When it comes to protecting the public cloud, the provider and the company using the cloud share the responsibility. The shared responsibility model defines precisely how.
Text: Christoph Widmer, Images: tnt-graphics, 28 May 2019
Computing power at the touch of a button. Business-relevant applications that can be accessed at any time. Prefabricated development environments that are available to IT departments: The cloud has fundamentally changed the way IT is consumed. However, the issue of information security (IT security, information and data protection) has also become more complex as a result. The security of the public cloud in particular often leads to misunderstandings and false assumptions among cloud consumers. As much as they are used to classic outsourcing models and want to be unburdened in terms of security, they cannot simply pass on the issue of cloud security entirely to the cloud provider. Cloud consumers are jointly responsible for cloud security if they really want to obtain applications, development environments and/or virtualised server instances securely from the public cloud.
“In principle, the cloud provider is responsible for the security of the cloud infrastructure, while the cloud consumer is responsible for security within the cloud.”
Klaus Gribi, Swisscom Senior Security Consultant
The shared responsibility model defines the respective areas of responsibility of cloud users and cloud providers. Originally formulated by Amazon Web Services and Microsoft Azure, the division underlying this responsibility model for security and compliance is now also employed by other cloud providers. “Essentially, shared responsibility distinguishes between the security of the public cloud itself and security within the public cloud,” explains Swisscom Senior Security Consultant Klaus Gribi. “In principle, the cloud provider is responsible for the security of the cloud infrastructure, while the cloud consumer is responsible for security within the cloud.”
Microsoft Azure shared responsibility model.
The responsibilities vary depending on the cloud service model that the cloud consumer is using:
The shared responsibility model is often only a rule of thumb, however: the technical areas for which cloud consumers and providers are responsible can differ from case to case. “Although an IaaS customer is responsible for cloud security from the operating system level, some providers also install components in the operating system, e.g. to monitor the performance of virtualised instances,” Gribi explains. “Shared responsibility is therefore subject to provider-specific limits that may be dynamic.”
What’s more, a cloud consumer may also outsource individual tasks. If, for example, he chooses a managed OS of an IaaS instance, responsibility for the operating system no longer lies with him, but with the cloud provider or third-party provider. However, under certain circumstances, firewall management may remain a task for the cloud consumer. Shared responsibility is thus becoming more complex. The service level agreements (SLAs) of the cloud provider define exactly how the responsibilities are divided between the provider and the consumer in each case. That’s why cloud consumers must study the SLAs in detail. Only then can they take appropriate security measures themselves and provide the best possible protection at their end for the cloud services they use.
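Firewall management is one of the tasks that stays with the consumer even when the operating system of an IaaS instance is managed by someone else, so it is a good illustration of what “security within the cloud” means in practice. The following script is an added example and is not code from the article, from Swisscom or from any cloud provider: it audits a set of ingress firewall rules for exposures that are the consumer’s responsibility to fix. The rule format (the `name`, `protocol`, `port_from`, `port_to` and `source` fields) and the sample rules are constructed for the example; a real provider exposes its security-group rules through its own API and field names.

```python
import ipaddress

# Constructed sample ingress rules in a hypothetical, provider-neutral format.
# The field names are assumptions for this example, not a real provider's API.
SAMPLE_RULES = [
    {"name": "web-https", "protocol": "tcp", "port_from": 443, "port_to": 443, "source": "0.0.0.0/0"},
    {"name": "ssh-anywhere", "protocol": "tcp", "port_from": 22, "port_to": 22, "source": "0.0.0.0/0"},
    {"name": "rdp-office", "protocol": "tcp", "port_from": 3389, "port_to": 3389, "source": "203.0.113.0/24"},
    {"name": "all-tcp-internal", "protocol": "tcp", "port_from": 0, "port_to": 65535, "source": "10.0.0.0/8"},
    {"name": "any-any", "protocol": "-1", "port_from": 0, "port_to": 65535, "source": "0.0.0.0/0"},
]

# Management services that should never be reachable from the whole internet;
# they belong behind a bastion host, a VPN or an allow-list of admin networks.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm-http", 5986: "winrm-https"}


def is_world_open(source: str) -> bool:
    """True when the source CIDR admits every IPv4 (0.0.0.0/0) or IPv6 (::/0) address."""
    net = ipaddress.ip_network(source, strict=False)
    return net.prefixlen == 0


def audit_rules(rules):
    """Return (rule name, severity, reason) findings for ingress rules that expose
    the instance to the internet. Restricted sources are out of scope for this check;
    the provider secures the network fabric, the consumer decides what it lets in."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue
        lo, hi = rule["port_from"], rule["port_to"]
        # "-1" is used here as the constructed marker for "all protocols".
        if rule["protocol"] == "-1":
            findings.append((rule["name"], "critical", "all protocols and ports open to the internet"))
            continue
        exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
        if exposed:
            names = ", ".join(f"{p}/{MANAGEMENT_PORTS[p]}" for p in exposed)
            findings.append((rule["name"], "high", f"management port(s) {names} open to the internet"))
        elif hi > lo:
            findings.append((rule["name"], "medium", f"port range {lo}-{hi} open to the internet"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_rules(SAMPLE_RULES):
        print(f"{severity.upper():8} {name}: {reason}")
```

Run against the constructed rules, the audit flags the SSH rule open to the internet and the all-protocols rule, and passes the HTTPS rule and the two rules restricted to specific networks. Which findings a consumer must act on depends on the SLA: under a managed-OS arrangement the provider may patch the host, but the ingress rules above remain the consumer’s decision.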
In addition to these technical aspects, shared responsibility also extends to other factors. For example, cloud consumers need to determine how their chief information security officer can collaborate with the cloud provider’s security organisation:
“The topic of cloud security thus does not end at the technical security level, but also affects cloud consumers from an administrative and organisational perspective,” Gribi notes. “These factors are therefore fundamental from as early as the evaluation and selection of a suitable cloud provider.”