Shared Responsibility Model
Last updated
Last updated
Understanding the security and compliance structure in cloud environments can be challenging. In a cloud model, there is a shared responsibility for security:
Shared Responsibility Model: Security is divided between the cloud provider and the customer.
Customer's Responsibility (Security "in" the Cloud): Customers are responsible for securing what they put on the cloud, including data, applications, and operating systems. The level of responsibility varies depending on the cloud services used; more control over configuration requires more security management from the customer.
Provider's Responsibility (Security "of" the Cloud): The cloud provider is responsible for securing the underlying infrastructure, which includes the hardware, software, networking, and facilities that run the cloud services.
Think of it like building a house. The builder ensures the structure is sound and safe (the cloud provider's role), but what you put inside and how you arrange it (your data and applications) is up to you to secure and manage.
Provider Responsibilities:
Physical Facility: Managing the physical data centers, including the space, power, and physical security.
Infrastructure: Handling the hardware, networking, and storage.
Virtualization: Managing the virtualized resources and infrastructure components.
Cloud Management Plane: Overseeing the management and orchestration of cloud services.
Customer Responsibilities:
Identities and Subscription Access: Managing user identities, permissions, and access to their cloud resources.
Customer Responsibilities:
Virtual Machine (O.S.): Managing the operating system on virtual machines.
Services: Configuring and maintaining software and services running on VMs.
Workload: Managing applications, data, and service configurations.
Customer Responsibilities:
Workload: Managing applications, data, and service configurations deployed on the platform.
Customer Responsibilities:
Customizations: Handling data customizations, service configurations, and usage.
Identity and Access: Managing user identities and access within the application.
Good Practices & Compliance: Ensuring adherence to best practices and compliance within the application’s usage.
Cloud Service Provider (CSP) is Responsible For
Physical Security: Protecting the physical data centers and hardware.
Infrastructure Security: Securing the underlying hardware, networking, and storage.
Platform Security: Managing the security of the virtualized environment and cloud management plane.
Standards Compliance: Ensuring the cloud infrastructure meets relevant compliance standards and regulations.
Customer is Responsible For
Identity Security: Managing and securing user identities and access controls.
Data Security: Protecting data at rest and in transit, and ensuring data privacy.
Application Security: Implementing good security practices for applications and services.
Standards Compliance: Ensuring their use of the cloud services adheres to relevant compliance standards and regulations.
Cloud Service Provider (CSP) Responsibility
Infrastructure Resiliency: Ensuring the underlying infrastructure is designed to handle failures and maintain service continuity.
Uptime Service Level Agreement (SLAs): Providing guarantees regarding the availability and uptime of the cloud services.
Service Availability: Maintaining the availability of cloud services across the infrastructure.
Disaster Recovery: Implementing measures and processes for recovering services in the event of a disaster.
Customer Responsibility
Build Resilient Applications: Designing and developing applications that can handle failures and integrate with the CSP’s built-in availability and resiliency features.
Implement Data Backup and Replication: Ensuring data is regularly backed up and replicated to prevent loss and facilitate recovery.
Business Continuity Planning: Developing and maintaining plans to ensure business operations continue in the event of disruptions or failures.
Cloud Service Provider (CSP) Responsibility
SaaS Out-of-the-Box Workload Failures: Handling issues related to default configurations and failures in SaaS applications that are used as-is, without any customization.
Effective Software Lifecycle Management: Ensuring that lifecycle management practices are in place to maintain and update the SaaS application effectively.
Customer Responsibility
Workload Configuration: Customizing and configuring the applications, services, and data within the workload.
Application and Data Security: Securing the applications and data managed within the workload, including access controls and encryption.
Monitoring and Performance: Overseeing the performance and health of the applications and services, and implementing monitoring tools to track and manage workload efficiency.