Cloud Security & The Shared Responsibility Model:

The iceberg threatening your digital transformation journey

Daniel Simmons
Oct 11, 2018 · 5 min read
Don’t let the “Shared Responsibility Model” sink your digital transformation journey!

2018 has been a landmark year for cloud services, with cloud consumption revenue surpassing server sales for the first time in history; analysts predict that by the end of this year companies will have relocated 60% of all server workloads from on-premise infrastructure to Public Cloud. We will likely look back at 2018 as the inflection point in the technology adoption lifecycle at which cloud services “crossed the chasm” between the early adopter and early majority phases. We did it!

Now that we are here, it’s about time we get down to brass tacks and talk security. With companies around the world sprinting to get to the cloud, I have conversations every day that remind me — most companies don’t understand cloud security. The number one fear I encounter from C-suite teams at the onset of large digital transformation journeys is that “the cloud isn’t as secure as our on-premise infrastructure.” The truth is that the security of your cloud infrastructure lies mostly on the shoulders of your company and not the cloud service provider. If this is new information for you, let me introduce you to the Shared Responsibility Model [1][2].


Shared Responsibility Model

1. Security “OF” the cloud (CSPs)

2. Security “IN” the cloud (Your Company)

Microsoft, Amazon, Google, Oracle, etc. are all responsible for the security “OF” the cloud. The scope is pretty limited and includes the physical security of data centres and the infrastructure inside (CPU, Storage, Network). Your responsibility as a consumer of cloud services is the security “IN” the cloud, which is most of the work. This dichotomy is best represented as an iceberg, with the vast majority of responsibility falling on the customer and the small scope of work for CSPs represented by the portion floating above the surface of the ocean.

Try to name a few recent cloud security breaches: major global news stories like Equifax, Sony, and Uber were all incidents where customers failed to fulfill their responsibilities for security “IN” the cloud. That is why, although the IaaS (Infrastructure-as-a-Service) workloads for those incidents were hosted in Azure and AWS respectively, Amazon and Microsoft were seldom named in reports and were never attributed responsibility. If we are honest with ourselves, companies with information security issues in the cloud have information security issues outside of the cloud. If your managed IT service provider tells you that the cloud isn’t as secure as your on-premise servers, it’s time for a third-party audit.

Know Your Role!

  • Customer Data (Storage, Security & Protection)
  • Identity Management & Access Control
  • Platform, Application & OS Level Security
  • Network Traffic Routing & Management
  • Network Traffic Protection (Private Connectivity, Encryption, Integrity, Identity)
  • Network & Firewall Configuration (Cloud, Hybrid & On-Prem)
  • Client-Side Security (Data Encryption, Integrity & Authentication)
  • Server-Side Security (Encryption — Filesystem And/Or Data)

To backfill IT bench depth, most Canadian enterprises are turning to cloud integration partners like Sourced Group, Scalar, Pythian, and Arctiq for cloud security and digital transformation expertise. The IT service industry is undergoing a radical transformation, with cloud service adoption driving IT service outsourcing market growth. The cloud integration service provider market is already undergoing a period of consolidation; legacy managed IT service providers and internal IT resources will become less likely sources of the required experience or technical depth for cutting-edge digital transformation initiatives. Companies should consider funding retraining initiatives for internal IT resources and be vigilant about evaluating whether or not their managed IT services providers are making those investments themselves.

Conclusions

And if you don’t know, now you know.

About the Author:

Daniel Simmons is the Director of Cloud Strategy at Beanfield Metroconnect, a cloud product manager, cloud evangelist, and a solution architect for cloud and data centre services. Daniel has spent the past year overseeing the launch of the Beanfield and Megaport partnership with the goal of bringing multi-cloud connectivity to every office building in the city. He lives in Toronto with his partner and dog.

Beanfield Metroconnect

If you think Beanfield Metroconnect is like other telecommunications companies, think again. With a 100% fibre-optic network — that we own, build and operate — we’re solely in control of our network. That allows us to set our sights high. And give your business more power.
