Who Keeps Your Cloud Infrastructure Secure? Understanding the Shared Responsibility Model

Over time, more organisations have moved their infrastructure from physical on-premises systems to the cloud. This brings many benefits, including cost savings and increased scalability and reliability. However, it also introduces new security challenges and complexities, so understanding where your organisation’s security responsibilities end and the cloud service provider’s begin is critical.

What is a shared responsibility model?

The shared responsibility model outlines the security responsibilities that are held by both the cloud service provider and their customers.

The balance of this responsibility depends on the type of service and the provider. For example, the provider will almost always be responsible for the physical security of the infrastructure, but identity and access controls will always place at least some responsibility on the customer.

Other areas where the customer typically retains some responsibility include:

  • Configuring chosen services: This includes selecting the appropriate settings, features, and integrations based on your specific needs and requirements.
  • Ensuring that the service meets your requirements: This involves implementing security measures such as strong passwords, encryption, and regular security audits to protect your data and prevent unauthorised access.
  • Choosing the data that’s stored in the service you use: This means carefully evaluating the type of data you need to store in the service and taking steps to ensure that it is protected and managed securely.

Types of cloud services

Within cloud infrastructure there are three distinct types of cloud service, each requiring a different balance of security responsibility between the cloud provider and the customer:

  • Infrastructure as a Service: IaaS allows you to access computing resources like servers or networking. While the provider maintains the physical hardware, you’re responsible for managing the operating systems, applications, and configurations running on that infrastructure.
  • Platform as a Service: PaaS provides a platform for developing, testing, and deploying applications without managing the underlying infrastructure. The provider handles operating systems, middleware, and infrastructure while you focus on your application code and data.
  • Software as a Service: SaaS offers fully-developed software applications delivered over the internet. The provider manages all aspects of the application including infrastructure, maintenance, and updates, while users simply access the service through a web browser or client application.

It’s crucial to understand which kind of model you are using so that you know which responsibilities are yours. Below is a table created by the National Cyber Security Centre (NCSC) which conveys the typical responsibilities well.


Source: https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model

As you move from IaaS to SaaS, the cloud provider takes on more responsibility. However, the customer always retains some security responsibility, and every cloud provider operates differently.

To determine your exact level of responsibility, consult the documentation your cloud provider publishes on the subject. We’ve copied links to the most common providers below.

Why does it matter?

Failing to understand where the responsibilities lie can lead to certain security controls being neglected, which can result in significant security issues, data breaches and compliance violations. For example, in 2019, 100 million credit applications were stolen from Capital One in a data breach caused by a misconfigured AWS S3 storage bucket which could be accessed without authentication.

By clearly understanding the security responsibility boundaries between the provider and the customer, an organisation can better identify what actions need to be taken and what needs to be monitored to secure its data. Understanding the shared responsibility model is also key to being compliant with the NCSC’s Cyber Essentials scheme.

Additional Security Best Practices

Understanding the shared responsibility model is only the first step. Below are key practices that organisations should implement to strengthen the security of their cloud environments.

  • Least privilege: Only grant users and services the minimum permissions needed to perform their responsibilities. Regularly review the permissions to ensure they remain appropriate and remove unnecessary rights when identified. This helps to prevent unauthorised access and limit the impact of a successful cyber-attack.
  • Logging and monitoring: Set up logging wherever possible and regularly review the logs for suspicious activity. Configure alerts for unusual behaviour or security incidents. Most cloud providers offer built-in logging and alerting, which can be tailored to your needs.
  • Secure configurations: Review your cloud configurations against security benchmarks like the Center for Internet Security (CIS) Benchmarks. These provide industry-standard guidelines for securing cloud environments across different providers. Use infrastructure as code to ensure configurations remain consistent and can be version controlled, making it easier to track changes and maintain security standards.
  • Encryption: Implement encryption for both data in transit and at rest. Understand your responsibilities around encryption key management and maintain a clear process for key rotation. Ensure you’re using appropriate encryption methods for different types of sensitive data.
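The least-privilege and secure-configuration points above, and the unauthenticated S3 bucket mentioned earlier, all come down to what an access policy document actually grants. The following is an added example, not code from the original post or from Predatech: a small linter over AWS-style policy JSON that flags anonymous principals, wildcard actions and wildcard resources, which are the customer-side settings the provider will not fix for you. The sample policies are constructed (the bucket name, role name and account id 123456789012 are placeholders), and the finding names and the `lint_policy` function are this example's own; only the standard policy grammar (Statement, Effect, Principal, Action, Resource, Condition) is assumed.

```python
"""Lint IAM / S3 bucket policy documents for customer-side misconfigurations.

Added example: the policies below are constructed placeholders, not from any
real account.  Findings are ordered by severity: critical > high > medium.
"""

# Constructed: a bucket policy that lets anyone, authenticated or not, read objects.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                   "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-applications-bucket/*"}],
}

# Constructed: an identity policy that is "admin for S3" rather than least privilege.
OVERBROAD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminLike", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
}

# Constructed: the least-privilege shape, one action on one prefix of one bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadReports", "Effect": "Allow",
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-applications-bucket/reports/*"}],
}

# Constructed: the public bucket policy hardened to a single named role (placeholder ARN).
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RoleReadOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportsReader"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-applications-bucket/*"}],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """A Principal of "*" or {"AWS": "*"} grants access to anyone, unauthenticated included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy: dict) -> list[dict]:
    """Return findings for every Allow statement; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access, so they are skipped
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if _is_anonymous(stmt.get("Principal")):
            # A Condition (e.g. restricting the source VPC endpoint) narrows the grant,
            # so it is downgraded to high, but anonymous access still deserves review.
            severity = "high" if stmt.get("Condition") else "critical"
            findings.append({"sid": sid, "severity": severity, "issue": "ANONYMOUS_PRINCIPAL"})

        # NotAction means "everything except these", which is almost never least privilege.
        if "NotAction" in stmt:
            findings.append({"sid": sid, "severity": "high", "issue": "NOT_ACTION_GRANT"})

        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions:
            findings.append({"sid": sid, "severity": "high", "issue": "WILDCARD_ACTION",
                             "detail": wildcard_actions})

        if "*" in resources:
            findings.append({"sid": sid, "severity": "medium", "issue": "WILDCARD_RESOURCE"})
    return findings


def worst_severity(findings: list[dict]) -> str:
    """Collapse a finding list to its single worst severity ("none" when empty)."""
    rank = {"critical": 3, "high": 2, "medium": 1}
    return max((f["severity"] for f in findings), key=rank.get, default="none")


if __name__ == "__main__":
    samples = [("public bucket", PUBLIC_BUCKET_POLICY), ("overbroad role", OVERBROAD_ROLE_POLICY),
               ("least privilege", LEAST_PRIVILEGE_POLICY), ("hardened bucket", HARDENED_BUCKET_POLICY)]
    for name, policy in samples:
        found = lint_policy(policy)
        print(f"{name:16s} worst={worst_severity(found):8s} {found}")
```

Run against the four constructed policies, the public bucket is reported as critical, the overbroad role as high (wildcard action plus wildcard resource), and both the least-privilege and hardened policies come back clean. A check like this belongs in the infrastructure-as-code pipeline described above, so a policy that reintroduces an anonymous principal or an `s3:*` grant fails review before it reaches the account.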


Predatech is a cyber security consultancy that offers a range of services including CREST accredited penetration testing, Cyber Essentials/Cyber Essentials Plus assessments, ISO 27001 Certification Support, as well as Cloud Security Reviews. What makes us different? We combine expert cyber security with great customer service and value for money. If you’d like to better understand your security posture, and how to strengthen it, please contact us for a free consultation.
