Cloud Security and the Shared Responsibility Model

Exploring Cloud Security and the Shared Responsibility Model: Navigating the iceberg that poses a threat to your digital transformation journey

Published Dec 7, 2023
🚀 2018 marked a milestone for cloud services, which surpassed server sales revenue for the first time in history. Analysts predict a significant shift, with companies relocating 60% of server workloads to the Public Cloud by year-end. This year is seen as the turning point, as cloud services 'crossed the chasm' from early adoption to the early majority phase. We made it!
Now that we're here, let's dive into the nitty-gritty and talk security. Amid the global rush to the cloud, daily conversations remind me: most companies lack an understanding of cloud security. A common concern from C-suite teams embarking on digital transformation journeys is the perception that "the cloud isn't as secure as our on-premise infrastructure." The reality is that your company shoulders most of the responsibility for your cloud infrastructure security, not the cloud service provider. If this is new to you, let me introduce you to the Shared Responsibility Model.
As companies worldwide sprint to the cloud, daily conversations underscore a common theme: many companies lack an understanding of cloud security... [t]he truth is that the security of your cloud infrastructure lies mostly on the shoulders of your company and not the cloud service provider.
Shared Responsibility Model
The shared responsibility model is nearly identical across the service provider landscape. To simplify, there are two distinct cloud security roles and responsibilities:
  1. Security 'OF' the Cloud (CSPs)
  2. Security 'IN' the Cloud (Your Company)
Microsoft, Amazon, Google, Oracle, etc., are responsible for the security 'OF' the cloud, limited to physical data centre security and infrastructure (CPU, Storage, Network). Your responsibility as a consumer is the security 'IN' the cloud, which encompasses most of the work. Visualize this dichotomy as an iceberg, with the customer bearing the majority of responsibility beneath the surface, while the CSP's role is the smaller portion floating above the ocean's surface.
💡 Let's name-drop a few recent cloud security breaches: Equifax, Sony, Uber. These global headlines were incidents where customers fell short in fulfilling their security responsibilities 'IN' the cloud. Even though the IaaS workloads were hosted in Azure and AWS for these incidents, Amazon and Microsoft were rarely named or held responsible. Here's a truth bomb: Companies with information security issues in the cloud likely have them outside of the cloud too. If your IT service provider claims the cloud isn't as secure as your on-premise servers, it's high time for a third-party audit.
Know Your Role!
The customer's scope in the shared responsibility model is significant. Evaluate internal capabilities critically. Determine if these are duties your organization can honestly handle in-house. Whether you're into multi-cloud or a single vendor solution, customer responsibilities for security include (but may not be limited to) these roles:
1. Customer Data (Storage, Security & Protection)
2. Identity Management & Access Control
3. Platform, Application & OS Level Security
4. Network Traffic Routing & Management
5. Network Traffic Protection (Private Connectivity, Encryption, Integrity, Identity)
6. Network & Firewall Configuration (Cloud, Hybrid & On-Prem)
7. Client-Side Security (Data Encryption, Integrity & Authentication)
8. Server-Side Security (Encryption: Filesystem and/or Data)
To bolster IT bench depth, Canadian enterprises are turning to cloud integration partners like Sourced Group, Scalar, Pythian, and Arctiq for cloud security and digital transformation expertise. The IT service industry is in a transformational phase, with cloud service adoption fueling the growth of the IT service outsourcing market. The cloud integration service provider market is already consolidating. Legacy-managed IT service providers and internal IT resources may not be prime sources for the experience or technical depth needed for cutting-edge digital transformation initiatives. Consider funding retraining initiatives for internal IT resources and stay vigilant in evaluating whether your managed IT service providers are making those investments themselves.
Whether your company is gearing up for a digital transformation or has been in the cloud for a while, a routine check-up never hurts. Have an open discussion with your team about the shared responsibility model. With the bulk of the work on your shoulders, it's crucial to know your role in keeping your cloud secure. In the immortal words of the Notorious B.I.G.: 'And if you don't know, now you know.' 🚀🔒 #CloudSecurity #DigitalTransformation
Detailed source: https://lnkd.in/daN4b48
Credit: Daniel