Secured Cloud: Whose Responsibility Is It – Cloud Provider’s or Yours?
Today, cloud, with its strong value proposition of agility, scalability, and flexibility, has become a mainstream technology. It is hard to imagine building a technology solution without consuming cloud services. On the flip side, it heightens security risks in ways never imagined earlier. It is certainly possible to security-harden cloud services to make them a lot less vulnerable to cyber attacks. However, when Amazon or Microsoft or Google owns the infrastructure, and you own the data and applications, where does the buck stop?
Simply put, cloud security is a shared responsibility. AWS, for instance, explains this to its customers. The cloud service provider (CSP) is responsible for the ‘security of the cloud.’ This means the CSP is responsible for protecting the infrastructure – hardware, software, network, and the physical facilities housing them – that runs all its cloud services. The cloud customer is responsible for ‘security in the cloud,’ meaning everything the customer puts into the cloud – data, applications, their encryption, identity, and access management – is the customer’s responsibility.
We have worked extensively with enterprise customers and also cloud service providers to help fortify their digital landscapes. Our key learning has been that different cloud models – SaaS, public cloud, hybrid cloud, and multi-cloud – have very different risk and control ramifications. Even within one public cloud, the security features provided by the CSP differ for IaaS and PaaS. In fact, the extent of security configurations varies within IaaS services themselves, for example, AWS EC2 vs. S3.
The Gartner illustration below succinctly captures the essence of the shared responsibility model and how it varies across different cloud models.
Irrespective of who does what, it is worth underscoring that, if your IT systems are breached, your brand is tarnished, you face massive penalties, and your customers hold you accountable. Aren’t these consequences compelling enough for you to take the primary responsibility? If yes, then the next logical question to ponder is: how? To answer this question effectively, you need to look into the future. As you navigate the cloud journey, it is just a matter of time before you decide to move the majority of your workloads to the cloud. It doesn’t stop there. To build the next-generation business solutions your customers demand, you will inevitably need advanced features offered by multiple CSPs. That means multiple CSPs, their associated security features, and third-party supporting tools, all amid continuous pressure to be agile and cost-effective while innovating at full throttle. We hope you now have a clue to figure out the ‘How’. If not, please feel free to contact us here.