Have you ever been working on a project and missed a deadline or deliverable simply because there was a miscommunication about who would take the lead on getting it done? Divvying up responsibilities can be efficient and effective, but only when both parties have a complete understanding of what they are responsible for. The same principle applies to your cloud environment.
Utilizing a public cloud service provider (CSP), such as Microsoft, Google, or AWS, does not mean that these CSPs are taking full responsibility for the security of your cloud. The Shared Responsibility Model is employed by service providers to define what falls under the purview of the CSP vs. what the business utilizing their services is responsible for. The distribution of responsibility will depend on the service you have selected. If you opt for Software as a Service (SaaS), the CSP will be responsible for more of the operating system, network controls, and applications. If you choose Infrastructure as a Service (IaaS), all you’re receiving from the CSP is security for the infrastructure required to run the cloud, such as the physical data center and network.
Each CSP defines its shared responsibility slightly differently. To fully understand what you are responsible for, you should pay close attention to your service-level agreement. At a minimum, you can think of CSPs as being responsible for the security of the cloud while you are responsible for security in the cloud. Even with a SaaS offering, you as the cloud user are responsible for the security of your own data, devices, and identity and access management. Additionally, keep in mind that if you are utilizing a hybrid cloud environment, you are responsible for everything outside the public cloud portion, including ensuring that data is secure while moving between the two environments.
Data Compliance in the Shared Responsibility Model
The shared responsibility model can also be applied to who is responsible for consumer data complying with key privacy laws such as GDPR. Business leaders who are new to the cloud may assume that it is up to the cloud service provider to ensure that their data meets compliance requirements, but that is not the case. Cloud service providers specify that they are, once again, responsible for the security of the cloud, while the cloud consumer is responsible for security in the cloud.
CSPs must make sure that their infrastructure is in compliance. They’ll provide documentation of compliance certificates and audit reports demonstrating the compliance of their services. They also offer various resources to assist you as the consumer in your own compliance, such as AWS’s CloudTrail, which can be used to assist in generating audit reports by monitoring and recording account activity. At the end of the day, however, it is up to you to ensure that your data, networks, operating systems, etc., are compliant with any applicable industry or regional regulations.
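CloudTrail records the activity; turning that record into something an auditor can read is the consumer's side of the model. The following is an added example, not code from RH-ISAC or AWS: it reads a CloudTrail-style export (a JSON object with a "Records" list, the documented record layout with eventTime, eventSource, eventName, awsRegion, sourceIPAddress and userIdentity fields), then summarizes activity per principal and per service, lists the calls that changed something, and lists the regions in which calls were made. The records, account ID, user names and IP addresses are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample export (not real account data). Field names follow the
# CloudTrail record format; the account ID and TEST-NET addresses are placeholders.
SAMPLE_TRAIL = json.dumps({
    "Records": [
        {"eventVersion": "1.08", "eventTime": "2024-01-10T09:12:31Z",
         "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "requestParameters": {"bucketName": "customer-records"}},
        {"eventVersion": "1.08", "eventTime": "2024-01-10T09:15:02Z",
         "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "requestParameters": {"bucketName": "customer-records"}},
        {"eventVersion": "1.08", "eventTime": "2024-01-10T11:40:55Z",
         "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
         "requestParameters": {"userName": "svc-reporting"}},
        {"eventVersion": "1.08", "eventTime": "2024-01-10T12:01:17Z",
         "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
         "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}},
    ]
})

# API name prefixes that only read state; anything else is treated as a change.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def load_records(text):
    """Parse a CloudTrail export and return its list of event records."""
    return json.loads(text).get("Records", [])


def principal(record):
    """Best available name for the caller: IAM user name, else the ARN, else the type."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def is_read_only(record):
    """Prefer CloudTrail's own readOnly flag when present; fall back to the name prefix."""
    if "readOnly" in record:
        return bool(record["readOnly"])
    return record.get("eventName", "").startswith(READ_ONLY_PREFIXES)


def summarize(records):
    """Aggregate the counts an auditor asks for first: who, which service, what changed, where."""
    return {
        "total": len(records),
        "by_principal": dict(Counter(principal(r) for r in records)),
        "by_source": dict(Counter(r.get("eventSource", "unknown") for r in records)),
        "changes": [(r["eventTime"], principal(r), r["eventName"], r.get("sourceIPAddress"))
                    for r in records if not is_read_only(r)],
        "regions": sorted({r["awsRegion"] for r in records if r.get("awsRegion")}),
    }


def render_report(summary):
    """Plain-text audit report from a summary dictionary."""
    lines = [f"Total events: {summary['total']}", "", "Events per principal:"]
    lines += [f"  {name}: {count}" for name, count in sorted(summary["by_principal"].items())]
    lines += ["", "Events per service:"]
    lines += [f"  {src}: {count}" for src, count in sorted(summary["by_source"].items())]
    lines += ["", "State-changing calls:"]
    lines += [f"  {when}  {who}  {action}  from {ip}" for when, who, action, ip in summary["changes"]]
    lines += ["", "Regions with activity: " + ", ".join(summary["regions"])]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(summarize(load_records(SAMPLE_TRAIL))))
```

The regions list is the part that speaks to the residency question in the next paragraph: it tells you where API calls were made, which is only a starting point for knowing where data actually resides. Real exports are usually delivered to an S3 bucket as gzipped files in the same "Records" layout, so the same functions apply once the file is read and decompressed.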
One of the benefits of having a hybrid cloud/on-premises environment is the ability to store data either in a public cloud or in a private cloud/on-premises server, based on the security and compliance requirements of the data and the level of control you need over the data’s accessibility. Modern data privacy laws, such as GDPR and new U.S. state laws, require data holders to be able to easily access and delete data upon request from the consumer, which means it is essential for you to understand where specific data resides. This may be difficult if your hybrid cloud is not managed correctly, so having a proper data/information governance policy in place is essential.
California’s data privacy law, the California Consumer Privacy Act, and others such as the Virginia Consumer Data Protection Act specify that businesses must use “reasonable administrative, technical and physical data security practices to safeguard the confidentiality, integrity, and accessibility of personal data.” California’s law offers consumers the right to sue if businesses do not meet this security practice requirement. Under the shared responsibility model, it is most likely you, as the user of the cloud, who will be held responsible for a violation of these privacy laws, which places a heavy burden on companies to put data-protective security measures in place.
RH-ISAC members have access to exclusive resources to help implement hybrid cloud best practices, such as this recorded webinar, Elevating Security to the Cloud, from the 2021 Cyber Intelligence Summit.