Cloud Security & The Shared Responsibility Model:
The iceberg threatening your digital transformation journey
2018 has been a landmark year for cloud services with cloud consumption revenue surpassing server sales for the first time in history; analysts predict that by the end of this year companies will have relocated 60% of all server workloads from on-premise infrastructure to Public Cloud. We will likely look back at 2018 as the inflection point in the technology adoption lifecycle at which cloud services “crossed the chasm” between the early adopter and early majority phases. We did it!
Now that we are here, it’s about time we get down to brass tacks and talk security. With companies around the world sprinting to get to the cloud, I have conversations every day that remind me — most companies don’t understand cloud security. The number one fear I encounter from C suite teams at the onset of large digital transformation journeys — “the cloud isn’t as secure as our on-premise infrastructure.” The truth is that the security of your cloud infrastructure lies mostly on the shoulders of your company and not the cloud service provider. If this is new information for you, let me introduce you to the Shared Responsibility Model.
Shared Responsibility Model
The shared responsibility model is nearly identical across the service provider landscape, and to break it down as simply as possible there are two distinct cloud security roles and responsibilities:
1. Security “OF” the cloud (CSPs)
2. Security “IN” the cloud (Your Company)
Microsoft, Amazon, Google, Oracle, etc. — all are responsible for the security “OF” the cloud. The scope is pretty limited and includes the physical security of data centres, and the infrastructure inside (CPU, Storage, Network). Your responsibility as a consumer of cloud services is the security “IN” the cloud, which is most of the work. This dichotomy is best represented as an iceberg, with the vast majority of responsibility falling on the customer and the small scope of work for CSPs represented by the portion floating above the surface of the ocean.
Try and name a few recent cloud security breaches: major global news stories like Equifax, Sony, and Uber were all incidents where customers failed in the fulfillment of their responsibilities for security “IN” the cloud. It is why, although the IaaS (Infrastructure-as-a-Service) workloads for those incidents were hosted in Azure and AWS respectively, Amazon and Microsoft were seldom named in reports and were never attributed responsibility. If we are honest with ourselves, companies with information security issues in the cloud have information security issues outside of the cloud. If your managed IT service provider tells you that the cloud isn’t as secure as your on-premise servers, it’s time for a third-party audit.
Know Your Role!
The customer scope in the shared responsibility model is significant, so it’s important to critically evaluate internal capabilities and determine whether or not these are duties your organization is honestly able to deliver in-house. Whether you have adopted a multi-cloud strategy or a single vendor solution, the customer responsibilities for security will include but may not be limited to these roles:
- Customer Data (Storage, Security & Protection)
- Identity Management & Access Control
- Platform, Application & OS Level Security
- Network Traffic Routing & Management
- Network Traffic Protection (Private Connectivity, Encryption, Integrity, Identity)
- Network & Firewall Configuration (Cloud, Hybrid & On-Prem)
- Client-Side Security (Data Encryption, Integrity & Authentication)
- Server-Side Security (Encryption — Filesystem And/Or Data)
To backfill IT bench depth, most Canadian enterprises are turning to cloud integration partners like Sourced Group, Scalar, Pythian, and Arctiq for cloud security and digital transformation expertise. The IT service industry is undergoing a radical transformation, with cloud service adoption driving IT service outsourcing market growth. The cloud integration service provider market is already undergoing a period of consolidation; legacy managed IT service providers and internal IT resources will become less likely sources of the required experience or technical depth for cutting-edge digital transformation initiatives. Companies should consider funding retraining initiatives for internal IT resources and be vigilant about evaluating whether or not their managed IT services providers are making those investments themselves.
Whether your company is planning a digital transformation initiative, or you have been in the cloud for some time, a routine check-up never hurts. Have a frank discussion with your team about the shared responsibility model. With the bulk of the work on your shoulders, it is important you know your role in keeping your cloud secure. In the infamous words of the Notorious B.I.G —
And if you don’t know, now you know.
About the Author:
Daniel Simmons is the Director of Cloud Strategy at Beanfield Metroconnect, a cloud product manager, cloud evangelist, and a solution architect for cloud and data centre services. Daniel has spent the past year overseeing the launch of the Beanfield and Megaport partnership with the goal of bringing multi-cloud connectivity to every office building in the city. He lives in Toronto with his partner and dog.