Cloud security has many aspects, and it is easy to miss the scale of the issue by taking a simple view. For example, people may trust a particular cloud service provider and think that all security responsibility belongs to them; some look only at the technical aspects (is the data encrypted?) or at certifications (does the provider conform to ISO 27xxx?); others forget the human aspect entirely. Sadly, any of these viewpoints can lead to insecure cloud use and data loss for the company.
To explain the breadth of securing the cloud, we have created a new white paper, “The Cloud Security 360° Shared Responsibility Model”, which splits cloud security requirements into nine areas and discusses how to ensure that each area is being addressed.
In other areas of life we also have shared responsibility, even if it is usually seamless and so we don’t think about it much; renting a car, for example.
Firstly, when the car is new, the manufacturer is responsible for its being roadworthy: it has good brakes and tires, the airbags work, and it is not going to fall apart at the first corner. During the car’s lifetime, the rental company and the renter will hopefully never test the airbags; they simply assume that these will work as originally installed.
Once the car gets older, the owner (the rental company) is responsible for checking the tires and the brakes, servicing the car and keeping it roadworthy; the renter simply assumes that this is the case. The renter needs to hold the appropriate driving licence for the vehicle, and this is checked by the rental company before the car is handed over.
The car includes seat belts, installed by the manufacturer, but it is the driver’s responsibility to wear their own, and ensure that all the family members wear them too. For young children, it is the driver’s responsibility to ensure that they have appropriate child seats and for the older kids, the parent has to ensure that they do not take off their seat belt.
General insurance is shared between the rental company and the renter (who is perhaps not the only driver). Ultimately, the driver is responsible for driving the car appropriately for the conditions: driving more slowly in rain and snow and not speeding around corners.
Renting a car safely is a responsibility in which five groups of people all have their part to play: the car manufacturer, the rental company, the renter, the passengers and the driver. If one area is ignored, there could be an accident with tragic consequences, and it is no good saying “but I checked the other areas”: all need to be considered together.
Cloud computing is similar: you are not safe just because the cloud service provider has invested a lot in security, and you are not safe just because you have anti-malware systems installed. The service provider, the enterprise, the IT security team and the user all have a part to play, and if any one of these areas is not addressed, then security is compromised.
Cloud computing needs to be considered across each row of the diagram. The cloud service provider is responsible for the lowest levels of security (power, connectivity, server infrastructure and so on) and provides some security functions, but the enterprise is responsible for turning these on (think of the number of data loss incidents caused by misconfigured S3 buckets). Only the enterprise can truly decide which data is confidential, while it is usually users who decide to share and collaborate via the cloud with external parties.
The paper discusses all of this in detail and suggests ideas and technologies to address each row. Just like renting a car, you need to address every row to be secure.
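As an added illustration of the provider/enterprise split in the S3 case (example code written for this post, not taken from the white paper), the check below evaluates constructed bucket configurations offline: the provider supplies the Block Public Access control, but a public-read bucket policy is only neutralised if the enterprise has actually switched `RestrictPublicBuckets` on. Field names are assumed to follow the S3 PublicAccessBlock and bucket-policy JSON shapes; no AWS calls are made.

```python
# Added example: offline assessment of constructed S3 bucket configurations.
# Field names follow the S3 PublicAccessBlock and bucket-policy JSON shapes (assumed).

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}


def policy_grants_public_read(policy: dict) -> bool:
    """True if any Allow statement lets everyone read objects."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in READ_ACTIONS for a in actions):
            return True
    return False


def assess_bucket(bucket: dict) -> str:
    """Return 'exposed', 'blocked' or 'private' for one bucket configuration.

    A public policy is neutralised only when the enterprise has switched on
    RestrictPublicBuckets: the provider offers the switch but does not flip it.
    """
    pab = bucket.get("PublicAccessBlock", {})
    if policy_grants_public_read(bucket.get("Policy", {})):
        return "blocked" if pab.get("RestrictPublicBuckets", False) else "exposed"
    return "private"


# Constructed sample configurations (not real buckets).
PUBLIC_READ_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-reports/*"}]}
EXPOSED_BUCKET = {"Name": "example-reports",
                  "PublicAccessBlock": {"BlockPublicPolicy": False, "RestrictPublicBuckets": False},
                  "Policy": PUBLIC_READ_POLICY}
HARDENED_BUCKET = {**EXPOSED_BUCKET,
                   "PublicAccessBlock": {"BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
PRIVATE_BUCKET = {"Name": "example-internal", "PublicAccessBlock": {}, "Policy": {}}

if __name__ == "__main__":
    for b in (EXPOSED_BUCKET, HARDENED_BUCKET, PRIVATE_BUCKET):
        print(f"{b['Name']}: {assess_bucket(b)}")
```

The same policy document yields "exposed" or "blocked" depending only on the enterprise-side setting, which is the point of the row split: the control exists either way, but someone has to turn it on.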