aws shared responsibility model
Article Security September 26, 2019

Understanding the Shared Responsibility Model for Cloud Security

Shared Responsibility in the Cloud

 

Public cloud providers, like Amazon Web Services (AWS) and Microsoft Azure, have no choice but to take their security and compliance responsibilities very seriously. In the early days of cloud, there were initial concerns about the data security in multi-tenant architectures, as well as within infrastructures outside of the enterprise’s direct control. Since then, Amazon and Microsoft have done a good job of assuring users that their environments are as secure as on-premises data centers, if not more so. As a result, we are seeing an uptick in highly-regulated sectors, such as financial services and healthcare, deepening their cloud profiles. Perhaps the strongest endorsement for the security capabilities of today’s leading cloud providers is the CIA’s strategic decision to go all-in on the cloud, using a private AWS cloud deployment.

However, Amazon has notably drawn a line in the sand over how far they’ll go to monitor and regulate security and compliance on behalf of their end-users. AWS did this by developing a shared responsibility model, structured in such a way that puts the onus on customers to close the data security loop in their own environments. Essentially, your cloud provider is responsible for making sure your infrastructure built within its platform is inherently secure and reliable. On the flip-side, customizable cloud capabilities like application management, network configuration, and encryption are the responsibility of the end-user. This shared security model—illustrated in the chart below—has been adopted by other prominent cloud providers as well.

 

What is the Shared Responsibility Model?

Cloud provider vs. End-user

 

So what is Amazon’s shared responsibility model? Simply put, Amazon is responsible for the security of the cloud, while the customer is responsible for security in the cloud.

To provide a secure cloud, the cloud vendor manages and controls the host Operating System (OS), the virtualization layer, and the physical security of its facilities. To ensure security within a given cloud environment, the customer configures and manages the security controls for the guest OS and other apps (including updates and security patches), as well as for the security group firewall. The customer is also responsible for encrypting data in-transit and at-rest.

 

Shared Responsibility Model
 

According to a 2017 Gartner report, it is expected that over the next three years, at least 95% of cloud security failures will be the customer’s fault. Based on the European Union’s GDPR data privacy legislation that came into effect May 25, 2018, we can also say that regulators place the onus of securing personal data squarely on the shoulders of the data owner, i.e. the entity that collects the data. It is the data owners who are liable for data security breaches. It is also their responsibility to ensure that the cloud providers they invest in support suitable security and compliance guardrails.

 

How to protect your cloud environment from security threats

 

Next-generation automated cloud monitoring and security management tools like CloudCheckr are essential for providing effective protection as a company grows its cloud usage. Scaling often increases complexity and dilutes visibility into your cloud environments. A single cloud governance platform, like CloudCheckr, offers a single-pane-of-glass to manage all data, analytics, and users in one place. Our cloud management platform (CMP) delivers self-healing automation capabilities that can detect and remedy security misconfigurations, leveraging “Fix Now” and “Always Fix” buttons to correct issues as they’re detected—without human intervention. For example, if a user makes an S3 bucket public, automated Best Practice Checks will detect any permissions issues, correct them, and the administrator will be alerted of the correction. Alerts can be enabled to notify appropriate personnel of any specific configuration change via email.

Cloud providers are constantly investing in innovative solutions to strengthen their security profiles. In order to hold up their end of the shared responsibility model, their customers must do the same. Learn more in this webinar or by downloading our Shared Responsibility white paper.

 

Watch the WebinarGet the White Paper

Todd Bernhard
Todd Bernhard is a Product Marketing Director at CloudCheckr. He has earned his AWS Solutions Architect Associate, AWS Certified Cloud Practitioner, Microsoft Azure Fundamentals, and Google Cloud G-Suite certifications. He has been administering, teaching and developing on Unix systems since 1984 including 16 years at Sun Microsystems, now part of Oracle. In 2010, Todd founded the award-winning app development firm NoTie.com. This photo is the last known image of him wearing a tie!
Subscribe to our Blog
Sign up now to get more great content.

Related Resources

TRY CLOUDCHECKR FREE FOR 14 DAYS!
Learn how CloudCheckr can help you optimize and automate your cloud.
WANT TO SEE CLOUDCHECKR IN ACTION?
 
 

Are You Subscribed to the Check List?

 
 
 

The CloudCheckr Newsletter

Our Best Articles and Insights Direct to Your Inbox

 

SUBSCRIBE

 

Get What You Need to Succeed—Download our White Papers

 
 
 

NEW
WHITE
PAPER

Your Role in the Shared Responsibility Model
A Guide to Understanding and Taking Control

 

DOWNLOAD

 

Free Webinars Await—See What's Next

 
 
 

NEXT
WEBINAR

Defend Your Clouds

Make Your IT Team Your Strongest Security Asset

 

LEARN MORE