What is the Shared Responsibility Model in Cloud Security?
Cloud service providers (CSPs) adhere to a “shared responsibility model” that delineates which responsibilities belong to cloud customers and which belong to CSPs. Defining the line between the responsibilities of cloud customers and CSPs helps to reduce the risk of introducing vulnerabilities into public, hybrid, and multi-cloud environments. The definitions of the shared responsibility model can vary among CSPs, but there are some aspects of security that are clearly owned by the CSP and others that are always retained by the cloud customer [1].
Cloud Customer Cloud Security Responsibilities
Information and data. Cloud customers retain control over their information and data and how it is used. Cloud providers have zero visibility into cloud customer data, and data access is fully controlled by the cloud customer.
Application logic and code. Cloud customers are responsible for securing and controlling proprietary applications throughout the application lifecycle, including securing code repositories, application build testing, secure production access, and connected system security.
Identity and access. Cloud customers are responsible for all aspects of identity and access management (IAM), which includes authentication, authorization, single sign-on (SSO), multi-factor authentication (MFA), certificates, access keys, user creation processes, and password management.
Platform and resource configuration. The cloud customer's responsibility for a cloud environment depends on whether it is server-based or serverless. Server-based cloud resources require more hands-on control over security, while serverless resources expose a control plane through which the configuration is set up, leaving cloud customers responsible for knowing how to construct secure configurations.
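To make the customer side of the model concrete, the following Python script is an added example (not part of the original article) that audits a configuration record for the four customer-owned areas described above: identity and access, information and data, application logic and code, and platform and resource configuration. The configuration schema, field names (for example `mfa_required`, `plaintext_env_secrets`) and sample values are constructed assumptions for this illustration and do not correspond to any CSP's real API or console output; the 90-day key rotation threshold is likewise an assumed policy.

```python
"""Audit the customer-controlled side of a cloud deployment.

The configuration record is a constructed, provider-neutral example;
its schema and values are assumptions and match no real CSP API.
"""
from dataclasses import dataclass
from datetime import date

MAX_KEY_AGE_DAYS = 90              # assumed rotation policy for access keys
AUDIT_DATE = date(2024, 6, 1)      # fixed "today" so key ages are reproducible


@dataclass(frozen=True)
class Finding:
    area: str      # customer responsibility area in the shared responsibility model
    severity: str  # "high" or "medium"
    message: str


# Constructed sample configuration (assumed schema, not a real provider's output).
SAMPLE_CONFIG = {
    "identity": {
        "mfa_required": False,
        "access_keys": [
            {"user": "deploy-bot", "created": "2023-01-10"},   # stale key
            {"user": "alice", "created": "2024-05-01"},        # recent key
        ],
        "policies": [{"name": "admin-all", "actions": ["*"], "resources": ["*"]}],
    },
    "data": {
        "buckets": [
            {"name": "public-assets", "classification": "public",
             "public": True, "encrypted": True},
            {"name": "customer-records", "classification": "confidential",
             "public": True, "encrypted": False},
        ],
    },
    "application": {"repo_branch_protection": False, "build_tests_required": True},
    "platform": {
        "functions": [
            {"name": "ingest", "plaintext_env_secrets": True, "runtime_supported": True},
            {"name": "report", "plaintext_env_secrets": False, "runtime_supported": False},
        ],
    },
}


def audit_customer_config(cfg: dict, today: date) -> list[Finding]:
    """Return findings grouped by the four customer-owned areas of the model."""
    findings: list[Finding] = []
    add = lambda area, sev, msg: findings.append(Finding(area, sev, msg))

    # Identity and access: MFA enforcement, key hygiene, over-broad authorization.
    ident = cfg.get("identity", {})
    if not ident.get("mfa_required", False):
        add("identity", "high", "MFA is not enforced for users")
    for key in ident.get("access_keys", []):
        age = (today - date.fromisoformat(key["created"])).days
        if age > MAX_KEY_AGE_DAYS:
            add("identity", "medium", f"access key for {key['user']} is {age} days old")
    for pol in ident.get("policies", []):
        if "*" in pol["actions"] and "*" in pol["resources"]:
            add("identity", "high", f"policy {pol['name']} allows every action on every resource")

    # Information and data: exposure and at-rest protection of customer-owned data.
    for b in cfg.get("data", {}).get("buckets", []):
        if b["public"] and b["classification"] != "public":
            add("data", "high", f"{b['classification']} bucket {b['name']} is public")
        if not b["encrypted"]:
            add("data", "medium", f"bucket {b['name']} is not encrypted at rest")

    # Application logic and code: repository and build-pipeline controls.
    app = cfg.get("application", {})
    if not app.get("repo_branch_protection", False):
        add("application", "medium", "code repository has no branch protection")
    if not app.get("build_tests_required", False):
        add("application", "medium", "builds can ship without passing tests")

    # Platform and resource configuration: serverless settings the customer owns.
    for fn in cfg.get("platform", {}).get("functions", []):
        if fn["plaintext_env_secrets"]:
            add("platform", "high", f"function {fn['name']} keeps secrets in plaintext env vars")
        if not fn["runtime_supported"]:
            add("platform", "medium", f"function {fn['name']} runs on an unsupported runtime")
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per customer responsibility area."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_customer_config(SAMPLE_CONFIG, AUDIT_DATE)
    for f in results:
        print(f"[{f.severity:6}] {f.area:12} {f.message}")
    print(summarize(results))
```

Each finding is tagged with the responsibility area it belongs to, so the output doubles as a map of which items the customer, not the CSP, has to fix. Note that an empty record still produces findings: when a control the customer owns is simply absent (no MFA setting, no branch protection), the safe reading is that the responsibility has not been met, not that it does not apply.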
CSP Cloud Security Responsibilities
Virtualization layer. CSPs are responsible for ensuring segmentation and isolation of CPU, GPU, storage, and memory to protect users, applications, and data, through their control over the provisioning of physical resources via virtualization.
Physical hosts, network, and datacenter. CSPs are responsible for ensuring that servers are protected from physical intrusion and tampering. Cloud vendors protect hardware through a variety of means, using both software and hardware elements that perform critical functions such as backup, restore, disaster recovery solutions, and more.
Some cloud security responsibilities are dependent upon selected services and terms of service. These may include:
- Identity and directory infrastructure
- Network controls
- Applications
- Operating systems
[1] CloudPassage, 2020, “Shared Responsibility Model Explained”