
What is the Cloud Shared Responsibility Model? Understanding cloud data security

Updated: Apr 16, 2024

If you’re using or considering a cloud-based service, you’ll already know that the data is no longer stored or running on a local piece of IT infrastructure, such as a server in the office or on someone’s personal computer.

The simple truth is you don’t know exactly where it is at any point in time, as it will be running on the provider’s equipment, somewhere out there in the vastness of the internet.

It’s a common misconception that when you move data or an application to the cloud, the service providers are solely responsible for security. While they have some responsibility, security is effectively a shared effort, and the split can vary depending on which cloud services are being used. As such, it’s important to understand exactly where the security responsibilities lie between the cloud service providers and us, the customers, to keep our data protected and secure. Enter the Cloud Shared Responsibility Model.

Let’s dig a little deeper into this model to understand what it means for your cloud data security. 


Understanding the Cloud Shared Responsibility Model 


The Cloud Shared Responsibility Model clearly defines who is responsible for securing various aspects of data and infrastructure in the cloud environment. The specifics may vary depending on the cloud service provider, but at a high level, the model will typically divide responsibilities into two main categories. 


Service Provider Responsibilities 


Infrastructure and Physical Security: 

The cloud providers are responsible for securing, updating and maintaining the underlying IT infrastructure, including the physical data centres and IT hardware such as network and server equipment. This is one reason many companies use cloud-based services.

 

Platform Security: 

They also manage the general security of the cloud platform itself, including the underlying virtualisation layer and the web portals that are used to access it.

 

Global Compliance: 

Cloud providers adhere to industry standards to ensure compliance with regulations governing data protection and privacy. These can vary between regions of the world to accommodate local laws. 


Customer Responsibilities 


Data Protection: 

Whether you’re using a full cloud software service like Microsoft 365 or Gmail or have a custom in-house application deployed on a virtual server in the cloud, it’s critical to know that we, the customer, are ALWAYS responsible for the data, including any data classification. 

 

Identity and Access Management (IAM): 

Managing user access, accounts and permissions is the responsibility of the customer, though some cloud offerings may treat these as a shared responsibility. Typically, these are managed by the customer, but the provider makes tools available to enable this.

 

Device Security and Endpoints: 

The security of devices that access cloud services, such as smartphones and PCs, is managed by the customer, though some service providers have tools to help manage these effectively.

 

Responsibilities and Type of Cloud Service 

The responsibilities vary depending on whether you’re using Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) cloud services. Typically, as you move through these levels, the service provider takes on more responsibility.


If you’re not sure what these services are and want to know more, please get in touch.

We are currently updating our Comparison Article, which will be added soon.

 

As a high-level example:

[Infographic: the shared responsibility model in cloud services, showing a shift in responsibility from customer to provider across different service models.]

Why Does the Cloud Shared Responsibility Model Matter? 


The model clarifies accountability by defining who is responsible for various aspects of data security. It helps businesses and individuals understand where any gaps may lie in security coverage, including skills, policies and procedures. It also allows customers to assess and manage risks much more effectively, as they understand their specific security obligations. It also promotes compliance, as it is a shared responsibility between the provider and its customers.

 

 

Best Practices for Navigating the Cloud Shared Responsibility Model 


Be sure to understand the model for any cloud service you are using, whether it be Microsoft 365/Azure, Amazon Web Services, Google Cloud or others. Each of these will have a website packed full of information dedicated to this topic. You also want to educate key people in your business, including business leaders and any IT and development teams, so they understand their respective security responsibilities. As always, you’ll want to regularly review your security posture and the Cloud Shared Responsibility Models as they adapt and change over time. Use the model as a framework for safeguarding your digital assets in the cloud.


As a final note, always remember that while cloud providers play a crucial role, protecting your data in the cloud ultimately remains your responsibility.   

 
 
 
