Migrating IT assets to the cloud produces a wealth of clear-cut business benefits — that’s why 96 percent of companies use the cloud for at least some of their operations, according to RightScale’s 2018 State of the Cloud Survey. Nonetheless, there remains a surprising lack of understanding about the cloud’s basic security framework.
Cloud providers operate on a shared responsibility model. In essence, this means that providers and their customers are responsible for both different aspects of security. Most providers state explicitly in their terms and conditions that they are responsible for managing the security of the cloud infrastructure and for maintaining uptime, and that customers are responsible for protecting their data and applications.
Somehow, that message is missing the mark. A variety of studies indicate that companies aren’t protecting data in the cloud with anywhere near the care they use with on-premises data. This is due to widespread misconception that service providers assume full responsibility for securing customer data.
A recent Spiceworks poll of IT decision-makers illustrates the confusion. Although 81 percent describe data stored in their cloud-based apps as “very to extremely important,” 52 percent said they don’t currently back up that data and have no plans to do so in the future. Why? Because 79 percent believe their application data is being backed up by their cloud provider.
According to the Cloud Standards Customer Council (CSCC), an advocacy group for cloud users, each cloud service model — Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) — comes with its own shared responsibility model. Users’ responsibilities generally increase as they move from SaaS to PaaS to IaaS.
In the SaaS model, providers assume responsibility for cloud infrastructure components such as virtual machines, disks and networks, as well as the physical security of the data centers that house their infrastructure. Most important, they provide and fully manage the actual applications. Customers are responsible for data security, endpoint protection and some of the access management.
Customers have more responsibility in the PaaS model. Providers are responsible for the physical infrastructure and software components such as application servers and database servers. In addition to their responsibilities under the SaaS model, PaaS customers are responsible for developing, managing and operating their own applications.
IaaS involves the highest level of customer responsibility. The cloud provider manages and secures the physical infrastructure, while IaaS users are generally responsible for the security of the operating system and software stack required to run their applications, as well as their data.
Because responsibilities shift depending on the cloud service model and provider, there is no standard shared responsibility model — you have to check each provider’s terms and conditions to sort out the details. That likely contributes to widespread misconceptions. Organizations are increasingly adopting multi-cloud strategies to address different workloads, meaning they must evaluate a variety of service agreements.
Organizations using multiple clouds alongside their on-premises infrastructure must take great care to understand their shared responsibilities. Failure to do so can lead to a wide range of risks. At one end of the spectrum, you could assume the provider is taking care of everything and wind up leaving critical data unsecured. At the other end, you could try to manage everything in-house, wasting time, money and other resources duplicating processes that are already being handled by cloud providers. Either way, you won’t be using the cloud to your best advantage.