You’re off to the cloud, and the first thing you run into before you can reach altitude is a wall. That wall is your organization’s security requirements.
Fortunately, it’s easy to break through that wall when you understand how security works in the cloud.
We’re lucky because the model for security in any cloud is the same. It’s the shared responsibility model.
It’s a very simple model to understand at a high level. You share the responsibility for the security of your deployment with your cloud service provider.
While the model itself is simple, it can be nuanced in its application.
The simple summary of the model is:
I recently attended a talk by Mark Ryland from AWS on the application of the shared responsibility model. In the talk, he uses a matrix to explain how the model changes depending on the type of cloud service you are using.
I prefer a simpler summary: “The closer you are to the hardware, the more responsibility you have.” — by me… just now.
Areas of Responsibility
The areas that need securing generally fall under the following categories/descriptions:
- Physical infrastructure
- Network infrastructure
- Virtualization layer
- Operating system
And in real-world applications, the cloud service provider is almost always responsible for everything up to, and including, the virtualization layer.
The real question that you (as a user of a cloud service) must answer is: “Who is responsible for the security of the operating system, application(s), and data?”
What this means is that, depending on the type of cloud service that you are using, security responsibilities are applied on a sliding scale.
Regardless of what you have to implement, it is always your responsibility to verify the security of the cloud service provider. Both AWS and Microsoft are leading in their level of transparency when it comes to their security.
Fortunately, other providers have taken note and are quickly ramping up their transparency efforts. That’s a win for everyone, as clarity & communications are key when sharing anything.
Managed Service Providers
One caveat to note is how this model works when you’re dealing with a managed service provider. In these types of scenarios, the division of responsibility between the cloud service provider and you (the client) doesn’t change.
What happens is that you’re now relying on your managed service provider to fulfill your side of the model.
If you’re starting on a cloud project and looking for help, CDW (a Trend Micro partner) has set up a fantastic cloud team that can help.
I recently spoke to Jason Hart at CDW about the new team. He mentioned their “Planning Service,” which is a structured approach to cloud projects and migrations. They set up clients with a realistic plan designed to minimize risk and to make sure that the project is in line with their business goals.
Jason explains the approach as “a structured methodology that helps mitigate the risks of cloud projects and migrations.”
One of the first steps is to identify the cloud services that will be used and how the shared responsibility model applies to each of those services. This approach has been “a key part of our success in the emerging world of Cloud,” Jason explained.
The team at CDW is proof that this works in the real world. You can have a more secure deployment in the cloud if you truly understand and embrace how security works in the cloud.
How has the shared responsibility model affected your approach to security in the cloud?