Enterprises actively adopt new digital technologies to rethink their operations. The top three cloud giants—Amazon Web Services (AWS), Microsoft Azure, and Google Cloud—continue to compete for dominance in the growing cloud market. This growth demonstrates that cloud services are effective and meet ongoing business demands for easily deployable, rapidly scalable computing and network resources.
However, cloud adoption also raises a set of security challenges and requires reconsidering traditional approaches to handling data and securing environments. Adopting the cloud, organizations often “lift and shift” their on-premise workloads and infrastructures with a little refactoring. However, it is impossible to migrate to the cloud by using only the legacy security tools. The cloud environment requires rethinking all security processes and developing new security approaches.
To ensure the security of cloud-based data, one must understand and follow a shared responsibility model. In short, this model means that the cloud provider is responsible for the cloud’s physical and network infrastructure (security of the cloud). The user is responsible for the security of their data, applications, and other assets (security in the cloud).
Let’s dig deeper into the cloud shared responsibility model to understand who is responsible for what in the cloud.
Common misconceptions regarding cloud security
All cloud providers offer the same level of security
Not all cloud providers are created equally when it comes to security. Each provider offers different security features, settings, and controls. For example, Google Cloud encrypts data storage by default, while AWS requires customers to explicitly configure the encryption. Another example is Identity and Access Management (IAM). AWS holds a robust IAM system allowing granular control over user permissions and roles, with support for IAM and integration with SAML for single sign-on (SSO). Google Cloud, in contrast, provides IAM with a focus on simplicity, offering basic roles, predefined roles, and custom roles, but it does not offer as many granular controls as AWS.
In addition, different cloud providers may have different security and compliance certifications. Most modern cloud service providers hold a wide range of compliance certifications, including ISO 27001, SOC 1/2, and HIPAA, making them a preferred choice for industries with strict compliance requirements. However, it is still necessary to review the certification to ensure your cloud service providers are certified, as some may lack industry-specific certifications.
“Set it and forget it” myth
Businesses that adopt cloud services should not only have sufficient expertise for their initial cloud setup but also for the ongoing management process. Unfortunately, it rarely occurs in practice. Many organizations believe that once service settings are configured, the ongoing maintenance will require less attention. This assumption is one of the most common reasons why companies have difficulties with ensuring security for their cloud-based data.
As part of the initial cloud service adoption, organizations must define key configurations and maintenance processes for the service. This would help avoid cloud misconfiguration, unsanctioned data access, and exfiltration. Among other things, organizations should define specific security requirements, such as complexity and rotation of credentials, privilege settings for users and administrators, users’ access to applications, administrators’ hierarchy, etc. Although organizations should regularly check for the state of these configurations, they often drift away from them to focus on supporting the overall business. Some enterprises defer configuration checks to audits.
Cloud security is only the provider’s responsibility
A key misconception regarding the cloud shared responsibility model is the belief that the cloud provider is fully responsible for all aspects of security. Many organizations assume that once they move their data and applications to the cloud, the cloud provider will handle all security-related tasks, including data protection, access management, and compliance.
In reality, the cloud shared responsibility model divides security duties between the cloud provider and the customer. While the provider secures the cloud infrastructure, including the physical data centers, networks, and hardware, the customer is responsible for securing their own data, applications, user access, and configurations within the cloud. Neglecting the customer’s role in this model can lead to vulnerabilities, such as misconfigurations, weak access controls, and unpatched software, making the organization susceptible to cyber threats.
Cloud shared responsibility model explained
The above challenges and misconceptions support the idea that security is one of the greatest concerns of the cloud environment. So both cloud providers and their customers should properly bear their burden and ensure security in the cloud. A shared responsibility model was articulated to define the boundaries of responsibility for securing data in the cloud.
The shared responsibility model outlines the provider’s responsibility for maintaining a secure and continuously available service and the organization’s duty to ensure secure use of the service. There are two main approaches for defining the shared responsibility model in the cloud security context:
- security OF the cloud vs. security IN the cloud
- boundaries of responsibility
These approaches demonstrate the best practices of top cloud service providers such as AWS, Microsoft Azure, Google Cloud, and IBM Cloud. Let’s see these approaches in more detail.
