Intro to Cloud Security & the Shared Responsibility Model
Updated: Jan 5, 2022
What does cloud security really mean and who is responsible for it?
For the past decade, the use of “the cloud” has become more and more prominent both in organizational infrastructure and our own personal lives. We all use the cloud every day: Google Drive, Google Photos, iCloud, OneDrive, and the list goes on.
But what exactly is the cloud? And what impacts does it have on information security practices?
In this article, I’ll be discussing the various aspects of cloud security and how the Shared Responsibility Model helps us understand who is responsible for cloud security.
What is the Cloud?
In simple terms, the cloud is a software-based approach to infrastructure that is accessed via the Internet. It makes our lives easier in more ways than one, but above all else, it’s more efficient and scalable than hardware-based solutions.
Consider local storage versus cloud storage. A 100 GB USB drive costs 10–12 US dollars. 100 GB of cloud storage on Google costs $2. This is a very simple example of cost savings as it relates to cloud storage, but we can also consider scalability.
Purchasing the USB would require either going to a local store to purchase one or ordering it online and having to wait a few days for it to be delivered. On the contrary, purchasing cloud storage takes seconds and is available to you right away. This enables individuals to purchase more and more storage as needed and without the added hardware requirements.
Hardware-based storage solutions hinder scalability because of the cost and additional hardware. If we consider a corporate environment, additional hardware means rack space and rack space costs more money, so you can see how that would make it harder to scale.
Rack space is simply the space within a data center meant for “racking” storage appliances, servers, network equipment, and other pieces of hardware that exist in an organization’s infrastructure.
So considering the above scenario, we can understand why so many companies are ditching on-premise solutions and moving to the cloud.
Unfortunately, many organizations move to the cloud without fully considering what that means from a security perspective. And what’s worse is some companies think by moving to the cloud, they’re essentially washing their hands of all security responsibilities and transferring them to the provider.
A Brief History of Cloud Security
The cloud was born in 2006 when Amazon announced its first cloud service: EC2. Shortly thereafter, organizations began adopting this new technology, leading information security professionals to start asking questions about the security of the cloud, including: how are we going to secure it?
In 2008, Jim Reavis presented at a conference in Las Vegas and, after discussing emerging technology trends, included a call to action for securing the cloud.
It was then that the Cloud Security Alliance was born. This group continued to develop over the next three to four years, creating the foundations of cloud security best practices and models for organizations to follow, like the Cloud Controls Matrix (CCM).
Naturally, as the cloud security best practices were developed and early cloud adopters began implementing controls to better secure their platforms, questions around who was going to be responsible for what started cropping up.
Enter: The Shared Responsibility Model
Who Is Responsible For Cloud Security?
With the rise in the use of cloud computing two things were happening:
People were moving to the cloud and doing zero to ensure the security of their data, applications, and systems running within their platform.
Threat actors were taking advantage of this new, very insecure technology.
To help combat this, cloud providers began creating their own versions of what’s now referred to as the Shared Responsibility Model. This model was a way to eliminate the blurred lines and confusion around who was responsible for securing what.
For example, if I build a virtual machine in the cloud, inadvertently expose it to the Internet, and it gets compromised, is the cloud provider liable because the server is running on their platform, or is the customer liable because they built a server and exposed it to the Internet?
The shared responsibility model helps us answer questions like that and determine who may be held liable for any number of cyberattacks or data breaches that can occur in the cloud.
As I mentioned, each cloud provider has adopted its own model, so let’s look at the three big ones: AWS, Azure, and Google Cloud.
In the diagram above, we can see Amazon has broken out some overarching categories: Hardware/Global Infrastructure, Software, Operating System, Network/Firewall, Platform, Applications, Identity Management, and Data.
Underneath some of those broader categories, they clarify what those entail, for example, Hardware and Global Infrastructure encompasses the various regions, availability zones, and edge locations within the AWS infrastructure.
Now looking at this, we can clearly see the top half defines the areas a customer is responsible for securing, and the bottom half covers what AWS is responsible for.
Additionally, on the left, we can see Amazon is using some different verbiage to hammer home their security model:
The customer is responsible for security in the cloud
Amazon is responsible for the security of the cloud
What’s the difference?
Let’s start with the security of the cloud. This concept addresses the safety of the cloud. In other words, is Amazon doing its part to ensure customers can safely operate on its platform? This includes the physical security of Amazon data centers, the integrity of transactions being processed on the platform, and the availability and integrity of the data being stored on it.
On the contrary, security in the cloud addresses the need for security controls to be implemented within a customer’s tenant, like access control, data encryption, and firewall configuration.
Now let’s consider Microsoft and Google’s respective approaches. The first difference you may have noticed is both have their model split out by the type of cloud: IaaS, PaaS, and SaaS (Infrastructure, Platform, and Software-as-a-Service).
Each of those cloud models puts more or less security responsibility on the provider or the customer, because more or less of the supporting infrastructure is under the provider's control.
When leveraging an IaaS cloud model, the customer has control over their compute, storage, and networking resources; therefore, some of the security responsibility falls on them. As you can see in Microsoft’s model, “Host Infrastructure” security is shared between them and the customer, and in Google’s model, Google’s responsibility for security stops at the Guest OS level.
PaaS is a little bit different because, in this cloud model, the cloud provider hosts the platform, usually the Operating System and any required middleware. As a result, less responsibility falls on the customer because the cloud provider is now fully responsible for the host infrastructure and network security.
Where Microsoft and Google differ is that Microsoft defines Application-level security and identity management as a shared responsibility between them and the customer, while Google has decided to fully own the security of authentication, operations, and identity management.
Finally, if we look at the SaaS security responsibilities, we can see in both cases the customer has the least amount of onus.
Again, Google seems to take on a little more of the responsibility with respect to the product deployment and usage, where Microsoft has defined identity management and client protection as shared responsibilities.
Taking a step back to consider each of these three providers' models, there is one crucial commonality that unfortunately many customers don’t pay attention to: in all cloud models, the customer is always responsible for the security of their data.
While the cloud provider has a duty to provide mechanisms for implementing cloud security best practices, the responsibility of actually applying those security mechanisms and controls falls to the customer.
Cloud customers must always perform their due diligence, just like they would for on-premise solutions, to classify their data, define levels of access, implement access controls, and of course, encrypt all sensitive data.
It’s also crucial for cloud users to continually assess their environment for misconfigurations. Misconfigurations are essentially human errors, whether accidental or deliberate, that lead to inadvertently exposed data. This could be allowing more than just a specific IP range to RDP to a server, or deploying a database that’s exposed to the Internet.
Given that cloud misconfigurations are one of the leading causes of data breaches and cyberattacks, it’s imperative cloud customers fully understand that the security of their data in the cloud is wholly up to them.
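One way to put the misconfiguration check above into practice, as an added example that is not from the article: a small Python scan over security-group rules in the shape of AWS's `IpPermissions` structure, flagging RDP or database ports reachable from broad public source ranges. The sample groups are constructed, and the database port list and the /24 "specific range" threshold are assumptions.

```python
import ipaddress

# Ports the article calls out: RDP, plus common database listeners.
# The database port list is an assumption for this example.
WATCHED_PORTS = {3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample data in the shape of AWS security-group IpPermissions
# (assumed structure; not taken from a live account or from the article).
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-jump", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},      # specific range: fine
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},           # RDP from anywhere
    {"GroupId": "sg-example-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]}]},
]

def is_broad_source(cidr, min_prefix=24):
    """True when a source range is wider than a 'specific' public range.
    Private ranges are skipped; the /24 threshold is an assumption."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0: the whole Internet
        return True
    return net.version == 4 and not net.is_private and net.prefixlen < min_prefix

def rule_covers_port(perm, port):
    """A rule exposes a port if it is all-traffic (-1) or its range spans it."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def find_exposures(groups):
    """Return (group id, service, port, source cidr) for each watched port
    reachable from a broad public source range."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_broad_source(cidr):
                    continue
                for port, service in WATCHED_PORTS.items():
                    if rule_covers_port(perm, port):
                        findings.append((group["GroupId"], service, port, cidr))
    return findings

if __name__ == "__main__":
    for gid, service, port, cidr in find_exposures(SAMPLE_GROUPS):
        print(f"{gid}: {service} (tcp/{port}) reachable from {cidr}")
```

The same functions can be run over the output of a real `describe_security_groups` call, since they only read the `IpPermissions` fields shown here.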
What Does This Mean For Cloud Customers?
As I mentioned earlier, the point of the Shared Responsibility Model is to help clarify who is responsible for what when it comes to cloud security. These models also help us to understand the various aspects of security that need to be considered when operating in a cloud environment.
Too often, individuals and organizations think that going to the cloud will transfer all security responsibilities to the provider, which is far from the truth.
If the Shared Responsibility Model teaches us anything it’s the answer to the question I posed at the beginning of this article: Who owns cloud security?
The answer might be quite obvious by now: It’s shared.
For organizations considering moving to the cloud, it’s important to be aware of the fact that, although there is no hardware to secure, there are still plenty of other security considerations that exist, whether you’re operating in the cloud or not.
Prior to making the decision to adopt a full cloud model or even a hybrid one, it’s important organizations assess what the shared responsibility means for them in terms of cost, ROI, and administrative overhead. It’s also important to consider any industry regulations that may be applicable when operating in the cloud and how the provider can (or can’t) help you achieve compliance.
As I’ve said in previous articles, there’s no silver bullet to information security and the same holds true for security in and of the cloud. It’s up to us, the security professionals, to have a thorough understanding of the Shared Responsibility Model and what it means for our own companies as so many continue to adopt hybrid and full cloud operating models.