What Is the Shared Responsibility Model?

The shared responsibility model is one of the most important features of effective cloud security. This applies whether you use a Software as a Service model such as Microsoft 365 or an all-encompassing Infrastructure as a Service model. There are always responsibilities shared between you and the cloud service provider.

The model defines the individual responsibilities of the cloud service provider (CSP) and the customer. It also covers shared accountabilities where both parties have a role to play. Benefits of the shared responsibility model include an improved security posture, greater accountability and lower costs.

One aspect that is never shared is the customers’ responsibility to secure their data, accounts and identities. As a customer, you’re responsible for your data security and making certain you have safe, secure, and reliable backups when you need them.

Introduction to the Shared Responsibility Model

When you move workloads to the cloud, your responsibilities change. The cloud service provider becomes accountable for the provision of certain services, while you retain responsibility for the balance. In some cases, you and the cloud provider share specific responsibilities. This is known as a cloud shared responsibility model.

It’s vital to fully understand the contents and context of the shared responsibility model that applies to your application. Responsibilities differ depending on the CSP and the type of service you use. In each instance, you, the user, have specific responsibilities regarding cloud security and compliance. You’re always responsible for the security of your data and your backups. By taking the time to fully understand these requirements and implementing appropriate security measures, you can allay concerns regarding cloud security.

Shared Responsibility Model Basics

The division of responsibilities depends on the cloud solution you employ. At one extreme is the bare-bones IaaS model, where all the CSP provides is a cloud-based host structure. At the other extreme is the SaaS model, which includes everything from the basic hardware up to a complete software application.

It’s important to note the nuances of each CSP’s offering. For example, not all SaaS applications are the same. In some instances, the CSP claims responsibility for everything except the client’s data, while in others, customer responsibility includes access control, application configuration and data security.

Shared Responsibility Service Models

The three main cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Variations not covered here include Network as a Service, Database as a Service, and Storage as a Service.

Infrastructure as a Service

IaaS is the closest equivalent to having an on-premises data center, except that it’s in the cloud. The CSP’s responsibility is the provision of a physical or virtual host, network and data center. This includes the security, management and software maintenance of these facilities. As the user, you’re responsible for the security of the operating system, software applications, network management, data storage, backups, application configuration, accounts, and identity controls.

Platform as a Service

The main difference between IaaS and PaaS is that the CSP provides the operating system. The customer’s responsibilities include the application software, data management tools, backups, and access management. PaaS often includes a greater proportion of shared services than other models, and the actual division of security responsibilities differs across providers. The user is responsible for data security and storage.

Software as a Service

With the SaaS model, the provider supplies and is responsible for the infrastructure, operating system and application. As a user, all you have to do is initialize and configure the application to your needs and start using it. Examples include Microsoft 365, Salesforce, Dropbox, and Slack. It’s important to understand that you, as the user, remain responsible for the security of your data. While the CSP has a shared responsibility to make certain the infrastructure and applications are secure, you have to do your part by maintaining secure accounts, user identities and data integrity. Actual responsibilities differ depending on the application and the freedom you have to alter its configuration.

Cloud Service Provider Responsibilities

CSP responsibilities vary depending on the cloud model. In all instances, the CSP is responsible for the provision and security of the physical data center, host software and internal networks. They do this through physical measures together with robust security software, firewalls and protocols. They protect against unplanned downtime through rapid failover services to mirror data centers, comprehensive internal backups and sophisticated disaster recovery solutions. CSPs manage virtualization layers that allow users to access and provision resources. The CSP is responsible for protecting individual customer accounts and partitions from malicious intrusions.

In the case of SaaS and PaaS solutions, the CSP manages all resources up to an agreed level related to the service provided and the customer’s needs. These include software updates, security patches and all aspects of operational security for services provided by the CSP.

Your Responsibilities

You are responsible for every aspect of the service that’s under your direct control. This always includes full responsibility for the security and safety of your data. Aspects include access control, identity and user authentication, and password management. A crucial aspect is that you, as the user or client, are responsible for encrypting, backing up and protecting your data, as well as meeting regulatory requirements such as retention periods.