Security OF the cloud vs. security IN the cloud
The first approach conveys how the cloud provider is responsible for managing the security of the cloud, while the customer is responsible for securing what is in the cloud. Such differentiation of the shared responsibility model pertains to AWS and includes the following:
- To maintain the Security of the Cloud, cloud providers are responsible for protecting the infrastructure that runs services offered in the cloud. This infrastructure involves software, hardware, networking, and facilities.
- Security in the Cloud is the organization’s responsibility, which is determined by the services that the organization selects. This, in turn, defines the amount of configuration work that must be performed. Configuration usually involves security controls for the guest operating system (including updates and security patches), application software or utilities installed by the customer, as well as network security management tools provided by the cloud vendor.
Responsibility models typically provide a list of control types based on how control responsibility is assigned.
- Inherited controls – physical and environmental controls that the organization inherits from its cloud provider.
- Shared controls – the cloud provider and the customer are responsible for certain aspects of the control. Examples of shared controls may include configuration management, patch management, training & awareness.
- Customer-specific – controls in which customers have full implementation and management responsibility. For instance, organizations are responsible for managing access and protecting external communications.
Boundaries of responsibility: SaaS, IaaS, and PaaS
The second common approach to the shared responsibility model is based on the boundaries of responsibility. Namely, responsibility shifts depending on the level of the cloud deployment between the platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS). This approach is commonly used by Microsoft Azure, Google Cloud, and IBM Cloud:
- In an IaaS, the provider is responsible for the physical layers and shares responsibility with the customer for the security of the host infrastructure and network. All the rest is the customer’s responsibility.
- In a PaaS, the provider also takes full responsibility for host infrastructure and network security, but it also shares responsibility with the customer at the application and access control levels.
- In a SaaS, the provider takes full responsibility for application controls while sharing responsibility with the customer for access control as well as client/endpoint protection.
Limitations of the cloud shared responsibility model
While the cloud shared responsibility model brings clarity into the critical security responsibilities within the cloud environments, there are some critical areas where it falls short. Some specific ways that the shared responsibility model can break down include:
Lack of technical expertise on the customer side
First, there is often a lack of technical expertise on the customer side. When a model shifts critical responsibilities onto customers who may not have the capacity to manage them, it can be problematic. Overworked IT departments and a shortage of cloud security skills could leave some customers unable to fulfill their security obligations. This scenario risks leading to costly cybersecurity breaches and could damage the trust between the customer and the cloud service provider.
There are always more than two parties involved
Second, there are always more than two parties involved in the shared responsibility model. A cloud environment encompasses more than just the customer and the cloud service provider. When third-party service providers are involved, the lines of responsibility can become significantly more complex. The traditional shared responsibility model falls short of providing clear guidelines for the complex cloud configurations many organizations manage.
Misconfiguration issues
A common mistake in the shared responsibility model is using default settings and configurations for cloud services or applications without changing or reviewing them. Default settings and configurations can be problematic for several reasons. They can enable unwanted features that consume resources or disable important security services. They can also leave some options open or unclear, resulting in confusion or inconsistency.
The shared fate model
The next stage of the evolution beyond traditional shared responsibility for cloud security is Google's shared fate, a collaborative model for handling cloud risks. Under the shared fate model, the Google Cloud takes a much more proactive role, including providing guidance at the deployment stage as well as recommendations and tools to ensure ongoing security. Shared fate sees the cloud provider accepting the reality of where shared responsibility breaks down and steps up to close the gaps.
Secure-by-default infrastructure, security foundations, and secure blueprints are elements of the shared fate model that take some of the security burdens off of customers' teams. In complex cloud environments involving multiple stakeholders, the model provides guides for how workflows and responsibilities should be arranged rather than leaving it up to the customer to figure it out alone. Shared fate places a greater emphasis on cyber insurance, a crucial aspect of responsible security that is there to help a cloud customer in the case of a cyber incident.
Understanding the key points of the shared responsibility model is essential while moving to the cloud. Cloud providers offer substantial advantages for ensuring security and compliance, but these advantages do not absolve organizations from protecting their applications and services.
The best ways to improve cloud security
Customers’ data and other sensitive information are the most important assets. And the worst is to think that data privacy and security are the cloud provider’s responsibility. SaaS does provide physical security, host infrastructure, network, and application-level controls of the solution. However, the responsibility for access controls and other security configurations, such as back-ups, often lies with the customer.
