Understanding the Shared Security Model for Cloud-Centric Data Protection

Jeremy Wittkop, CTO


With uncertain times ahead, many organizations are continuing to enable remote work for a large percentage of their workforce. In this operating mode, the flexibility, redundancy, and accessibility of cloud environments is appealing to many businesses. To maximize that value, many organizations are undergoing significant digital transformation at an accelerated pace.

Enterprise leaders often cite security as a concern when moving to a cloud-first posture. However, moving workloads into the cloud is not inherently less secure; it simply changes the methods required to secure communications and information.

For many organizations, moving to the cloud may actually improve their security posture if they:

  1. Understand the shared security model
  2. Focus data protection on the portions of the model that they are responsible for

Why is understanding the shared security model important?

When you ran a traditional, on-premises data center, your company was solely responsible for every aspect of data security. You provided both physical and logical perimeter protections, including building security, network firewalls, application security, and server protection.

When your organization moves applications, infrastructure, and databases to the cloud, your leaders may expect that the cloud services provider (CSP) assumes responsibility for data security. That is only partially true.

CSPs have created highly secure environments for the infrastructure and products they provide, and they take that security responsibility seriously. However, they are responsible only for the systems and products they provide; you are still responsible for protecting the sensitive information that matters to your company and customers.

The overlap is called the shared security model.

Understanding the shared security model responsibilities

To understand the model, organizations need to understand four areas of responsibility:

  • Universal responsibilities
  • Software as a Service (SaaS) responsibilities
  • Platform as a Service (PaaS) responsibilities
  • Infrastructure as a Service (IaaS) responsibilities

Note that these responsibilities are cumulative. When addressing data protection at any level, you must be cognizant that each level includes the data protection responsibilities of the layers beneath it.

Shared Security Model Definitions

When you establish a partnership with a CSP, it’s important to define data security requirements and establish a clear understanding of your shared responsibilities.

As an Information Security professional, you’ve likely heard these terms before. Here is how we’ll use them in our current context.

  • Universal Responsibilities refer to security responsibilities that are inalienable for organizations. Regardless of how an application or workload is delivered, these responsibilities can never be wholly transferred to the CSP. These responsibilities form the foundation of any security program because the organization is always responsible for them.
  • Software as a Service (SaaS) refers to cloud applications that are delivered as a package. Common examples are Microsoft Office 365, Box, Dropbox, or Salesforce. Since SaaS applications are delivered as complete solutions, organizations have few responsibilities beyond their universal responsibilities.
  • Platform as a Service (PaaS) refers to a complete development and deployment environment in the cloud. The infrastructure and the platform for building applications are provided, but the applications themselves are developed by the customer. Examples include the Force.com platform on which Salesforce is built, AWS Elastic Beanstalk, and Google App Engine.
  • Infrastructure as a Service (IaaS) refers to infrastructure, usually in the form of virtual machines, hosted in the cloud for use either in a reserved instance or through elastic, on-demand compute resources. The three most popular IaaS platforms are Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Universal Data Protection Responsibilities

Regardless of how an application is delivered or where it is hosted, your organization is responsible for core elements of data protection and data privacy compliance. Since these responsibilities are universal, they should form the basis of a comprehensive data protection program.

Your organization is universally responsible for data protection, data classification and accountability, and identity and access management. In all scenarios, you are responsible for your data and for the sensitive and personally identifiable information (PII) of your customers. You are responsible for determining who may access your data and workloads. This responsibility is inalienable because the data is essential for the operations of your business. It is impossible for a CSP to know which data should flow where and who should and should not have access to it.

Most organizations encounter challenges when they begin to move business operations to the cloud because their security program has been built around network and perimeter technologies. These solutions do not translate well to the cloud. When your operations are no longer inside your defined perimeter, managing your universal data protection responsibilities can become significantly more complex.

Software as a Service (SaaS) Responsibilities

When your users are working with SaaS applications, the software provider handles the application security. However, you are responsible for device-level control. It is your responsibility to ensure the devices accessing your SaaS applications are secure and that access is appropriate for each user.

Cloud Access Security Broker (CASB) technologies allow organizations to fulfill their universal responsibilities and SaaS-specific responsibilities for a variety of popular SaaS applications.

For example, you may decide that only corporate devices with updated antivirus software can access document repositories in the cloud. Or you may implement a rule that allows documents to be downloaded only by devices with data loss prevention (DLP) controls deployed; all other devices should be set to read only. Your CASB solution helps you establish and manage these rules.

Platform as a Service (PaaS) Responsibilities

PaaS offerings provide additional flexibility beyond SaaS applications, allowing you to create, host, and manage proprietary software applications for your business. PaaS also adds another layer of security that is necessary for you to address. Since the applications themselves are created by your developers, those developers are responsible for the application-level controls. Capabilities like role-based access control (RBAC) should be built into the application.

Most PaaS offerings include the tools necessary to provide application-level security. However, it’s up to your teams to ensure security is ingrained in the application development process.
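As an added example of the application-level control the customer owns under PaaS (this is not code from the original article or from any PaaS vendor), the following Python sketch enforces deny-by-default role-based access control inside a customer-built application. The role names, permission strings, handlers and sample users are all constructed for illustration; a role that is not in the mapping grants nothing, so a mistyped or stale role fails closed rather than open.

```python
"""Deny-by-default RBAC inside a customer-built application.

Added example, not the article's or any vendor's code. Roles, permissions,
handlers and the sample identities below are constructed for illustration.
"""
from functools import wraps

# Role -> set of permissions. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}


class AccessDenied(PermissionError):
    """Raised when a caller lacks the permission a handler requires."""


def permissions_for(roles):
    """Union of permissions granted by the given roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def has_permission(user, permission):
    """True only if one of the user's roles explicitly grants the permission."""
    return permission in permissions_for(user.get("roles", ()))


def require(permission):
    """Decorator: the handler never runs unless the caller holds `permission`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user, permission):
                raise AccessDenied(f"{user.get('name')} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require("report:export")
def export_report(user, report_id):
    return f"exported {report_id} for {user['name']}"


@require("user:manage")
def disable_user(user, target):
    return f"{target} disabled by {user['name']}"


def attempt(handler, user, *args):
    """Run a handler and return (allowed, result_or_reason) for an audit trail."""
    try:
        return True, handler(user, *args)
    except AccessDenied as exc:
        return False, str(exc)


# Constructed sample identities.
ALICE = {"name": "alice", "roles": ["analyst"]}
BOB = {"name": "bob", "roles": ["viewer"]}
EVE = {"name": "eve", "roles": ["superuser"]}  # undefined role -> no permissions

if __name__ == "__main__":
    for user in (ALICE, BOB, EVE):
        print(attempt(export_report, user, "q3-revenue"))
        print(attempt(disable_user, user, "mallory"))
```

The check lives in the application because, as the section notes, the PaaS provider has no way of knowing which of your users may export which report; the platform supplies the runtime, the customer supplies the authorization logic.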

Infrastructure as a Service (IaaS) Responsibilities

IaaS is essentially virtual machines hosted in someone else's data center. Therefore, an organization consuming IaaS is responsible for most elements of security, apart from physical security, the hypervisor, and the underlying network fabric of the data center itself.

In an IaaS environment, network security and host security from the operating system up are the responsibility of the customer. However, because you do not own or control the underlying network, traditional appliance-based controls are hard to deploy the way you did on premises. Virtual versions of Next Generation Firewalls are available, but on their own they cover only part of the problem: traffic between cloud services often never traverses such an appliance, and misconfigured storage, security groups, or identity policies are outside its view.

Emerging tools such as Cloud Security Posture Management (CSPM) solutions or Cloud Workload Protection (CWP) solutions are available to help you meet your responsibilities in a cloud-native fashion. For an example of a forward-thinking approach specifically designed to solve this problem, check out the offerings from Open Raven.
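As an added example of the kind of cloud-native posture check a CSPM tool automates (this is not code from the original article, from Open Raven, or from any vendor), the following Python script scans a security-group inventory for sensitive ports exposed to the entire internet over IPv4 or IPv6. The inventory format is a constructed, simplified stand-in rather than a real cloud API response, and the list of sensitive ports is an assumption; the point is that in IaaS the rules themselves are the customer's responsibility, and checking them is a query over configuration rather than a box on the wire.

```python
"""Posture check: sensitive ports open to the whole internet.

Added example, not the article's or any vendor's code. INVENTORY is a
constructed, simplified stand-in for a security-group export; SENSITIVE_PORTS
is an assumed list of services that should never be world-reachable.
"""
import ipaddress

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}

# Constructed inventory: one dict per security group, inbound rules only.
# "proto" of "-1" or "all" means every protocol and port.
INVENTORY = [
    {"id": "sg-web", "rules": [
        {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/8"},
    ]},
    {"id": "sg-db", "rules": [
        {"proto": "tcp", "from": 5432, "to": 5432, "cidr": "0.0.0.0/0"},
    ]},
    {"id": "sg-bastion", "rules": [
        {"proto": "tcp", "from": 0, "to": 65535, "cidr": "::/0"},
    ]},
]


def is_world_open(cidr):
    """True when the CIDR admits every address of its family (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(rule):
    """Sensitive ports that fall inside the rule's port range."""
    if rule["proto"] in ("-1", "all"):
        lo, hi = 0, 65535
    else:
        lo, hi = rule["from"], rule["to"]
    return {p: name for p, name in SENSITIVE_PORTS.items() if lo <= p <= hi}


def find_findings(inventory):
    """One finding per (security group, sensitive port) reachable from anywhere."""
    findings = []
    for sg in inventory:
        for rule in sg["rules"]:
            if not is_world_open(rule["cidr"]):
                continue  # restricted source range: not a world-exposure finding
            for port, name in sorted(exposed_ports(rule).items()):
                findings.append({"sg": sg["id"], "port": port,
                                 "service": name, "cidr": rule["cidr"]})
    return findings


if __name__ == "__main__":
    for f in find_findings(INVENTORY):
        print(f"{f['sg']}: {f['service']}/{f['port']} open to {f['cidr']}")
```

Note that `sg-web` produces no finding: its HTTPS rule is world-open but not sensitive, and its SSH rule is limited to a private range. `sg-bastion` shows the second failure mode the check has to handle, an all-ports rule whose source is the IPv6 wildcard, which a check that only looks for the string `0.0.0.0/0` would miss.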

Shared security requires a data protection strategy shift

Outside of physical security—depending on which flavor of cloud service you are consuming—you may be responsible for the same elements of security that you were when your workloads were deployed on premises. However, many of the tools you used on premises are ineffective or obsolete in the cloud.

To reduce complexity and provide truly comprehensive data protection, you must change your perspective. Instead of buying technologies and then building a program around them, start by building a program that focuses on the data. Understand your data and identify its protection requirements. Then apply modular capabilities to meet your responsibilities in each deployment mode.

This approach isn’t radical—it’s highly practical. But it’s new to many organizations. A modular, data-centric security strategy is an effective way to meet your organization’s security responsibility in a flexible way—regardless of where that data resides. Better yet, it’s an adaptable approach that does not require a redesign of the security apparatus every time you change the way applications are built and delivered inside your organization.

Start where you are—but start today

The cloud is already part of how your business operates. Whether you are embracing digital transformation or being dragged into it, it’s essential to get a handle on your data protection responsibilities. InteliSecure can help. Contact us for a no-risk whiteboard session and let us help you understand your security posture.