Mastering Cloud Security Posture Management (CSPM)

Secure multi-cloud infrastructure across AWS, Azure, and Google Cloud using proven techniques

Author: Qamar Nomani
Publisher: Packt
Published: Jan 2024
ISBN-13: 9781837638406
Length: 472 pages
Edition: 1st Edition
Product type: Paperback

The shared responsibility model

Cloud security is a tricky area, and there are many myths about securing the cloud. Some think that once you have moved to the cloud, it is the cloud provider’s responsibility to protect everything in it, while others think that nothing in the cloud is secure and that it is not safe to move there, especially when you are dealing with sensitive data. The fact is that security and compliance in the cloud are a shared responsibility between cloud providers and cloud customers.

This brings a lot of questions to our minds. Who is responsible for what? How do you define the responsibility matrix between cloud providers and customers? Who defines those responsibilities and on what basis?

Let us understand this with a simple and fun analogy of a Pizza-as-a-Service model. The cloud’s shared responsibility model can be explained using the analogy of ordering pizza in different ways: making it at home, ordering a Take and Bake pizza, ordering a pizza for delivery, or dining out at a restaurant:

Figure 1.3 – Pizza-as-a-Service model

  • Making pizza at home is like managing your IT infrastructure. You are responsible for everything, including buying the ingredients (hardware and software), preparing the dough and toppings (setting up the infrastructure and applications), cooking the pizza (maintaining the infrastructure), and cleaning up afterward (managing security, backups, and disaster recovery).
  • Ordering a Take and Bake pizza is like using IaaS. You order the pizza with the toppings you want, but the pizza is not cooked yet. You must take it home and cook it yourself. Similarly, with IaaS, you are provided with a virtual infrastructure that you configure and manage yourself, including installing and configuring the operating system, middleware, and applications.
  • Ordering a pizza for delivery is like using PaaS. You order the pizza with the toppings you want, and it is delivered to you fully cooked. You do not have to worry about the cooking process, but you still have control over the toppings. Similarly, with PaaS, you are provided with a platform for developing and deploying applications, and the CSP takes care of the underlying infrastructure.
  • Dining out at a restaurant is like using SaaS. You order the pizza, and it is delivered to you fully cooked and ready to eat. You do not have to worry about cooking or toppings as the restaurant takes care of everything. Similarly, with SaaS, you use a cloud-based application that is fully managed by the cloud service provider, and you do not have to worry about the underlying infrastructure, security, or backups.

In all these scenarios, the shared responsibility model applies. You, as the customer, are responsible for selecting the pizza toppings you want, just as you are responsible for configuring and securing your data and applications in the cloud. The cloud service provider is responsible for providing a secure and reliable environment for your data and applications, just as the restaurant is responsible for providing a clean and safe dining experience.

Now that you have understood shared responsibility via an analogy, let’s understand the concept with the help of the actual responsibility model that every cloud provider publishes for its customers. This split is also known as security of the cloud versus security in the cloud:

Figure 1.4 – Shared responsibility model

Let us quickly discuss what security of the cloud and security in the cloud mean:

  • Security of the cloud: Security of the cloud means protecting the infrastructure that runs all the services offered by the cloud provider, which is composed of the hardware, software, networking, and facilities that public cloud services use. Cloud providers are responsible for the security of the cloud, which includes protecting the cloud environment against any security threats.
  • Security in the cloud: This refers to the responsibility held by customers and is solely determined by the cloud services that customers choose for consumption and where those workloads are hosted, such as IaaS, PaaS, SaaS, Database-as-a-Service (DBaaS), Container-as-a-Service (CaaS), or even Security-as-a-Service (SECaaS).

Customers must carefully consider the services they choose from different providers as their responsibilities vary depending on the services they use, the integration of those services into their IT environment, and applicable laws and regulations.

The model makes the division of responsibility clear. When an organization has no cloud footprint, it is 100% responsible for the security and compliance of its infrastructure. When an organization moves to the cloud in a hybrid or cloud-native setup, the responsibility is shared between both parties.

Division of responsibility

Let us understand how the division of responsibilities varies from one service model to another:

  • On-premises data centers: In an on-premises infrastructure (hardware and software), the customer is responsible for everything, from the physical security of data centers to the encryption of sensitive data.
  • IaaS: Virtual machines offered as a service by cloud providers, such as Azure VM, AWS EC2, and Google Compute Engine, are examples of IaaS. If a customer decides to use VMs in the cloud, the cloud provider is responsible for the security of the physical data center, physical network, and physical host where the VM runs. As per Figure 1.4, security of the operating system (vulnerabilities and patches), network controls, applications hosted in the VM, identity and directory infrastructure, devices through which the VMs are accessed, and information and data in the VM are all the customer’s responsibility.
  • PaaS: A wide range of services is offered by cloud providers under the PaaS category. Azure Web App, Logic Apps, Azure Functions, Azure SQL, Azure Service Bus, AWS Lambda, AWS Elastic Beanstalk, and Google App Engine are a few examples. As the name suggests, PaaS provides an environment for building, testing, and deploying software applications. The most useful benefit of PaaS for its customers is that it lets them create an application quickly without having to manage the underlying infrastructure, such as hardware and operating systems. This simplifies security for customers, as they are only responsible for securing the application and the data.
  • SaaS: SaaS is a ready-made, subscription-based application made available by cloud providers to their customers. Microsoft 365, Skype, Google Workspace, ERP, Amazon Chime, Amazon WorkDocs, and Dynamics CRM are some common examples of SaaS offerings. Of all the service offerings, SaaS requires the least security responsibility from customers. The cloud provider is responsible for everything except data, identity and access, accounts, and devices.

Important note

No matter which service the customer uses, the responsibility to protect accounts and identities, devices (mobile and PCs), and data always remains with the customer.
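The service-model list above and the note on what the customer always retains can be expressed as a small responsibility matrix. The following is an added example, not code from the book: it encodes the Figure 1.4 layering for on-premises, IaaS, PaaS, and SaaS, checks the invariant from the note (identity, accounts, devices, and data are never handed to the provider), and goes one step beyond the text by deriving, from a constructed asset inventory, which layers the customer must audit and for which resources. Layer names, owner assignments, and the sample inventory are assumptions that mirror the chapter's description; real provider matrices have more nuance (for example, layers marked as jointly owned).

```python
"""Shared-responsibility matrix per service model and a helper that derives the
customer's security scope from a cloud asset inventory.

Added example, not the book's code. LAYERS, the owner assignments and
SAMPLE_INVENTORY are constructed assumptions based on the chapter's text.
"""
from __future__ import annotations

from enum import Enum


class Owner(Enum):
    CUSTOMER = "customer"
    PROVIDER = "provider"


# Layers from the bottom of the stack (facilities) to the top (data),
# following the layering described for Figure 1.4.
LAYERS = (
    "physical datacenter",
    "physical network",
    "physical host",
    "operating system",
    "network controls",
    "application",
    "identity and directory infrastructure",
    "devices",
    "accounts and access",
    "information and data",
)

# Layers the customer retains no matter which service model is used
# (the chapter's "Important note").
ALWAYS_CUSTOMER = frozenset({
    "identity and directory infrastructure",
    "devices",
    "accounts and access",
    "information and data",
})

# Provider-owned layers per service model; every other layer is the
# customer's. Simplified: the chapter's PaaS text leaves the customer with
# the application and the data, so everything below that goes to the provider.
_PROVIDER_OWNED = {
    "on-premises": frozenset(),
    "IaaS": frozenset({"physical datacenter", "physical network", "physical host"}),
    "PaaS": frozenset({"physical datacenter", "physical network", "physical host",
                       "operating system", "network controls"}),
    "SaaS": frozenset(set(LAYERS) - ALWAYS_CUSTOMER),
}


def responsibility_matrix(model: str) -> dict[str, Owner]:
    """Return {layer: owner} for one service model (raises KeyError if unknown)."""
    provider_owned = _PROVIDER_OWNED[model]
    return {
        layer: (Owner.PROVIDER if layer in provider_owned else Owner.CUSTOMER)
        for layer in LAYERS
    }


def check_invariant() -> bool:
    """True if no service model assigns an always-customer layer to the provider."""
    return all(
        responsibility_matrix(model)[layer] is Owner.CUSTOMER
        for model in _PROVIDER_OWNED
        for layer in ALWAYS_CUSTOMER
    )


def customer_scope(inventory) -> dict[str, set[str]]:
    """Map each customer-owned layer to the resources that put it in scope.

    inventory: iterable of (resource_name, service_model) pairs.
    """
    scope: dict[str, set[str]] = {}
    for resource, model in inventory:
        for layer, owner in responsibility_matrix(model).items():
            if owner is Owner.CUSTOMER:
                scope.setdefault(layer, set()).add(resource)
    return scope


# Constructed sample inventory: one resource per cloud service model.
SAMPLE_INVENTORY = (
    ("web-vm-01", "IaaS"),
    ("orders-function", "PaaS"),
    ("mail-tenant", "SaaS"),
)


if __name__ == "__main__":
    print("invariant holds:", check_invariant())
    for layer, resources in customer_scope(SAMPLE_INVENTORY).items():
        print(f"{layer}: {sorted(resources)}")
```

Run as a script, it lists each customer-owned layer with the resources that bring it into scope; `web-vm-01` is the only resource for which the operating system and network controls appear, while the identity, device, account, and data layers appear for all three, which is the chapter's point about what the customer never gives up.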

The shared responsibility model is one of the most important topics to understand in the cloud security domain. Now that you understand it, let us understand another important topic – defense in depth.
