certain security tasks that logically can only be handled by the customer, such as securing the client computers that are used by its employees to connect to the cloud. There are other duties that very obviously fall on the shoulders of the provider, such as ensuring that physical access to the datacenter is restricted to authorized personnel only.

However, there are also some security measures that might be a little less clear-cut in regard to whose job it is to see that it’s done. To further cloud the matter (pun not intended), different cloud providers may have different policies when it comes to the division of responsibilities, so it’s important to ferret out the details of your provider’s shared responsibility model.

In addition, the division of responsibility will differ depending on the cloud computing model – that is, whether you’re using a Platform as a Service (PaaS), Infrastructure as a Service (IaaS) or Software as a Service (SaaS) offering.

Sharing control

In the early days of cloud computing, the top reason given by companies that were reluctant to embrace the cloud was uncertainty about the security risks. Today much of that concern has dissipated; it has become obvious that the major cloud providers have resources and experience that enable them to provide, in most cases, a higher level of security than most customers are able to do on premises.

However, another big reason for wariness about the cloud is one that probably won’t go away because has a psychological element as well as a practical one: the loss of control. We all know that an airline pilot is much more qualified to safely get us to our destination than we would be if we were sitting in the cockpit, and that our chances of dying in a plane crash are much lower than our chances of being killed in an automobile accident.

Nonetheless, many people feel much more uneasy in a plane (or even in a train or bus) than in their own cars when they’re behind the wheel. And much of that uneasiness has to do with having no control over what happens. Likewise, even though companies know that cloud providers are better equipped to secure their data and applications, they’re uncomfortable with giving up ironclad control over those business resources.

It may actually be a relief to realize that shared responsibility also means shared control; even with the cloud, you do have control over some aspects of securing your IT resources.

Customer and provider responsibilities

As mentioned, the security tasks that fall on you and those that are the province of the provider can vary, but here is a list of some of the primary security-related responsibility and who (customer or provider) is typically responsible for which.

• Data classification. This refers to the process of organizing data into categories. Data classification has multiple purposes; it makes data easier to find, but it also enables you to apply different levels of security to different types of data, as appropriate. Because the cloud provider doesn’t and can’t know which of your data you most need to protect, data classification is practically always the responsibility of the customer.

Cloud providers can make this easier, though, by offering data classification services, such as Microsoft’s Azure Information Protection that can define and implement your data classification schemes. Still, according to Microsoft’s Shared Responsibility chart, data classification and accountability is always the responsibility of the customer, across all computing models.

• Data security. The encryption of sensitive data is generally the responsibility of the customer. Whereas the provider may automatically encrypt data in transit and in storage, in an IaaS environment the customer is expected to configure both client-side and server-side (file system) encryption and protection of network traffic. Amazon states on their AWS site that “customers retain control of what security they choose to implement to protect their own content …”.
• Client security (endpoint protection). The physical security of the computers and other devices with which your users access cloud data is always the customer’s responsibility. The software on those endpoint systems is generally the customer’s responsibility as well, with one exception. In a SaaS environment, updating and patching the software is done by the provider.  When using a cloud-based device management solution, such as Microsoft Intune, you will have responsibility for defining security requirements for the devices and the MDM provider is responsible for enforcing those requirements.
• Application security. Security of managed applications may be handled by cloud provider services, but the customer is still responsible for configuring those services correctly. In an SaaS environment, applications are patched and maintained (and version upgraded) by the provider. In an IaaS environment, customers are responsible for securing the applications on their virtual machines, as well as the operating systems on which they run.
• Identity and access management. Security hinges on identity and access management (IAM). IAM in an IaaS environment, as in on-premises computing, is primarily the responsibility of the customer. The cloud provider may implement authentication services (such as Azure Active Directory services multi-factor authentication) but it’s up to the customer to configure them. Customers can also choose to use third-party SSO solutions.
• Network security. In an IaaS environment, as the indicates the cloud provider is responsible for the network infrastructure and its security. This includes the physical security of the servers, routers, switches and datacenters themselves as well as the logical networks created to connect the virtual machines and the connection of those networks to the Internet. Customers have limited ability to configure network settings.

Summary

Cloud computing takes some of the control, and some of the responsibility for security, away from customers and puts it in the hands of the cloud provider – by not all. There are still important areas of responsibility that are up to you. Some providers, notably Amazon, divide the responsibilities into two parts to simplify this: the provider is responsible for the security of its cloud, whereas the responsibility for security measures in the cloud is still very much something that the customer can and must handle.

For more information about Microsoft’s shared responsibility model, you can download the white paper Shared Responsibilities for Cloud Computing.

For more information about Amazon’s shared responsibility model, see the AWS Shared Responsibility Model web page.