There’s a common misconception that as soon as a business signs up for a solution from a cloud service provider (CSP), that the CSP will automatically ensure all their dealings in that cloud environment are safe and secure. As dedicated as Cloud Service Providers are to cybersecurity, that’s simply not possible.
Your cloud provider has no control over the customer data you share, the aptitude of your employees, or how you optimize your own on-premises security and firewalls. So how do cloud vendors set security expectations with their users? By using a security model based on shared security, where the CSP and the subscriber both commit to their own roles in ensuring effective security management.
Table of Contents
- What is a Shared Responsibility Model?
- A Familiar Example: The AWS Shared Responsibility Model
- CSP Responsibilities
- End-User Responsibilities
- SaaS Shared Responsibility
- Integrate.io’s Shared Responsibility Model
- Making ETL Work for You and Your Business
What is a Shared Responsibility Model?
According to documentation for Microsoft Azure, shared responsibility for security is a division of responsibility between you and your CSP. When your data is dealt with on-premises, you own all the responsibility for any security, including physical security. That might include security passes to ensure only authorized employees have access to certain rooms like server centers, or it might mean a CCTV system.
When you use one or more cloud vendors to help you manage or integrate your data, you know you need more security than you’re likely to find on public cloud services. Cloud-based platforms as a service (PaaS) tend to have the highest standards of cybersecurity, but they can’t and they shouldn’t control everything you do. The same goes for SaaS providers.
A Familiar Example: The AWS Shared Responsibility Model
We’ve already mentioned Azure, but of course, it’s not just Microsoft that offers SaaS, Paas, and other cloud-based solutions. Another notable and successful example of the shared responsibility security model is the one laid out by Amazon Web Services (AWS). AWS cloud services include cloud compute solutions like AWS EC2, classed as an Infrastructure as a Service, or IaaS. Other services are more abstract, like AWS S3 which focuses on storage, availability, and data delivery to a dedicated endpoint.
The responsibilities of your cloud provider will depend on the service or solutions they’re offering. In general terms, you can think of your responsibility as being how securely you work in the cloud, and your cloud provider is responsible for the security of the cloud environment itself.
In the AWS model, Amazon takes responsibility for the security of:
- AWS Software
- AWS Hardware
- The AWS Global Cloud Infrastructure
The software includes cloud computing solutions, storage solutions, networking services, and storage options. AWS is responsible for making sure all those pieces of software run to certain security standards.
The infrastructure includes regions, availability zones, and Edge locations.
You or your business take responsibility, broadly, for how you manage your data, what you do with it, and how you configure any software you’re using. The AWS shared responsibility model defines this as:
- Customer data
- User’s choice of platforms, apps, plus identity and access management – more on that below
- User’s choice of operating system, network, plus any firewall configuration
Common cloud security failures include problems caused by cloud security misconfigurations. You or your devops need to ensure you’ve set the right security configuration to avoid unintended access. Although your AWS firewalls, or security groups, might be provided by Amazon, it’s up to you to configure them correctly for each instance.
On a similar note, identity and access management have to be the responsibility of the user. A CSP cannot know who has access to your data or data centers. Ensuring only authorized employees have access to relevant data can prevent data breaches that could damage your company brand or your customer. In 2018, the Ponemon Institute reported that employee (permanent and contract) negligence caused 64% of breaches within companies. Some of these included employees being able to download and store data on their own, personal devices – hardly reassuring news for customers or clients.
Users are also responsible for managing their own data with appropriate encryption, managing and classifying assets as appropriate, and making use of IAM tools to regulate permissions. The list isn’t exhaustive, as for each service, there will be slightly different things the user needs to take responsibility for.
SaaS Shared Responsibility
Of course, the AWS model largely focuses on shared responsibility within an IaaS. How do these responsibilities change for SaaS vendors and customers?
CSPs have to be responsible for the security of the cloud environment they’re providing. That’s no different for SaaS vendors. SaaS users take responsibility for security in the cloud, including the security of their own data, the platforms they choose to use, their own networks, and any additional applications used within their own infrastructure.
While large cloud infrastructure providers like AWS provide the blueprint for a shared responsibility model, each SaaS will tailor this to its own users. Key points might include highlighting to users that their configurations need to be correct, or specifics around IAM. SaaS customers and SaaS vendors that understand their responsibilities are empowered to use the cloud to its maximum potential, plus confidence in these responsibilities builds trust between vendor and client.
Integrate.io’s Shared Responsibility Model
We love the shared responsibility model as it takes some of the pressure off you without micromanaging your business data. You get plenty of control over the crucial aspects of your data management, such as:
- Setting your own unique and strong passwords
- Setting up additional security for your own apps and platforms such as 2FA
- Dealing with your own Identity and Access Management protocols
- Managing your apps
- Checking your package versions, compatibility, and updates
- Encrypting your own data and ensuring its integrity
We’re here to help you integrate and make the most of your business data, but we’re not here to tell you who can access it, what sort of security groups to set, or tell you how to run your business. We make sure all our cloud-based services are functioning as securely as possible, and are happy to provide guidance when it comes to helping you out with what your responsibilities are in terms of data pipeline creation and pooling or warehousing your business data.
Our responsibilities include ensuring that the services we provide work within a safe and secure network, including managing our own operating system and network configuration, plus making sure that Integrate.io’s global data centers have the highest standards of security. You manage how you use Integrate.io, while we take responsibility for the security of Integrate.io.
Making ETL Work for You and Your Business
Knowing you can share your cybersecurity responsibilities with an experienced cloud service provider provides peace of mind. This is why we encourage businesses to switch to cloud-based ETL, using easy to create pipelines to merge all your relevant data into one, convenient endpoint. Find out more by scheduling a conversation and trying the Integrate.io solution for yourself for 14 days.