What Is Cloud Security & The Shared Responsibility Model?
At a time when cyber attacks are a growing concern and the average data breach costs $4.45 million, security in general, and cloud storage security in particular, is more important than ever. More than 60% of corporate data is stored in the cloud, and almost half of data breaches are cloud-based, which means the right security solutions are essential to keeping your business or organization’s data safe and secure.
With cloud security also comes the important consideration of shared responsibility. In other words, who is ultimately responsible for security — the user or the cloud service provider (CSP)?
How Does Cloud Security Work?
Let’s first review the differences between security in the cloud versus a traditional data center.
A traditional data center, which houses information onsite, includes physical infrastructure such as servers, routers, hardware and cooling systems. These centers are secured in a variety of ways, including physical measures such as alarms and security staff, and software measures such as firewalls and multi-factor authentication. In this type of model, the business or organization is responsible for the data.
The cloud, on the other hand, allows for the storage of data on a network of remote servers that are hosted by a third party, such as Amazon, Google or Microsoft.
Cloud security refers to technology that protects this data from internal and external risks; it’s important to note that some of these measures may also be used in traditional data centers. Examples of cloud security include anti-virus software, multi-factor authentication, cloud-based archiving solutions, encryption, data compliance solutions, software-as-a-service (SaaS) and virtual private networks (VPNs).
When it comes to cloud security, a shared responsibility model is often a beneficial solution; this refers to an agreement between the hosting provider and the business or organization that outlines which entity is responsible for what when it comes to security.
What Is the Cloud Shared Responsibility Model?
In a cloud shared responsibility model, the cloud provider is responsible for the security of the cloud itself, whereas the user is responsible for the security of the data stored within the cloud.
This, however, is a general definition, and the specifics of a shared responsibility model may differ depending on the provider. Even then, there may be some gray areas of responsibility that can lead to some confusion.
For example, Amazon’s Shared Responsibility Model details the following responsibilities between the cloud service provider and user:
- Amazon Web Services — Responsible for protecting the infrastructure, which includes hardware, software, networking and facilities that run the cloud services
- Customer/user — Responsibilities are determined by the type of services that are selected. For example, Amazon Elastic Compute Cloud (EC2) is an Infrastructure as a Service (IaaS); customers are responsible for security configurations, management tasks, updates, security patches and software or utilities installed by the customer.
Determining Accountability in the Shared Responsibility Model
Responsibilities will differ depending on the type of cloud service model.
Software as a Service (SaaS)*
In this popular model, vendors are typically responsible for infrastructure, application management and security, including access, servers, networking, data storage, updates and patches. The customer is responsible for the information and data, the devices on which the applications are accessed and any accounts and identities. Examples of SaaS models include Salesforce, Microsoft 365, Google Workspace, Zoom and Shopify.
Infrastructure as a Service (IaaS)
The IaaS model enables customers to access on-demand computing resources that are easily scalable. The cloud service provider manages the infrastructure, and users only pay for what they need.
Cloud security is a shared responsibility, with the provider handling the resources, hardware, patches, storage and other aspects of the physical network. Customers are responsible for user access, data security, applications, the operating system and virtual network controls.
Platform as a Service (PaaS)
PaaS provides a model that enables users to develop, test and deploy applications to scale without investing in the hardware or software needed. PaaS provides everything in a “pay-as-you-go” model — including the infrastructure, operating systems and tools.
| | SaaS | IaaS | PaaS |
|---|---|---|---|
| Cloud Service Provider Responsibilities | Application code; Infrastructure; Updates, bug fixes and overall maintenance; Operating system; Scaling | Infrastructure; Billing management | Hardware and software resources |
| User Responsibilities | | Operating system; Middleware; Data; Applications; Virtual network controls; Scaling | Code; Data; Applications; Scaling |
*This section includes information from Microsoft, Google and IBM.
Benefits of the Shared Responsibility Model
A cloud service provider brings specialized knowledge, expertise, experience and resources to the table, all of which users can leverage to ensure their data is as safe and secure as possible.
CSPs focus 24/7 on the cloud, which means they not only devote significant resources to maintaining security but also stay up to date on the latest technology, patches, potential risks and security measures.
A shared responsibility model can also remove some of the burden from your IT team, which can free up employees to tackle other important projects or challenges.
One of the best ways to ensure the safety and security of your data is through a comprehensive archiving solution. We encourage you to request a free copy of our eBook How to Choose the Best Email Archiving Solution for more information, and don’t hesitate to reach out to a member of the Intradyn team with any questions.
Azam is the president, chief technology officer and co-founder of Intradyn. He oversees global sales and marketing, new business development and is responsible for leading all aspects of the company’s product vision and technology department.