We are not questioning the reliability of the SaaS providers. However, even though SaaS companies do their best to ensure they are part of cloud security, they can’t guarantee security when it comes to user-driven controls. They are also powerless when customer data leaves the cloud to interact with other systems or when the user’s cloud credentials get compromised.
So, consider the primary actions YOU can take to ensure your part of cloud security responsibility.
Use multi-factor authentication
Your business’s cloud-based assets are as vulnerable as your employees’ credentials. Stolen credentials are one of the most common ways hackers access cloud-hosted data. With stolen or guessed user credentials, hackers can log into applications and services that businesses use.
First, better protect all your cloud-based accounts with multi-factor authentication (MFA), which is not typically enabled by default. With MFA, you would ensure that only authorized personnel can access sensitive data. It is one of the cheapest security controls that requires users to provide at least two verification factors to access a resource. These include at least two of the following: knowledge (password or PIN), possession (e.g., hardware MFA tokens, smartphones), and inherence (fingerprints or voice recognition).
The most frequently used are one-time 4 to 8-digit passcodes, generated at every authentication request and received via email, SMS, or a mobile app.
Manage your user access
Are you sure your employees need access to those specific applications or data? Providing excessive access to an account puts more at stake if that account is compromised.
Managing access is challenging, especially if you are a large organization. Grinding and maintaining proper data access can be messy with many existing accounts and the conveyor of new hires, promotions, relocations, etc.
However, we are here not to look for excuses. We gathered to make results. Despite the complexity of the task, employees’ roles should be defined based on their job needs. The best way to do it is to think of roles as labels attached to an identifiable access pattern.
Setting proper authorization levels is your business’s responsibility. It ensures that your employees can only access the data necessary to do their job. Assigning access controls reduces opportunities for hackers. Furthermore, many regulations and standards, such as HIPAA, PCI DSS, and ISO 27001, require strong access controls.
Protect against ex-employees
Are your former employees still having accounts on SaaS applications used by the business? Stop it immediately. At least one in four ex-employees is left with access to critical data, and 20% of organizations say they have experienced data breaches by former employees.
Workforce members typically have access to several applications and systems. Businesses must ensure that all accounts for departing employees are revoked as soon as possible. Also, conduct periodic access reviews to identify what information users can access so that any excessive access can be adjusted when necessary.
Train your employees
As we mentioned, hackers often gain access to secured information by stealing users' login credentials. Social engineering techniques such as phishing, spoofing, and piggybacking come in handy. Whether you maintain your part of the responsibility for cloud security, the human factor still remains one of your most significant weaknesses.
Cybersecurity awareness training plays a critical role in reducing cybersecurity threats, including phishing and social engineering. Key training topics typically include password management, privacy, email security, Internet security, and physical and office security.
Consider cloud backup solutions
Imagine a situation when a hacker obtains the account password of one of your employees and corrupts data in the cloud. Or visualize a case when the employee cleans out his inbox and folders. Compromising data availability is a serious oversight that negatively impacts an organization’s reputation and compliance.
Most cloud service providers can provide you with the possibility to store data. However, no one can ensure timeless storage. You are responsible for checking with your cloud provider the conditions and timeframes of data back-ups. Make sure to discuss back-ups with your SaaS providers.
Review cloud application audit logs for suspicious activities
Review cloud application audit logs for suspicious activities. SaaS solutions should write the logs that record administrative activities and access within your cloud resources. In short, the logs help you answer "who did what, where, and when?" within your system.
Reviewing cloud application audit logs for suspicious activity helps you monitor your cloud-based data and systems for potential threats, such as data misuse, password-guessing attacks, and other threats.
Entrusting part of the responsibility to a trusted partner
There is always much to be done to make your cloud-based assets more secure. Many businesses can’t manage this internally due to different reasons, such as a lack of resources, time, or skills.
Planet 9 team can take your part of the shared responsibility. Our cloud security experts will assess your cloud infrastructure and provide recommendations for addressing identified security and compliance gaps. Depending on the client’s internal resources, expertise, and availability, Planet 9 can perform all the remediation work, position the client to execute remediation on its own, or supplement the client’s team.
Planet 9 has experience in ensuring the security of cloud services, be it IaaS, PaaS, or SaaS. Our cloud security experts will assess your cloud management accounts and infrastructure and provide recommendations for addressing identified security and compliance gaps. Depending on the client’s internal resources, expertise, and availability, Planet 9 can perform all the remediation work, position the client to execute remediation on its own, or supplement the client’s team.
