With traditional, on-premise infrastructure, an organization is responsible for its security from end to end. From the physical data center, to the network, to its applications and data, an organization must manage all layers of its security. In contrast, in the public cloud security is a shared responsibility between the customer and the cloud service provider (CSP). That means there are fewer security controls for the customer to worry about, because the CSP shares the load.
The Shared Responsibility Model illustrates the breakdown of these responsibilities. As AWS puts it, the CSP is responsible for security 'of' the cloud, while the customer is responsible for security 'in' the cloud.
The model looks like this:
Here’s a quick rundown of who owns what responsibilities:
Security 'of' the Cloud: CSP Responsibilities
- Physical premises security: The CSP is responsible for the security of its physical points of presence, including its data centers and other locations such as edge locations in the provider’s content delivery network. The CSP is responsible for perimeter security, including locks and doors, video surveillance and guards, and strict access control on facilities such as key cards or access codes.
In addition, the CSP makes sure that all supporting systems are secure and fault-tolerant. This includes maintaining a reliable power supply, HVAC systems, and natural disaster protection. It is also responsible for failover to another physical location in case of disaster.
- Hosted infrastructure: The CSP ensures that its compute, storage, and internal networking infrastructure is protected. It makes sure customers are isolated from neighboring customers in a multi-tenant architecture. CSPs also undergo various compliance audits, ensuring that the services they deliver to customers meet those compliance requirements. In addition, they maintain infrastructure in multiple geographic locations to accommodate regulations that require data to be hosted in a specific area.
In summary, the CSP’s security responsibility extends up through the hypervisor level, after which the customer assumes responsibility for everything else.
Security 'in' the Cloud: Cloud Customer Responsibilities
- Operating System: The customer owns responsibility for the security of the operating systems (OS) they install on their instances. They manage OS updates and security patches, as well as the security configuration of the OS.
- Network: The customer is responsible for the security of the virtualized networks they deploy for communications between their resources and the outside world, including all network supporting services such as firewalls, ACLs, gateways, DNS servers, and DDoS protection.
- Application: The customer is responsible for protecting its applications from attacks such as SQL injection, cross-site scripting, and brute-force attempts.
- Identity and access management (IAM): Cloud customers are responsible for configuring and managing their identity and access controls for services, virtual networks, and virtual machines. Organizations should assign role-based access controls and require MFA for access keys.
- Data protection: It is the customer’s responsibility to secure the data they put in the cloud, using encryption and IAM policies, both at rest (stored in the cloud) and in transit. Organizations must protect against data exposure to both the outside world, as well as internal teams. A least-privilege access policy should be implemented across all teams, and user behavior should be monitored for anomalous activity using machine learning models. Customers can use a combination of IAM policies and audit logs to review events that have happened across the environment.
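To make the customer-side controls above concrete for AWS, here is an added example (not part of the original article or Cloudticity's own tooling) of two policy documents that enforce encryption in transit, encryption at rest, and MFA, plus a small audit function a practitioner could run over exported policies to confirm those controls are present. The bucket name is a placeholder and the policies are constructed for this example.

```python
import json

# Constructed example policies (assumptions for this example, not from the article).
BUCKET = "example-customer-bucket"  # placeholder bucket name

# Bucket policy enforcing two customer-side data-protection controls:
# encryption in transit (deny plain-HTTP requests) and encryption at rest
# (deny PutObject requests that do not ask for server-side encryption).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

# IAM policy denying every action unless the caller authenticated with MFA.
# BoolIfExists (not Bool) is used so that requests made with long-term access
# keys, where the MFA key is absent from the request context, are also denied.
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*",
                  "Resource": "*",
                  "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
}

def _deny_with_condition(policy, ops, key, value):
    """True if some Deny statement carries a condition <op>: {key: value}."""
    stmts = policy["Statement"]
    stmts = stmts if isinstance(stmts, list) else [stmts]  # single statement allowed
    for st in stmts:
        if st.get("Effect") != "Deny":
            continue
        for op, kv in st.get("Condition", {}).items():
            if op in ops and str(kv.get(key, "")).lower() == value:
                return True
    return False

def audit_policy(policy):
    """Audit a policy document (dict or JSON text) for the three controls."""
    p = json.loads(policy) if isinstance(policy, str) else policy
    return {
        "tls_required": _deny_with_condition(p, {"Bool"}, "aws:SecureTransport", "false"),
        "sse_required": _deny_with_condition(p, {"Null"}, "s3:x-amz-server-side-encryption", "true"),
        # A Bool-only MFA deny leaves a gap for access-key requests, so only BoolIfExists counts.
        "mfa_required": _deny_with_condition(p, {"BoolIfExists"}, "aws:MultiFactorAuthPresent", "false"),
    }
```

Running `audit_policy` over each policy exported from an account gives a quick inventory of which buckets and principals actually carry these controls, rather than assuming they are in place.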
Most experts today agree that the cloud is more secure than on-premise infrastructure. CSPs have invested heavily in security and have extensive experience monitoring the behavior of millions of active customer accounts, plus they have a lot at stake.
Sharing Responsibility with an MSP or MSSP
When you partner with a managed services provider (MSP) or managed security services provider (MSSP), the Shared Responsibility Model changes, since the responsibility is now divided between three stakeholders instead of two.
Here’s what the Shared Responsibility Model looks like when you partner with an MSP like Cloudticity:
(Note: the gradient represents shared controls between Cloudticity and the customer)
- Operating system: Cloudticity is responsible for the security of the OS, managing OS updates and security patches, and OS hardening.
- Network configuration: Cloudticity is responsible for the security of the virtual networks deployed on behalf of customers, for communication between resources and the outside world, and for all network supporting services such as WAFs, ACLs, gateways, DNS servers, and DDoS protection.
- Networking traffic protection (encryption, integrity, identity): Cloudticity is responsible for ensuring networking traffic protection, including identifying and investigating anomalous behavior from within the organization and the outside world.
- Server-side encryption: Cloudticity encrypts all data at rest for our clients.
Since partnering with an MSSP allows companies to delegate even more security responsibilities, many organizations are choosing to leverage CSP capabilities via an MSSP in order to reduce the security burden on the organization and free up IT bandwidth that can be invested in activities that move the needle on product or business initiatives.
But not all MSSPs are created equal. If you want to learn how to evaluate MSSPs for your healthcare business, check out this tip sheet. Or schedule a free consultation to learn how Cloudticity might be able to help you increase security and reduce risk in the public cloud.