Customers are responsible for endpoint security, account management, and external network connections. Other points to consider include system configurations, software updates, and the implementation of security patches for all software managed by the user.

Veeam’s 2023 Report on Cloud Protection Trends highlights that many cloud users don’t fully appreciate these responsibilities. These concerns extend to data retention periods and data security.

Shared Responsibilities

In most instances, you need to clearly define shared responsibilities. Areas where this can occur include directory infrastructure, applications, and network controls. For example, with IaaS, users often select the operating system. This decision raises issues such as who is responsible for OS configuration, updates and patches. With SaaS, the vendor may provide a firewall, but the user configures it.

Benefits of the Shared Responsibility Model

At a time when many companies’ IT departments are stretched, the shared responsibility model is an attractive option. CSPs, with their larger budgets and technical depth, can relieve your team of significant responsibilities. Benefits include an improved security posture, a clear division of responsibilities, greater flexibility, and reduced costs.

Shared Responsibility Best Practices

Whether you’re new to the cloud or an experienced user, it’s useful to define a set of shared responsibility best practices. These will help you manage your relationship with your CSP and help you better understand your responsibilities.

Shared Responsibility Models in Leading Cloud Providers

To gain a better perspective on the shared responsibility model, let’s look at three popular cloud platforms: AWS, Microsoft 365, and Salesforce. Each is distinctly different. AWS is primarily an IaaS model, but it offers PaaS and SaaS services. Office 365 and Salesforce are both SaaS cloud models.

AWS Shared Responsibility Model

AWS is currently the largest cloud service provider. The company has three main cloud platforms. These are:

Amazon EC2 is an IaaS solution that uses Glacier and Amazon S3 for storage. AWS provides the hardware and hypervisor layers over which customers install their guest operating systems and applications. The AWS Shared Responsibility Model specifies that customers are responsible for managing their data and applying identity and access management tools.

Office 365 (Microsoft 365) Shared Responsibility Model

Office 365 is an extremely popular cloud version of Microsoft’s Office Suite. Microsoft 365 is a SaaS service built on the Microsoft Azure cloud service. One of the attractive features of 365 is its built-in data replication service, which ensures your data is safe should something go wrong at one of Microsoft’s data centers. Many users assume the data replication service is the same as a backup service. It’s not, nor is Office 365’s recycle bin, which only offers short-term recovery options. The Microsoft 365 Shared Responsibility Model states that it’s the customers’ responsibility to secure (back up) their data, account information and identities.

Salesforce Shared Responsibility Model

Salesforce is a company offering a comprehensive suite of sales, marketing and commercial software products under the Customer 360 brand name. It was the first company to offer a true SaaS cloud service. Today, the company has one of the most customizable CRM platforms in the cloud. Like Microsoft, Salesforce operates multiple data centers with full failover capabilities. But this service does not constitute a backup; it simply means you can recover your working data in the event of a disaster. It doesn’t protect against inadvertent deletion, corrupted data or ransomware. The Salesforce Shared Responsibility Model makes it clear that it’s the customers’ responsibility to secure their Salesforce instance.

Future Trends in Shared Responsibility

The shared responsibility model has demonstrated the effectiveness of shared cloud security. CSPs and customers who fully understand and apply these models create safe and secure cloud environments. However, cloud security is a moving target, and new requirements and threats are continually emerging that impact shared responsibility models.

Future trends in shared responsibility models include:

Secure Your Cloud Environment With Veeam

Shared responsibility models are the foundation for building successful cloud environments. These models clearly delineate the responsibilities of the CSPs and their clients. CSPs are responsible for the security of the underlying cloud infrastructure. Other responsibilities are shared, depending on the cloud implementation model.

One constant is that the customer is always responsible for the security of their data, backups, identity and account management, and configurations. Retain full control and ownership of your data with Veeam’s platform native Hybrid Cloud Backup Solutions.
