Cloud security: is it a provider responsibility?

The adoption of cloud services may require safeguards you might not be fully aware of.

Question your beliefs: security is almost never solely the cloud provider's responsibility. Assuming otherwise can lead to huge risks, as in this case.

When organizations adopt cloud services to help make their business more efficient, they are also facing new environments that require safeguards they might not be fully aware of. 

The boundary between the security measures implemented by the Cloud Service Provider (CSP) and the client is often blurred, and this could lead to huge risks. Many organizations think that the CSP is responsible for the entire cloud environment and believe that, once service settings are configured, they can forget about maintenance. This is one of the most common reasons why companies have difficulties with ensuring security for their cloud-based data.

Thomas Bolliger

Director, Information Management & Compliance

KPMG Switzerland

How can we solve the cloud responsibility riddle?

Whether the client is just adopting a cloud solution or has years of deployments under its belt, it is worth taking the time to establish which aspects of security fall to the CSP and which are in the domain of the client organization.

The cloud provider is responsible for handling some of the security layers, but never all of them. The client must then define and implement the remaining layers to match its regulations, risk assessments and policies.

To clarify the delineation of responsibility for securing data in the cloud and to solve this responsibility riddle, the Shared Responsibility Model has been established. There are two main approaches for defining the Shared Responsibility Model in the cloud security context:

  • The first approach, which pertains to AWS, states that the cloud provider is responsible for the security of the cloud while the client is responsible for security in the cloud. The CSP is responsible for protecting the service infrastructure in the cloud, including software, hardware, networking, and facilities. To ensure security within the cloud, the client configures and manages the security controls for the guest operating system (including updates and security patches), the application software or utilities installed by the client, and the network security management tools provided by the cloud vendor. The client is also responsible for encrypting data in transit and at rest.
  • The second approach, regardless of the type of deployment, delegates the management of data, endpoints, accounts and access entirely to the client. Following Microsoft’s Shared Responsibility Model, responsibility is split depending on the service model: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). In IaaS, the provider is completely responsible for the physical layer and shares responsibility with the client for the security of the host infrastructure and network; all the rest is the client’s responsibility. In PaaS, the provider takes full responsibility for host infrastructure and network security, and shares responsibility with the client at the application and access control levels. In SaaS, the provider takes full responsibility for application controls while sharing responsibility with the client for access control as well as client/endpoint protection.

Understanding the borders of the Shared Responsibility Model is essential when moving to the cloud or, at the latest, once already in the cloud. The client should then analyze and comprehend the key points of the applicable Shared Responsibility Model in order to implement the appropriate safeguards and reduce the risk.
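The client-side duties listed under the AWS-style model (guest OS patching, the provider's network controls, encryption at rest and in transit) are concrete enough to be checked. The script below is an added example written for this article, not code from the article, KPMG or any cloud provider: it runs a self-check over a small constructed inventory and reports which client-side controls are missing. The inventory format, the field names, the patch window of 30 days and the set of ports allowed to face the Internet are all assumptions chosen for the example; in practice the inventory would be pulled from the provider's own APIs.

```python
from datetime import date

# Assumed organisational thresholds (not from the article).
PATCH_MAX_AGE_DAYS = 30            # guest OS must be patched within this window
PUBLIC_OK_PORTS = {80, 443}        # the only ports allowed to face the Internet
ANY_IPV4 = "0.0.0.0/0"
TODAY = date(2024, 6, 1)           # fixed date so the example is deterministic

# Constructed inventory for the example: two guest OS hosts, two storage
# buckets and two network security groups. The shape is invented here and
# does not mirror any provider's API.
INVENTORY = {
    "hosts": [
        {"id": "web-1", "last_patched": date(2024, 5, 20)},
        {"id": "db-1", "last_patched": date(2024, 1, 10)},
    ],
    "buckets": [
        {"name": "public-assets", "encryption_at_rest": True, "tls_only": True},
        {"name": "customer-data", "encryption_at_rest": False, "tls_only": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    ],
}


def check_hosts(hosts, today=TODAY):
    """Client duty: patching the guest OS. Flags hosts past the patch window."""
    findings = []
    for host in hosts:
        age = (today - host["last_patched"]).days
        if age > PATCH_MAX_AGE_DAYS:
            findings.append(("guest-os-patching", host["id"],
                             f"last patched {age} days ago (limit {PATCH_MAX_AGE_DAYS})"))
    return findings


def check_buckets(buckets):
    """Client duty: encrypting its own data at rest and in transit."""
    findings = []
    for bucket in buckets:
        if not bucket["encryption_at_rest"]:
            findings.append(("encryption-at-rest", bucket["name"],
                             "no default encryption configured"))
        if not bucket["tls_only"]:
            findings.append(("encryption-in-transit", bucket["name"],
                             "plaintext access is not denied"))
    return findings


def check_security_groups(groups):
    """Client duty: using the provider's network controls correctly.

    An ingress rule open to the whole Internet is only acceptable on the
    ports the organisation has explicitly approved for public exposure.
    """
    findings = []
    for group in groups:
        for rule in group["ingress"]:
            if rule["cidr"] == ANY_IPV4 and rule["port"] not in PUBLIC_OK_PORTS:
                findings.append(("network-exposure", group["id"],
                                 f"port {rule['port']} open to {ANY_IPV4}"))
    return findings


def audit(inventory, today=TODAY):
    """Run every client-side check and return the combined list of findings.

    Each finding is (control, resource, message); an empty list means the
    client half of the shared responsibility model is satisfied for this
    inventory.
    """
    return (check_hosts(inventory["hosts"], today)
            + check_buckets(inventory["buckets"])
            + check_security_groups(inventory["security_groups"]))


if __name__ == "__main__":
    for control, resource, message in audit(INVENTORY):
        print(f"[{control}] {resource}: {message}")
```

Run against the constructed inventory, the script reports four gaps, all on the client's side of the line: an unpatched database host, a data bucket with neither encryption at rest nor TLS enforcement, and a database port exposed to the Internet. None of these would be caught by the provider's own controls, which is exactly the point of the model.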

Solution found? Not yet

Unfortunately, the existence of the Shared Responsibility Model is not enough to fully mitigate the risks. The client’s commitment must be sustained and ongoing.

First of all, the client should take the necessary time to understand the boundary between the organization and the CSP, as well as the related responsibilities. This is not grasped immediately, and it may turn out to be demanding and onerous.

The costs of adopting a cloud solution are substantial. An effective cloud security model requires that the organization commits an adequate budget both to implementing the appropriate security measures and to training its staff.

Complex structures further complicate the shared responsibility because it is easier to blame the other party when something goes wrong. The duties should be clearly delineated, and collaborating is fundamental. If teams don't communicate in a cloud operations environment, the disconnect only worsens.

Sometimes the IT department speeds up the cloud implementation by neglecting cyber security safeguards, so that compliance, security and governance are sacrificed in the rush to launch cloud services. To counteract any such tendency, there should be a common control and decision-making process over the entire project and, again, continuous communication.

Our role is to support the client in minimizing the risks associated with the adoption of a cloud service. With our expertise we can support clients from the initial phase of a cloud service provider engagement through the entire maintenance of the solution.