Shared Responsibility Model For Public Cloud Security

By: Aseem Rastogi | 7 Nov 2017

With the proliferation of various delivery models, it sometimes becomes difficult to delineate the boundaries of accountability for cloud security. At its heart, the cloud is built on a shared security model in which Cloud Service Providers (CSPs) and users both have security responsibilities.

In order to leverage the cloud effectively, business strategy and compliance/security obligations need to be aligned with the shared security model of the cloud.

Historical Perspective

Before the advent of the cloud, enterprises ran their own data centers. Hence they were responsible for the security of that infrastructure as well as the applications and data that ran on it.

Moving to a public cloud computing model transfers some (but not all) of the IT security responsibilities to the cloud provider. Both entities, cloud provider and cloud user, must work together, and each is responsible for different aspects of security.

Cloud Service Model Types – SaaS, PaaS, IaaS

There are three prevalent models of cloud service delivery: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Each model has different cloud security requirements.

Software as a Service (SaaS)

SaaS is the most familiar form of cloud service for consumers: clients, in this case usually web browsers, provide the point of access to software running on the provider's servers.

Use of SaaS applications reduces the cost of software ownership by removing the need for technical staff to install, manage, and upgrade software, and by reducing the cost of licensing software.

The most familiar SaaS applications for business are CRM applications, productivity suites like Google Apps, and storage solutions like Dropbox.

Platform as a Service (PaaS)

PaaS functions at a lower level than SaaS, typically providing a platform on which software can be developed and deployed. PaaS is built on top of virtualization technology. Businesses can request resources as they need them, scaling as demand grows, rather than investing in hardware with redundant resources. Examples of PaaS providers include Heroku, Google App Engine, and Red Hat’s OpenShift.

Infrastructure as a Service (IaaS)

IaaS, the fundamental and most flexible building block, comprises highly automated and scalable compute resources. Cloud storage and network capability complement this delivery model; all of it can be self-provisioned, metered, and made available on demand.

Users of IaaS can build a “virtual data center” in the cloud. They get access to many of the same technologies and resource capabilities of a traditional data center without having to invest in capacity planning, physical maintenance and management.

The following exhibit depicts the benefits of each model and some examples.

Separation of Responsibilities

Cloud Security Shared responsibility model

Cloud security is a shared responsibility. The type of cloud service model (IaaS, PaaS or SaaS) dictates who is responsible for which security task.

Scope of SaaS Security

SaaS largely moves the task of managing software and its deployment to the third-party service provider. In a SaaS model, the provider is primarily responsible for the infrastructure and software stack; the user has no control over these components. Users are primarily responsible for securing their data.

Scope of PaaS Security

The PaaS model abstracts away the operating system and server software along with the underlying server hardware and network infrastructure. This leaves the user free to focus on business scalability and the delivery of their product or service.

Cloud Security In IaaS

In the IaaS model, the cloud provider supplies and secures the basic cloud infrastructure components, such as virtual machines, disks and networks. The provider is also responsible for the physical security of the data centers that house its infrastructure. IaaS users are generally responsible for the security of the operating system and software stack required to run their applications, as well as for their data.

Users’ responsibilities generally increase as they move from SaaS to PaaS to IaaS.

Implication of Cloud Model on business

The choice of cloud model affects business, governance and compliance. For example, AWS, as an IaaS provider, may claim to be PCI compliant. However, an AWS customer still needs to implement the required controls for the layers from the O/S upwards in order to be PCI compliant itself.

Customers must implement additional controls, such as vulnerability management programs and continuous configuration monitoring, to safely consume an IaaS service.
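To make the customer-side half of the IaaS split concrete, here is a small configuration-monitoring check written for this article as an added example; it is not the author's code and it does not call any real cloud provider API. It walks a constructed inventory of virtual machines, disks and network rules (the components the article names as provider-supplied) and reports findings only for the layers the customer owns in IaaS: operating-system patching, inbound network rules the customer configured, and encryption of the customer's data at rest. The inventory, the `VirtualMachine`/`Disk` records, the 30-day patch threshold and the "customer:..." layer labels are all assumptions made for the example.

```python
"""Customer-side configuration monitoring for an IaaS deployment.

Added example for the shared responsibility discussion above. The resource
records below are constructed sample data, not output of any real cloud API,
and the thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple


@dataclass
class Disk:
    name: str
    encrypted: bool          # encryption of customer data at rest is the customer's call


@dataclass
class VirtualMachine:
    name: str
    os_last_patched: date    # the guest OS is the customer's responsibility in IaaS
    # inbound rules as (port, source_cidr); the provider supplies the network,
    # the customer configures what it admits
    network_rules: List[Tuple[int, str]] = field(default_factory=list)
    disks: List[Disk] = field(default_factory=list)


# Assumed policy: admin ports must not be reachable from the whole Internet,
# and guest OS patches must not be older than 30 days.
ADMIN_PORTS = {22, 3389}
MAX_PATCH_AGE_DAYS = 30
ANYWHERE = "0.0.0.0/0"

# Reference date for the sample run (the article's publication date).
AS_OF = date(2017, 11, 7)


def check_vm(vm: VirtualMachine, today: date) -> List[Tuple[str, str, str]]:
    """Return (resource, responsibility layer, message) findings for one VM.

    Only customer-owned layers are checked; hypervisor, physical hosts and the
    network fabric are the provider's job and are not visible here anyway.
    """
    findings = []

    patch_age = (today - vm.os_last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append((vm.name, "customer:os",
                         f"guest OS not patched for {patch_age} days"))

    for port, source in vm.network_rules:
        if port in ADMIN_PORTS and source == ANYWHERE:
            findings.append((vm.name, "customer:network-config",
                             f"admin port {port} open to {ANYWHERE}"))

    for disk in vm.disks:
        if not disk.encrypted:
            findings.append((vm.name, "customer:data",
                             f"disk {disk.name} is not encrypted"))

    return findings


def monitor(inventory: List[VirtualMachine], today: date) -> List[Tuple[str, str, str]]:
    """Run the customer-side checks over the whole inventory."""
    findings = []
    for vm in inventory:
        findings.extend(check_vm(vm, today))
    return findings


# Constructed sample inventory: one compliant VM and one with three gaps.
SAMPLE_INVENTORY = [
    VirtualMachine(
        name="web-01",
        os_last_patched=date(2017, 10, 20),
        network_rules=[(443, ANYWHERE), (22, "10.0.0.0/8")],
        disks=[Disk("web-01-root", encrypted=True)],
    ),
    VirtualMachine(
        name="db-01",
        os_last_patched=date(2017, 8, 1),
        network_rules=[(22, ANYWHERE)],
        disks=[Disk("db-01-root", encrypted=True), Disk("db-01-data", encrypted=False)],
    ),
]


if __name__ == "__main__":
    for resource, layer, message in monitor(SAMPLE_INVENTORY, AS_OF):
        print(f"{resource:8} {layer:24} {message}")
```

Each finding is tagged with the responsibility layer it belongs to, which is the point of the exercise: when a PCI assessor asks who owns a gap, the tag answers immediately, and the same check would produce nothing for the provider-owned layers because the customer never sees them. In a PaaS deployment the `customer:os` check would disappear entirely, and in SaaS only the data-handling checks would remain.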