Traditionally, organizations are responsible for their data security from end to end. They have to manage the physical data center (locks, keycards, cameras) as well as their network security, application security, and data security. Managing that many layers is complex, and the more pieces there are to manage, the more places there are to make a mistake that an attacker can exploit.
When you use a Cloud Service Provider (CSP), like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud, a good part of that work moves off your plate, because the CSP takes care of many components you would traditionally have to manage yourself. That means fewer security tasks for your team, though not zero. The Shared Responsibility Model illustrates how these responsibilities are divided. As AWS puts it, the CSP is responsible for security 'of' the cloud, while the customer is responsible for security 'in' the cloud.
Here's a quick rundown of who owns what when security responsibility is shared with a CSP:
Security 'of' the Cloud: CSP Responsibilities
- Physical premises security: The CSP is responsible for the security of its physical facilities, including its data centers and other points of presence such as the edge locations of its content delivery network. That covers perimeter security (locks and doors, video surveillance, guards) and strict access control on the facilities themselves, such as key cards or access codes.
In addition, the CSP makes sure that all supporting systems are secure and fault-tolerant. This includes maintaining a reliable power supply, HVAC systems, and natural disaster protection. It is also responsible for failover to another physical location in case of disaster.
- Hosted infrastructure: The CSP protects the compute, storage, and internal networking infrastructure and enforces isolation between customers in its multi-tenant architecture. CSPs also undergo third-party compliance audits that attest to the controls on their side of the line; the customer's own configuration and use of those services still has to be made compliant. In addition, they operate infrastructure in multiple geographic regions so customers can satisfy regulations that require data to be hosted in a specific area.
In summary, for infrastructure services such as virtual machines, the CSP's security responsibility extends up through the hypervisor, and the customer assumes responsibility for everything above it. For managed services (databases, serverless functions, object storage) the provider takes on more of the stack, but the customer always keeps ownership of its identities, access policies, and data.
Security 'in' the Cloud: Cloud Customer Responsibilities
- Operating System: The customer owns the security of the operating systems (OS) it installs on its instances: applying OS updates and security patches, and hardening the OS configuration.
- Network: The customer is responsible for the security of the virtual networks it deploys for communication between its resources and the outside world, including all supporting network controls such as firewalls and security groups, network ACLs, gateways, DNS, and DDoS protection.
- Application: The customer is responsible for protecting its applications from attacks such as SQL injection, cross-site scripting, and brute-force credential attacks.
- Identity and access management (IAM): Cloud customers configure and manage identity and access controls for services, virtual networks, and virtual machines. Organizations should grant permissions by role, require MFA for every human sign-in (above all the root or global administrator account), and keep long-lived access keys to a minimum in favor of short-lived credentials, rotating any that remain.
- Data protection: It is the customer's responsibility to secure the data it puts in the cloud, both at rest (stored in the cloud) and in transit, using encryption and IAM policies. Organizations must protect against exposure to the outside world as well as to internal teams that have no need for the data. A least-privilege access policy should apply across all teams, and user activity should be monitored for anomalies. Customers can combine IAM policies with audit logs (AWS CloudTrail, for example) to review what has happened across the environment.
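The network, IAM, and data-protection items above are the ones an engineer can actually verify. Here is an added example written for this post (not Cloudticity's or AWS's code) that runs three offline checks over constructed, AWS-shaped documents: a security-group description with an admin port open to the whole internet, an IAM policy document with Allow statements that are not least-privilege, and CloudTrail sign-in records without MFA or by the root identity. The sample data, the ADMIN_PORTS table, and the function names are assumptions made for the example; the field names are the ones AWS uses in its JSON output.

```python
"""Added example: offline checks for three customer-side items (network, IAM,
audit logs). Inputs are constructed samples in the JSON shapes AWS uses; nothing
here calls AWS."""

# Ports that should never be reachable from the whole internet (assumed list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

# Constructed: one group in the shape `aws ec2 describe-security-groups` returns.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # public HTTPS: expected
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # SSH to the world: finding
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},    # DB from the VPC only: fine
    ],
}

# Constructed IAM policy document.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},          # scoped: fine
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},  # service-wide: finding
        {"Effect": "Allow", "Action": "*", "Resource": "*"},     # full admin: finding
        {"Effect": "Deny", "Action": "*", "Resource": "*",       # MFA guard: fine
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Constructed CloudTrail records, using the field names CloudTrail emits.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T08:02:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T08:05:40Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T23:14:02Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},  # the root identity carries no userName
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},  # not a sign-in: ignored
]


def world_open_admin_ports(group):
    """(port, service) pairs reachable from 0.0.0.0/0 or ::/0 on an admin/database port."""
    hits = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        # IpProtocol "-1" (all traffic) carries no port fields: treat it as every port.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        hits += [(p, s) for p, s in ADMIN_PORTS.items() if lo <= p <= hi]
    return hits


def _as_list(value):
    return value if isinstance(value, list) else [value]


def non_least_privilege_statements(policy):
    """Indexes of Allow statements with a bare or service-wide Action wildcard or
    Resource "*" (flagged for review; a few AWS actions genuinely need it)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            findings.append(i)
    return findings


def risky_console_logins(events):
    """Successful console sign-ins without MFA or by root: (eventTime, principal, reason)."""
    out = []
    for ev in events:
        if (ev.get("eventName") != "ConsoleLogin"
                or ev.get("responseElements", {}).get("ConsoleLogin") != "Success"):
            continue
        ident = ev.get("userIdentity", {})
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root sign-in")
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            reasons.append("no MFA")
        if reasons:
            out.append((ev["eventTime"], ident.get("userName") or ident.get("type"), ", ".join(reasons)))
    return out


if __name__ == "__main__":
    print("open admin ports:", world_open_admin_ports(SAMPLE_SECURITY_GROUP))
    print("broad statements:", non_least_privilege_statements(SAMPLE_POLICY))
    print("risky sign-ins:", risky_console_logins(SAMPLE_EVENTS))
```

Point the same three functions at the real output of `aws ec2 describe-security-groups`, `aws iam get-policy-version`, and your CloudTrail log files and you have the start of a customer-side review. None of these findings is something the provider fixes for you: an open port, an over-broad policy, or a root sign-in without MFA sits entirely above the line.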
The layers the CSP owns are generally better defended than a typical on-premises data center: CSPs have invested heavily in security, have extensive experience monitoring the behavior of millions of active customer accounts, and have a lot at stake. That says nothing about the layers above the line, though. An open storage bucket, a leaked access key, or an over-permissive role is a customer-side failure, and the CSP will not catch it for you.
Sharing Responsibility with an MSP
When you partner with a cloud managed services provider (MSP) or managed security services provider (MSSP), the Shared Responsibility Model changes, since responsibility is now divided among three parties instead of two.
Here’s what the Shared Responsibility Model looks like when you partner with an MSP like Cloudticity:
(Note: the gradient represents shared controls between Cloudticity and the customer)
MSP Responsibilities
- Operating system: Cloudticity is responsible for the security of the OS, managing OS updates and security patches, and OS hardening.
- Network configuration: Cloudticity is responsible for the security of the virtual networks deployed on behalf of customers, for communication between resources and the outside world, and for all network supporting services such as WAFs, ACLs, gateways, DNS servers, and DDoS protection.
- Networking traffic protection (encryption, integrity, identity): Cloudticity is responsible for ensuring networking traffic protection, including identifying and investigating anomalous behavior from within the organization and the outside world.
- Server-side encryption: Cloudticity encrypts all data at rest for our clients.
Because partnering with an MSP lets companies delegate even more security responsibilities, many organizations choose to consume CSP capabilities through an MSP to reduce the security burden on their own teams. That frees up IT bandwidth from "keeping the lights on" activities for work that moves the needle on product or business initiatives. Keep in mind that delegation shifts the operational work, not the accountability: the customer still answers to its regulators and its own customers for how its data is handled, so the division of duties with the MSP should be written down and verified rather than assumed.
But not all MSPs are created equal. In fact, some are better suited to manage sensitive healthcare data than others.
If you want to learn how to evaluate MSPs for your healthcare business, check out this tip sheet. Or schedule a free consultation to learn how Cloudticity might be able to help you increase security and reduce risk in the public cloud.