Authored by Gaurav Ranade, CTO, RAH Infotech
Traditional or legacy structures have nearly become redundant. The digital transformation push driven by the pandemic has led to the modernization of operations. With many organizations shifting towards hybrid or remote work, there has been a movement of operations, data and applications from in-house to cloud infrastructure i.e public cloud. Modernization of infrastructure brings in modernized problems and security is one of the headaches the IT teams need to focus on. The biggest threat to an organization utilizing cloud services is the lack of clarity on who is responsible for cloud security. As the cloud is here to stay, so are security threats and this is why organizations need a solution to counter this problem.
Shared responsibility model the ideal solution?
Data says that 81% of organizations experienced cloud-related security incidents in 2021-22. Numbers on the higher scale indicate the inevitability of having the right cloud security strategy. There is a shared responsibility between the Cloud Service Provider (CSP) and the customer when it comes to cloud security. To generally define the shared responsibility model - the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. But the clear definition of ownership when planning security strategy is often lost or misunderstood. When a clear definition is set, the security loopholes can be covered and this helps in formulating a robust security structure.
“Shared responsibility model became a hit when the cloud service models - SaaS, IaaS and PaaS took the center stage post-pandemic. According to a forecast by Gartner, 99% of cloud security failures will be the customer’s fault. So, the problem when considering the shared responsibility model is assuming that cloud workloads, applications, data or activities associated with them are fully protected by the CSP. It is why this notion should be discarded and only then will a secure cloud setup exist,” says Gaurav Ranade, CTO at RAH Infotech.
Is there are standard plan for tracking the role of CSP and customers in the shared responsibility model?
There are three entities in play when utilizing the shared responsibility model. While some aspects may vary based on the CSP being roped in, this is a generalized security function IT teams and organizations need to be aware of:
1. Responsibilities of Cloud Service Providers:
· Physical / Building Security
· Provider Services & Software
· Operations and Availability
2. Responsibilities of Customers:
· Data Backup
· Identity And Access Management (IAM)
· Access Security Controls
· Awareness & Training
3. Responsibilities of Customers and/or CSPs: This is a case where, as said earlier, the responsibilities are either shared or taken care of by just one entity.
· Virtualization Layers
· Audit Logging and Monitoring
· Storage and Encryption
· Drivers, Firmware, Software
The roles and responsibilities in this are also dependent on whether the service a customer is utilizing is SaaS, PaaS or IaaS. Only by protecting the data can companies keep themselves secure from threats and their ramifications. A business can only be protected when it is wholesomely protected from threats. Cloud providers are constantly investing in innovative solutions to strengthen their security profiles. By understanding the shared responsibility model, companies with the help of CSPs can ensure the security of the cloud infrastructure and improve overall security posture.