This post was originally published on The New Stack.

When organizations decide to move their applications’ workloads to public cloud providers, they need to understand that there are responsibilities shared with the providers. In other words, this move is not a “set it and forget it” kind of situation. Organizations will need to think about areas including:

  • Software or application updates and patches
  • Security concerns (including security software)
  • Networking (including policies and firewalls)
  • Resource access

Along with resource management, the shared responsibility model helps ensure that the organization’s infrastructure is configured correctly and secured. In order to protect your applications and important information, all relevant members of your organization must know who is responsible for what according to the shared responsibility model.

Understanding the Shared Responsibility Model

Before we define the shared responsibility model, let’s take a look at a simple, real-life analogy that can be used to illustrate it.

I’m guessing that you’ve probably rented an apartment or a hotel room at some point. In either case, you probably expected the management to provide a basic level of security. You also likely realized that you couldn’t just leave your windows and doors open and expect your property to be secure all the time. Further, I’m sure you knew that parking your vehicle in an assigned spot didn’t protect you against theft, a breakdown or getting booted due to your unpaid parking tickets.

The same concept applies to cloud providers (who are analogous to the hotel owner or apartment manager in the scenario above) and the customers who use their cloud technology (who are akin to the renters). While this scenario illustrates the basics of the shared responsibility model, it’s important to note that responsibilities can shift based on the type of infrastructure service you adopt. For example, you might use a Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or serverless setup.

It’s All About Security

In the end, the shared responsibility model is all about security. Organizations need to know who is responsible for what, and the answer to that question depends on whether you use IaaS, PaaS, SaaS or serverless. The following image will help you understand where the line is drawn in relation to your setup:

Shared Responsibility by Cloud Service Type (from Orca’s 2022 State of Public Cloud Security Report)

As you can see in the image above, you are responsible for securing your applications regardless of the type of service you use. In this case, your information, data and endpoints are all considered part of your applications.

This means that you, the customer, are responsible for how your applications handle SQL injection, brute force attacks and similar events. You are also responsible for the way your passwords are stored in the system or database (whether they’re plain text or encrypted) as well as for upgrading or patching your existing programming language version. It would be irresponsible to keep using PHP 5, for example, when there’s a better and more secure version available.  

On the other hand, the cloud provider is responsible for providing and patching the operating system (if you use PaaS, at least) and for using the latest version of Kubernetes, for example. However, organizations still have to come up with their own workflows for using these features, such as selecting which release channel will allow the organization to schedule the update. Some cloud providers might “force” the updates (for security reasons) and also set an End of Life (EOL) date for the operating system, Kubernetes version and more.

Take storage, for example. The cloud provider provides the storage (either archival or easy-access storage). The customer, meanwhile, is responsible for securing the data (using something like a key management service) and for data accessibility. The same concept applies to other resources, such as virtualization, servers and networking.

Conclusion: Applying the Shared Responsibility Model

Prior to the advent of cloud technology, organizations were fully responsible for their own compute resources – from software and hardware to peripherals like cables, patch panels, power supplies and even building access codes.

With today’s modern cloud technology, organizations don’t have to worry about those things anymore. True, organizations are responsible for securing their information, data and endpoints. However, depending on the type of infrastructure they use (IaaS, PaaS, SaaS or serverless), they now share responsibility for certain aspects of security with their cloud providers. This shared responsibility model helps guarantee that your cloud infrastructure is fully secured.

To learn more about cloud security gaps and how to prevent them, you can download Orca’s 2022 State of Public Cloud Security Report or sign up for a free cloud security risk assessment.

Further Reading