Shared Responsibility: Who’s responsible for securing your data in the cloud?

Written by Ian Tinney

December 6, 2021

Are you doing enough to protect your data in the cloud? We look at where responsibility lies.


Initial concerns over securing data in the cloud have in many ways been assuaged as cloud models have matured. If anything, the pendulum has swung the other way, and there’s now a sense of overconfidence.

We routinely hear the assumption that the cloud ‘is secure by default’ and the objection that ‘our cloud service provider offers me cloud-native security tools, so I don’t need a third-party security solution’. But do you really know where your responsibilities for data security begin and end and how much protection you are afforded by your CSP’s solutions?

Who is responsible for cloud security?

The shared responsibility model for security is standard: cloud providers such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure all subscribe to it. They consider themselves responsible for the security “of” the cloud, while security “in” the cloud is the responsibility of the enterprise.

The cloud provider’s responsibilities can be summed up as follows:

  • Protecting the cloud provider’s physical premises, software, network, and hardware
  • Server-level security, i.e. protection against attacks that would affect the entire cloud server
  • Ensuring their systems are continually updated and have the necessary patches in place
  • Providing business continuity services and contingencies in case of an accident or system failure

The customer is responsible for the following:

  • Ensuring systems are properly configured
  • Security of traffic coming in and out of the server
  • Maintenance and protection of all platforms and applications running on the cloud
  • Patching their OS and applications
  • Configuring their OS, databases, and applications
  • Managing and handling all matters related to login, authentication and access permissions
  • Protection of the data that enters and exits the cloud service
  • Controlling what data is loaded to the cloud and ensuring an appropriate level of encryption
  • Enforcing security best practices for the cloud

The cloud provider protects the underlying infrastructure of the cloud from vulnerabilities, intrusions, fraud, and abuse and provides its customers with adequate security capabilities. However, it is the customer’s responsibility to ensure that they make the most of these security capabilities. For example, in the case of AWS, it is the customer’s responsibility to enforce the necessary access control policies using AWS IAM, configure Security Groups, enable CloudTrail, etc.
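As an added illustration of the customer-side checks named above (not code from the original article or from any vendor), the following Python example audits a constructed account snapshot for three things: admin ports open to the internet in Security Groups, no active multi-region CloudTrail trail, and IAM policies that allow every action on every resource. The snapshot layout, the check names and the choice of ports 22 and 3389 are assumptions.

```python
# Constructed snapshot. Field names follow AWS API response shapes; every
# value is made up, and merging IsLogging into the trail record is an assumption.
SNAPSHOT = {
    "SecurityGroups": [
        {"GroupId": "sg-example-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-example-admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "Trails": [{"Name": "example-trail", "IsMultiRegionTrail": False,
                "IsLogging": True}],
    "Policies": [
        {"PolicyName": "example-admin-all", "Document": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"PolicyName": "example-read-bucket", "Document": {"Statement": {
            "Effect": "Allow", "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*"}}},
    ],
}
ADMIN_PORTS = (22, 3389)  # SSH and RDP (assumed set of ports to check)


def as_list(value):
    """IAM accepts either a single item or a list for these fields."""
    return value if isinstance(value, list) else [value]


def audit(snapshot):
    """Return (check, resource) findings for customer-side misconfigurations."""
    findings = []
    for sg in snapshot["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            # Protocol "-1" means all traffic and carries no port range.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if world and perm["IpProtocol"] in ("tcp", "-1"):
                findings += [(f"admin-port-{p}-open-to-world", sg["GroupId"])
                             for p in ADMIN_PORTS if lo <= p <= hi]
    if not any(t["IsMultiRegionTrail"] and t["IsLogging"] for t in snapshot["Trails"]):
        findings.append(("no-active-multi-region-trail", "cloudtrail"))
    for pol in snapshot["Policies"]:
        for st in as_list(pol["Document"]["Statement"]):
            if (st["Effect"] == "Allow" and "*" in as_list(st.get("Action", []))
                    and "*" in as_list(st.get("Resource", []))):
                findings.append(("iam-allow-all", pol["PolicyName"]))
    return findings
```

Calling `audit(SNAPSHOT)` flags the port range 20-25 because it contains SSH, the single-region trail, and the wildcard policy, while the HTTPS rule and the scoped read policy pass.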

What about native tools?

At the same time, the cloud service providers all offer their own native security tools that can be easily configured and deployed. These tools normally reside within the same console as the infrastructure services so that they can be easily used. For an organisation with minimal security aspirations, such a tool works perfectly. However, for an organisation that has greater security aspirations and perhaps has the added complexity of operating in a regulated industry, such tools are not effective.

In many respects, the native tools offered by cloud providers are more of a feature as they do not offer the depth or reach of a third-party security solution. They are limited to operating within the CSP’s environment, meaning they cannot be used cross-cloud to enforce security in the multi-cloud. They have limited automation and customisation capabilities. And they aren’t integrated with compliance standards, for example.

Establishing if you’ve fulfilled your responsibilities

Determining how effectively you are protecting your data in the cloud can be difficult if you are using cloud provider security tools. To do so, you’ll need to carry out a penetration test or cloud assessment to benchmark security processes, identify issues or gaps in provisioning and any breach of compliance regulations.

Unlike the tests or checks typically offered by CSPs as part of onboarding, which can prove resource-intensive and take weeks, a Cloud Security Posture Assessment is agentless, automated and can be performed in a matter of minutes. This makes it suitable for start-ups as well as small, medium and large enterprises, which can use the assessment to quickly establish their cloud security and compliance posture. Armed with this information, the business can then begin to explore the security solutions needed to protect data more effectively.

At 4Data, we are offering our customers the opportunity to sign up for the C3M Cloud Security Posture Assessment to help them build out their cloud security provisions. To find out more about taking the assessment, please email info@4datasolutions.com and we will get straight back to you. Or, to find out more about the concept of Cloud Security Posture Assessment, why not download the datasheet or check out our Cloud in Crisis whitepaper?

 
