By The Integrity360 Team on December 12, 2018

What's the cloud shared responsibility model and why is it important?

The cloud may seem like magic, but companies’ data protection obligations don’t go poof and disappear when it’s up and running.

Enterprises and cloud vendors like Amazon Web Services (AWS) and Microsoft’s Azure are each accountable for specific components of the digital infrastructure under the shared responsibility model.

It’s a well-accepted framework that designates exactly what businesses need to do to remain compliant with regulations like GDPR, HIPAA, NIST and ISO, among others. Here’s what you need to know about it.

What is the cloud shared responsibility model?

Cloud services are simple: Businesses rent space on servers hosted by third-party vendors and use it to manage their proprietary data and processes.

While it can vary based on the Service Level Agreement (SLA), the shared responsibility model generally follows that same architecture. Companies are responsible for securing what their employees do in the cloud and how they interact with it, while third-party vendors like AWS and Azure are held accountable for the security and upkeep of that infrastructure.

Enterprises are usually responsible for the following:

  • Data encryption and site-to-cloud user traffic
  • Policies and tools for identity and access management
  • Configuration of the storage container

An organisation’s obligations can change depending on the type of cloud service they’ve chosen. Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) all require more or less of vendors’ and customers’ time and resources under the shared responsibility model.

IaaS service plans will closely mimic the burdens of on-premise servers, apart from the hardware upkeep. SaaS, on the other hand, shifts most of the accountability to cloud providers besides data security, which is always held by the customer.

Ultimately, this amounts to companies assuming full legal responsibility surrounding their sensitive data – the same as they would with on-premise servers.

On the other hand, organisations are able to devote their full energy to ensuring that data is protected given that AWS and Azure are obligated to safeguard the integrity of the infrastructure.

Why is the shared responsibility model important?

We’re quickly heading towards a world where data lives solely off-premise. In fact, it’s estimated that nearly 83 percent of corporate workloads will reside in the cloud by 2020, according to a survey from LogicMonitor.

Businesses are earnestly buying into the value of cloud computing and the enthusiasm surrounding it is rightly deserved. Whether it be a public, private or hybrid architecture, organisations are gaining unparalleled agility for IT services and it’s allowing them to stay competitive in industries that are notoriously difficult to succeed in.

Along the way to digital transformation, many businesses have forgotten that they still have the responsibility to protect data that’s stored off-site. The absentmindedness leads to storage components that are either vulnerable to cyber-attacks or publicly accessible to anyone who spends the time to find them.

The problem isn’t about a lack of resources being devoted to cyber security; roughly one out of every five of the world’s largest companies have a cloud storage container that was publicly detectable, according to a study by High-Tech Bridge.

Instead, the issue lies in the fact that many companies only try to achieve the bare minimum in their cloud migration strategies. While basic protections can offer some type of security, it can often turn out to be a false sense of security.

Opting to apply basic rather than essential security controls is one reason why roughly half of all respondents to CyberArk’s Global Advanced Threat Landscape Report 2018 believe their organisations’ data is vulnerable to an attack. Forty-two percent believe that storing data on the cloud is the No. 1 cyber-threat to their enterprise.

Data security in the cloud isn’t a myth. The companies that are accomplishing it will attribute their success to following security best practices and complying with the shared responsibility model.

How your company can comply with the shared responsibility model

AWS and Azure provide businesses with valuable tools to protect their infrastructure, but they won’t hold customers’ hands while those tools are implemented. Half the battle of protecting data in the cloud is simply understanding which security controls are most effective and how to best implement them across the architecture.

It’s a reason why cloud readiness assessments and cloud security assessments have become vital components of any cloud migration strategy. The former helps guide a business through integration and implementation to ensure that best practices are in place before anything goes live. The latter plays an essential role in establishing an ongoing maintenance routine to alter configurations based on the latest developments in the industry.

In both cases, leveraging the experience of cloud consultants can enable organisations to get the most out of the tools that are available to them. Running diagnostics on cloud storage that is critical to daily operations and must comply with various regulations will help a business fulfil its part of the shared responsibility model.

Interested in learning more about your enterprise’s obligations under the shared responsibility model? Contact an Integrity360 representative today to learn more.
