Providing security of corporate data, systems and applications in the public cloud is a collaborative effort. It requires commitment, both on the service provider’s and the customer’s sides. Who is responsible for what in this duo? This is defined by the shared responsibility model.
Corporate data in the cloud can be a tasty morsel for cybercriminals. A single data leak can cost a company more than just reputational damage. This disruption to large enterprises causes cracks running into hundreds of millions or even billions of dollars.
The best-secured cloud environment cannot 100% guarantee corporate data security if the entrepreneur does not do so; a house will not be secured even by the best burglar-proof doors and windows if the owner himself leaves them ajar.
By 2025, up to 99% of all cloud security incidents will be due to user-side errors, Gartner analysts predict. Fortunately, such incidents can be effectively prevented.
A business using public cloud services needs to have a good understanding of the role it has to play in the security of its data stored in the cloud. The shared responsibility model helps with this.
What is the shared responsibility model?
Each public cloud provider has its shared responsibility model (SRM for short). It designates the spheres of activity for which the service provider is directly responsible. It also indicates the responsibilities of the customer using the service.
In a nutshell: the cloud service provider is responsible for the security of the cloud itself and the solutions they offer. The user is responsible for the safety of their data and applications in the cloud. They can progressively improve it by following best practices.
It is worth mentioning that the limit of this liability is not fixed. It depends, i.a., on the type of service chosen by the cloud user.
Remember that while migration to the cloud gradually shifts the responsibility from the company to the provider, the business never fully gets rid of it. The following diagram will help you understand the division of responsibilities.
Let’s trace the lines between the cloud provider and business responsibilities for each type of cloud solution (IaaS, PaaS and SaaS). We omit the on-premise model, when the company does not use any cloud solutions; it bears full responsibility for ensuring the security and monitoring of its infrastructure and stored applications and data.
Shared responsibility in SaaS applications
In a cloud service based on the SaaS (software as a service) model, the customer is solely responsible for the content, making it available to other users and using the application following best practices.
An example of a SaaS-provided application could be the online document editor, Google Docs. Responsibility for the correct operation of all tools and the availability of the application itself falls on the cloud provider, in this case, Google.
Shared responsibility model in PaaS services
A cloud service based on the PaaS (platform as a service) model imposes additional responsibilities on the user. According to the scheme for Google Cloud services, it adds, for example, responsibility for the implementation and security of the app.
App Engine can be used as an example of a service available on Google Cloud offered in a PaaS model. GAE is a development and hosting environment for running custom applications in Google’s public cloud. Clearly, it is up to the app developer to secure the product in such a way as to protect it from cyber-attacks effectively.
Shared responsibility in the case of IaaS
The cloud solution that requires the most customer attention is the IaaS (Infrastructure as a Service), where the user takes care of the operating system and its operation, logging, data, access authorisation, or network configuration and maintenance.
At Google Cloud, Compute Engine is an example of a service offered in an IaaS model. It is a solution for creating and running virtual machines on the provider’s infrastructure.
- High availability – explanation and best practices
- Disaster Recovery Plan – how to keep applications available when a failure strikes
- What is serverless, and how does it work?
What is the cloud provider’s responsibility, and what is the user’s?
In each of the above scenarios, the user is always responsible for the security of the data they store in the cloud environment. It is up to them to develop an effective mechanism for securing data, including controlling access, based on the solutions provided by the cloud provider.
When using services with a higher degree of responsibility on the client side (PaaS and IaaS), the business must also take care of the proper configuration of the used cloud solutions. This includes, i.a., controlling access authorisation for employees.
In any case, the responsibility for the viability and security of the hardware lies with the cloud provider. You can find out more about Google’s multi-level data centre protection in the clip below.
How to keep company data secure in the cloud?
It is necessary to configure the cloud environment correctly. The cloud is perfectly secure on the provider side; the provider passes on best practices to users but cannot interfere with architecture and security on the client side.
Even if you are already using google cloud, it is worth following the ten steps to ensure that your environment is set up correctly.