What is the Shared Responsibility Model?
The Shared Responsibility Model is an aspect of cloud computing that’s not often talked about, but can have a dramatic impact on your agency’s success.
The Shared Responsibility Model is a key concept in cloud security. The model outlines where a cloud provider’s role and responsibility ends and the customer’s begins. Regardless of whether you use IaaS, PaaS, or SaaS, the Shared Responsibility Model is part of the mix.
For many public sector organizations, this means navigating new waters, especially for those who are early in the cloud adoption journey. I lived through this firsthand as a CTO and CISO for a large state government organization. We were early in our cloud journey, and enthusiastically adopting a new operating model. With that in mind, I can offer some best practices. Understanding and properly executing this model can help you secure your data and realize the full benefits of cloud migration.
Defining who does what
In simplest terms, the customer is responsible for securing their own data and applications. This includes ensuring that data is encrypted, access controls are in place, and that the applications are designed and implemented securely. The customer should also monitor their part of the system for security events.
The cloud provider is responsible for securing the infrastructure that they provide. This includes ensuring that the data center is secure, the network is secure, and that the virtualization platform is secure. The cloud provider should also monitor their part of the system for security events.
One important note: the shared responsibility model will be a little different depending on which cloud service you use, whether IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service). All three models are active across the public sector, and adoption is growing. Approximately one-third of agencies’ mission-critical applications utilize IaaS, PaaS, and SaaS instead of on-premises infrastructure. According to Gartner, the worldwide infrastructure as a service (IaaS) market grew 40.7% in 2020.
IaaS (Infrastructure as a Service)
IaaS, or cloud infrastructure services, is a type of cloud computing that allows organizations to purchase resources on demand rather than investing in and maintaining physical infrastructure.
PaaS (Platform as a Service)
PaaS, or cloud platform services, is a type of IaaS that provides developers with a framework, software, and tools to create apps and software. PaaS offers its customers more access to servers, storage, and networking than IaaS does.
SaaS (Software as a Service)
SaaS, or cloud application services, is a popular service within the cloud industry. SaaS platforms allow users to access software over the internet for a monthly subscription fee. They are often pre-built and can be used straight from a user’s browser, eliminating any additional downloads or installations.
If we use a sliding scale, SaaS assigns the most responsibility to the provider and the least to the customer. As you move to PaaS and then IaaS, the customer takes on more responsibility and the provider’s role is reduced.
Understanding the Overlap and Working Together
Both the customer and the cloud provider are responsible for ensuring that their respective parts of the system are properly configured and that the appropriate security controls are in place. Both the customer and the cloud provider should also monitor their part of the system for security events. Organizations should look to reduce complexity where possible, leveraging workflow automation and security policies as a best practice. Visibility and situational awareness are also paramount when building out your cloud security program.
4 Best Practices
There are several best practices that organizations should follow when adopting the Shared Responsibility Model:
1. Define roles and responsibilities: Organizations should clearly define the roles and responsibilities of each party involved in the Shared Responsibility Model. This will help to ensure that everyone understands their part in keeping data and resources secure. Cloud providers have their own models, each with similar frameworks, but also some nuances. I always found it useful to build out a RACI chart so that my internal teams clearly understood the lines of delineation.
2. Implement, review, and test security controls: Enact security controls at all levels, including physical, logical, and administrative. This will help to protect data and resources from unauthorized access. Review the controls regularly and test them following your organization’s change management program.
3. Educate employees: Teach your team about the Shared Responsibility Model and their role in keeping data and resources secure. This will help to ensure that everyone understands the importance of security in the cloud.
4. Monitor activity: Monitor activity in the cloud to detect any potential security threats. This will help to identify any issues early and take appropriate action to mitigate them.
By following these best practices, organizations can help to keep data and resources safe in the cloud. For more on cybersecurity for the public sector, check out this recent post on Zero Trust for government.