A shared responsibility model is a cloud security and risk framework that delineates which cybersecurity processes and responsibilities lie with a cloud service provider (CSP) and which lie with the customer. With more IT architectures moving to the cloud, a shared responsibility model promotes tighter security and establishes accountability as it relates to the security of the cloud.
In an on-premises data center environment, security responsibility rests solely with the owner. Accountability for maintaining security controls, patching, and physical infrastructure falls to the organization’s security team (or other responsible party, such as IT), never the hardware vendor(s). However, when portions of a network use or are composed of private or public cloud services, some security responsibilities fall to the CSP.
This is where a shared responsibility model comes in, outlining precisely which security duties, data states, locations, and so on are in the CSP’s domain and which are in the customer’s. Microsoft Azure, Google Cloud, Amazon Web Services (AWS), and other CSPs each have their own model, tailored to their specific offerings.
How Shared Responsibility Models Work
Most shared responsibility models hold you, the customer, responsible for anything under your direct control: data, credentials, and configurations, as well as any functionality that sits outside the CSP’s cloud resources, such as your organization’s firewalls and other internal network security.
A lack of clarity around responsibilities can contribute to misconfigurations that weaken your security posture and ultimately cause cloud security failures, so it’s critical that you understand where your organization’s security duties lie in relation to your providers’.
Different Types of Shared Responsibility Models
How responsibility is divided depends on the type of cloud service you’re using. You’ll always be responsible for securing your data, devices, accounts, and access management. Likewise, CSPs will always be responsible for securing the physical infrastructure—their hosts, data centers, and networks. Let’s look at where other differences come into play:
Software as a service (SaaS): The CSP assumes security responsibility for the operating systems, network controls, and applications that make up the service, as well as data generated in the service. Responsibility varies for identity and directory infrastructure.
Platform as a service (PaaS): Here, the onus is generally less on the cloud vendor, with the security responsibility for network controls, apps, and ID/directory infrastructure varying from one service to the next. However, they’re still responsible for the operating system.
Infrastructure as a service (IaaS): CSPs assume the least responsibility here, with the burden solely on the customer to secure everything except for the CSP’s physical infrastructure. The customer handles all OS and application patching as well as network controls.
Advantages of a Shared Responsibility Model
In itself, the reduced customer responsibility of a cloud service is a major benefit when compared to the total liability you take on with your private on-premises infrastructure, but there’s more to be had. Sharing cloud security responsibility with a service provider also lets you take advantage of:
Lower costs: Simply put, leveraging a provider’s security and infrastructure means less management on your end, which spares you the cost of additional resources that could stretch your budget.
Improved cybersecurity: Clearly delineating security responsibilities in cloud infrastructure reduces the risk of mistakes that lead to vulnerabilities and data breaches.
Reduced operational burden: The more security responsibility your CSP takes on, the more time your team will have to focus on other priorities.
Challenges of Shared Responsibility
Adopting the cloud and sharing responsibility has plenty of advantages, but there are still certain potential challenges to consider.
Compliance and Ultimate Responsibility
First and foremost, you need to be able to trust your provider with your data. Your organization’s data security policies, be they internal rules or external regulations, carry a lot of influence here. If you’re selecting a provider, make sure you understand what you’re agreeing to. In many cases, your organization will still ultimately be culpable if those rules or regulations are violated in a data breach.
Understanding and Adapting
To keep up your end of the security bargain, you need to understand exactly where your responsibilities end and the CSP’s begin. Your personnel also need to know how to use the CSP’s tools and navigate their controls to avoid introducing vulnerabilities. Beyond that, you need to be able to adapt when architectures and systems change—like when new integrations are introduced—so you and your workloads stay secure.
Shared Responsibility Best Practices
The best practices specific to a given responsibility model come down to your unique needs and the provider’s offering, but there are some general practices to keep in mind in any shared security responsibility situation:
Prioritize data security and your other responsibilities. Since you’re responsible for securing your data, endpoint devices, user credentials, and access management no matter which type of cloud service you’re using, make it a priority to meet those obligations. This extends to outlining duties and responsibilities within your own organization.
Know what you’ve agreed to and be ready to respond to changes. A provider’s service-level agreement (SLA) will precisely lay out both their responsibilities and yours. However, SLAs are rarely written in stone, so it’s important to keep an eye out for updates a CSP may make to its SLA and act accordingly if they affect your cloud environment.
Use modern security and visibility tools. Managing security in a cloud environment can get extremely complicated given the sheer number of resources, permission levels, APIs, potential attack vectors, and so on. Make sure you’re staying up to date on the latest innovations in security operations and threat hunting capabilities and how you could adopt them.
How Can Your Organization Stay Secure in the Cloud?
The cloud is where modern business lives. Few would debate that. What’s equally undeniable, though, is that using cloud services opens up your users, endpoints, and data to new risks. A crucial piece of protecting yourself from those risks is ensuring you completely understand your security responsibilities.
That’s only one piece, however. Holding up your responsibilities can be a daunting proposition when you’re dealing with third-party partners, multiple supply chains, and the growing risks of ransomware, phishing, and other advanced attacks that target your endpoints, credentials, and data. These facets of your security will always fall to you, and with so many possible avenues for attacks and data loss, it’s paramount that you choose the right security partners.
Secure Your Digital Transformation with Zscaler
Zscaler can help you take advantage of all the cloud has to offer—flexibility, scale, reach, ease of use, and more—securely.
Posture Control by Zscaler is a unified, high-performance, cloud native platform built from the ground up to prioritize infrastructure and application security risks in distributed clouds and across the development and DevOps lifecycles, helping you:
Maintain comprehensive CSPM controls across cloud infrastructure, resources, data, and identities.