Let’s have a look at which aspects of security are the responsibility of the customer and which fall under the responsibility of the provider.
The Shared Responsibility Model
The simplest way of understanding this concept is that providers are responsible for the security of the cloud, while customers are responsible for security in the cloud. This is how both stakeholders in the transaction work together to meet the objectives of cloud security.
To understand this concept further, the spectrum of security requirements needs to be understood. Customers of cloud services bring their own business, industry and regulatory requirements into the mix, and meeting those requirements constitutes their part of the cloud’s security. This includes contracts, PCI DSS, GDPR, etc. These requirements exist to ensure that data keeps its integrity, stays confidential and remains available.
While all of the above is the responsibility of the customer, the rest falls within the provider’s spectrum. If both the customer and the provider meet their part of the deal’s requirements, the data will be effectively protected.
Understanding this shared responsibility model is essential for customers who are moving to the cloud. Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer of the duty to protect their users, applications, and service offerings.
Best Practices With Respect To the Shared Responsibility Model
Cloud providers should take the customer’s perspective into account when considering and mitigating risks, and then implement controls accordingly. Alongside this, the service provider should also implement its own internal controls for managing risk.
Beyond this, providers should document their security features and form a matrix of responsibilities that lists the various risks and their respective solutions. Lastly, they should turn to the CSA’s CCM and CAIQ as the starting point for their share of the responsibility model.
Cloud customers, on the other hand, should be able to define what they expect of their security providers. If they can do this, they can make an informed choice of service provider in the first place, based on their own needs.
Next, cloud customers should harmonize their cloud and traditional IT delivery systems. While doing so, they should also establish clear roles and responsibilities through a contract. It should state clearly how far the service provider’s responsibilities extend and who is responsible for what.