Cloud security breaches are not uncommon in today’s digital landscape. And when these breaches occur, it is often followed by a game of finger-pointing, with both cloud users and cloud service providers (CSPs) attempting to determine who should bear the blame. However, there is an opportunity for these two parties to work together to transcend the limitations of the established shared responsibility model of cloud security. By building upon the foundations of this model and addressing its shortcomings, a more secure cloud future can be achieved.
The shared responsibility model is the prevailing framework for cloud security. Under this model, the responsibilities of both the cloud user and the CSP are clearly defined. The CSP is responsible for defending against threats to the cloud infrastructure, while the customer is responsible for protecting the security of the data and applications they manage in the cloud. This model has served as a practical guideline for cloud security for many years.
However, as cloud adoption has grown and evolved, the limitations of the shared responsibility model have become evident. It is not realistic to maintain a strict delineation between areas of responsibility in many aspects of security. Additionally, customers often assume that the CSP will take on more cybersecurity responsibility than they actually do. In reality, the most effective way to defend against and respond to cyber threats is for the customer and CSP security teams to work together collaboratively.
There are several ways in which the shared responsibility model can break down. One key limitation is the lack of technical expertise on the customer side. Many customers simply do not possess the necessary skills and knowledge to handle their side of cloud security without significant assistance. Relying solely on the customer to handle these responsibilities can lead to costly cybersecurity incidents and strain the relationship between the customer and the CSP.
Another challenge arises when more than two parties are involved in a cloud environment. This is particularly true when resellers and managed service providers enter the equation. The lines of responsibility become blurred and the complexity of the security model increases. The shared responsibility model lacks clear guidelines for managing the multifaceted configurations commonly found in modern organizations.
Confusion regarding default security settings is yet another issue. Many cloud security partnerships stumble over the question of who is responsible for adjusting these settings. New cloud customers may not fully understand what adjustments need to be made, even if they have the ability to make them.
Recognizing these limitations, the industry is moving towards an updated cloud security paradigm known as the shared fate model. Google’s shared fate model is an example of this collaborative approach to handling cloud risks. In this model, the CSP takes a more proactive role by providing guidance and tools for ongoing security, even at the deployment stage. The shared fate model acknowledges the areas where the shared responsibility model falls short and seeks to bridge those gaps.
The shared fate model eases the security burden on customers’ teams by incorporating secure-by-default infrastructure, security foundations, and secure blueprints. It provides guidelines for organizing workflows and responsibilities in complex cloud environments involving multiple stakeholders. Additionally, the shared fate model emphasizes the importance of cyber insurance, which can offer support to cloud customers in the event of a cyber incident.
By adopting the shared fate model, cloud service providers aim to meet customers where they are in terms of cybersecurity and help them progress towards their desired security goals. While customers will always have some level of responsibility for cloud security, the shared fate model presents a more practical and cooperative approach to managing cyber risks. Ultimately, the goal of cloud security is not solely about assigning responsibilities but rather about working together to achieve better security outcomes.