Understanding the cloud shared responsibility model

Over the past year, we witnessed a transition to the cloud as companies had to quickly adjust to the almost instantaneous move to a remote work environment. But in many cases, they prioritized practicality over security to avoid business disruption, leaving many organizations vulnerable.

A significant reason for these vulnerabilities is that many organizations rely on default security offerings from their cloud providers, which are often provided as do-it-yourself toolkits and guidelines, leaving the actual configuration to the user.

In a cloud-first environment, organizations now operate under a shared responsibility model with cloud providers, which lays out what responsibilities belong to the cloud provider and what responsibilities belong to the user. While the concept of a shared responsibility model is relatively easy to understand, implementing it requires a great deal of coordination.

In many instances, a shared responsibility model dictates that cloud providers are responsible for the security “of” the cloud, and organizations are responsible for security “in” the cloud. The differentiation can be a little confusing. Think of it this way: A home security provider can install a protection system, but it is up to the homeowner to identify where the sensors are located and ensure that it is armed before leaving the house. Similarly, a cloud provider protects the cloud’s infrastructure to reduce intrusion risk, while the organization protects the data if a breach occurs.

The challenge grows more complex when you consider that most organizations are working in multiple cloud environments. According to Accenture, 93% of organizations are operating with a multi-cloud strategy, utilizing an average of 3.4 public clouds and 3.9 private clouds per organization. Not only are companies constantly analyzing and assessing their own security posture, but they must also do the same for their cloud providers.

As companies rely more heavily than ever on the cloud, organizations must create an environment that addresses their responsibilities under a shared responsibility model. The following steps can help prepare organizations to protect their data at all times:

• Identify sensitive data: Use advanced data discovery methods to find sensitive data in their repositories before moving them to the cloud. Privacy regulations must be top of mind due to the rapidly expanding scope of what is considered sensitive. For example, IP addresses and geolocation information are now regarded as sensitive in addition to personally identifiable information (PII) such as Social Security numbers and birth dates.
• Determine the usage of data: Identify the purpose of collecting data to comply with privacy regulations such as GDPR and CCPA. Next, they should map out how they will process the data and if they will need to share it with a third party. The critical element is to make sure that this data does not land into unauthorized hands, which can result in hefty fines.
• Assign access control: Outline who is allowed to access that data for processing. Using dynamic masking tools, it is possible to create customized views for individuals based on their persona. For example, an application developer needs a different view than a data scientist who accesses the same dataset in the cloud.
• Research the cloud provider’s security qualifications: Like any service, cloud service providers should have quantifiable evidence that demonstrates a commitment to cloud security. Conduct due diligence in researching their industry-specific, cloud security certifications, and if they publish regular reports associated with compliance and audits.
• Seek out advanced protection: Transitioning data repositories to the cloud brings many advantages in terms of scale and availability, but it does require giving up control of where the data resides. Organizations should always be asking, “Can the cloud service provider see my data?” Or, more importantly, “Can someone impersonating my cloud service provider’s administrator see my data?” Bring Your Own Key (BYOK) is an increasingly standard technology solution that helps organizations maintain control of their data on infrastructure that they do not own.

BYOK enables encryption or tokenization of sensitive data records so that only the data owner has access to them. These methods prevent the cloud service provider from ever being able to see the data. And if someone pretending to be the cloud service provider’s administrator exfiltrates the data, all they will get is encrypted data, rendering the breach useless.

Traditional “at rest” encryption methods require data to be deposited in the cloud and in the clear before the protection kicks in. Adopt techniques where the data protection task is built into the data movement task, thus eliminating that vulnerability.

Cloud computing is an accepted reality of doing business. As such, understanding the shared responsibility model outlined by a cloud provider and taking the necessary steps to protect data throughout its lifecycle, in transit, at rest, and in use, should be top priorities before any cloud migration. In doing so, organizations will reduce the risk of costly breaches and non-compliance, while unlocking the many benefits the cloud has to offer.