Get startedGet started for free

The shared responsibility model

1. The shared responsibility model

The cloud offers many capabilities for securing resources. This gives security professionals the exciting opportunity to protect assets in a variety of ways. In this video, you’ll learn about the shared responsibility model, and how customers and cloud service providers, or CSPs, work together to protect the cloud and a business’s assets. A customer is an organization or user who pays a cloud service provider to host and run their cloud resources. Before diving deeper into shared responsibility, let’s examine the difference between on-premises and cloud responsibilities. In a traditional on-premises model, a business owns their own data center and servers. The business is responsible for securing their services against threats. However, if that business decides to use a CSP to run or store their resources in the cloud, then the CSP takes responsibility for some of the security of those assets. The amount of CSP involvement depends on several factors. Let’s explore these responsibilities further. The shared responsibility model is the implicit and explicit agreement between the customer and the cloud service provider, or CSP, regarding the shared accountability for security controls. In the shared responsibility model, the CSP is like a gymnasium. The gym provides the building and equipment, and ensures the equipment works properly. The customer is responsible for using the equipment safely and maintaining their own personal fitness goals. Before the customer starts using the gym, they sign a contract where they agree to use the equipment appropriately. Shared responsibility works in a similar way, where the customer and CSP agree on who is responsible for securing what resources. One way to think about shared responsibility is considering security of the cloud versus security in the cloud. Here are some common CSP responsibilities. The CSP must maintain physical infrastructure like servers and data centers. Additionally, CSPs need to ensure network and resource availability. These responsibilities provide the security of the cloud. The customer is responsible for configuring their services to meet their specific security and compliance requirements. The customer is also responsible for securing their data. Organizations have to consider the security requirements of the people using their apps and resources. In these cases, the focus is to secure data in the cloud. For example, imagine a customer uses a CSP’s network and wants to incorporate network controls. The CSP provides the network and firewall service, and is responsible for their maintenance and updates. The customer is responsible for configuring the firewall, monitoring traffic, and responding to incidents. CSPs usually provide each customer with a service-level agreement, or SLA, that quantifies the availability of services. For example, a service may offer an SLA of 99.99%, where that service must be accessible and available for the user 99.99% of the time. In the network example, the SLA outlines the customer’s terms for network controls, which eliminates guesswork for who is responsible for what. Although the customer and CSP are securing different aspects of the network, both parties work together to achieve better security. The customer’s workload and level of service —meaning infrastructure, platform, or software as a service— dictates how much responsibility the CSP assumes. The more the CSP manages, the more they are accountable for security. Responsibility levels also vary by industry type and regulatory frameworks. Within these frameworks, the customer should know the security controls they’re responsible for, what controls the CSP provides, and default inherited controls. Inherited security controls demonstrate security posture to auditors. The proper use of security controls is important, especially if a business must comply with specific regulations or other government and industry requirements. A business's location also impacts how they apply shared responsibility. Different countries may have different types of regulations and requirements for their data. In this video, you learned that implementing shared responsibility can come in many different forms. CSP customers have lots to consider, including the type of workload, industry, and location. Understanding how to manage these considerations will create a strong relationship with a CSP.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.