Organizations of many different sizes and across many different industries are moving technology services to the Cloud at a rapid pace. The flexibility, cost efficiency and agility of cloud solutions is extremely appealing to organizations, particularly those who wish to avoid the large capital investments associated with traditional IT infrastructure. Organizations making these moves must fully understand the security risks associated with cloud computing and embrace the shared responsibility model that splits security responsibility between cloud service providers and the organization itself.
What is the Shared Responsibility Model?
The bottom line is that no organization can completely outsource responsibility for information security. Depending upon the type of cloud service procured, organizations can outsource security controls, but overall responsibility for information security rests within the organization. The unique nature of cloud computing places different obligations on cloud service providers and their customers, as each may take steps to either strengthen or weaken security controls. This environment, known as the shared security model, requires that everyone have a clear understanding of their responsibilities for safeguarding information and systems.
Understanding the shared responsibility model requires understanding the three different tiers of cloud computing. Many organizations use a hybrid mix of these services as they build their cloud computing strategies. The three tiers of cloud computing are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). In each of these environments, the split between vendor and customer security responsibility differs significantly.
SaaS Shared Responsibility
SaaS implementations occur when the vendor provides a fully functioning application to the customer as a service. The vendor is responsible for procuring, configuring, monitoring and maintaining all aspects of the computing environment, from the servers to the application. The customer provides the data and may perform some high-level configuration to customize the SaaS service for the organization's particular needs.
In this model, the vendor is responsible for most of the security controls because the customer has little control over the environment. The customer does retain control over what data moves into the SaaS service and may be able to configure some access controls, but must rely upon the vendor for most security requirements.
PaaS Shared Responsibility
In a PaaS approach, the vendor provides an application platform where the customer may run its own applications. For example, Amazon Web Services' Elastic Beanstalk and Google App Engine allow customers to develop software applications that run on the vendor's servers. The customer doesn't need to worry about the number of servers used or their configuration � the vendor handles all of that automatically as the application scales.
In a PaaS environment, the customer bears a greater burden for security, as it is the customer's responsibility to build and maintain secure applications. The vendor has no control over the code itself, as it was developed by the customer.
IaaS Shared Responsibility
IaaS vendors provide basic infrastructure components to their customers. The most common examples of this are compute services, such as Amazon's Elastic Compute Cloud (EC2) and Microsoft's Windows Azure, and storage services, such as Amazon's Simple Storage Service (S3) and Google Nearline Storage.
In this environment, the vendor is only responsible for the security of the underlying service. For example, when a customer purchases server instances through a computing-as-a-service offering, the vendor's responsibility is to ensure that the customer's server is appropriately isolated from other servers and that the underlying network and physical environment is secure. The customer is responsible for securely configuring the operating system, installing appropriate software and protecting data stored, processed and transmitted by the server.
Organizations that use or plan to use cloud services must understand how the shared responsibility model affects each service offering they use. This model allows customers to assess the security controls put in place by vendors and clearly understand their own responsibilities for security in a cloud computing environment.
Best Practices for Public Cloud Security
How can cloud computing customers better protect themselves from security threats when they operate under a shared responsibility model? There are a few best practices that improve the likelihood of a secure, successful cloud services implementation.
First, both the vendor and customer must clearly understand each other's security responsibilities and this understanding should be committed to writing. Most major cloud service providers already maintain this documentation and should be willing to share it with their customers. For example, customers may wish to review the Amazon Web Services Overview of Security Processes, the Microsoft Azure Security, Privacy and Compliance white paper, and the Google Security White Paper. Those documents are all good examples of the type of disclosures that cloud vendors should make to their customers.
Second, customers should maintain the contractual right to audit the security of their provider's infrastructure. For most customers, this does not mean the right to perform a direct audit. Vendors are reluctant to allow customers physical access to data centers because of the sheer number of customers they service and the security implications of such access. Instead, vendors typically engage independent auditors to perform assessments under the Service Organization Controls (SOC) standard as well as various other regulatory standards. Customers may review these reports to satisfy themselves that the vendor implements adequate security controls.
Finally, customers should pay particular attention to the credentials they use to access and modify their computing environment. If an attacker gains access to the vendor's service using your credentials, then all bets are off. Over the past couple of years, many cloud computing customers fell victim to attackers who gained access to their API keys and then used their account to ring up significant computing bills. Customers should safeguard any account-level credentials and rely upon multi-factor authentication to add an extra degree of security to their cloud computing accounts.
The cloud is an exciting place! Almost every organization is making some investment in cloud services and those investments seem likely to pay significant business dividends. As organizations move to the cloud, they must clearly understand how the services they adopt fit into the shared responsibility model and the actions that they must take to continue to protect their information in the cloud.