Who’s Responsible for the Security of Data in the Cloud?

It has often been said that public cloud services are more secure than the typical corporate data center. While that’s true, consider the following:

· Approximately 1.6 million files involving more than 80 municipalities were exposed due to a misconfigured Amazon S3 bucket related to MapsOnline, a software service provided by PeopleGIS. The data included personal information of area residents and their properties.

· A misconfigured S3 bucket led to the exposure of 3TB of data held by four airports in Colombia and Peru. The data included ID photos and personally identifiable information of airline employees.

· Japanese website Doctors-Me.com failed to properly configure a bucket, giving hackers access to 300,000 images uploaded by patients seeking medical consultation. Some of the images provide enough information for someone to identify the patient, including adults and children.

Cloud service providers such as Amazon have world-class data center facilities and teams of experts who are steeped in the latest security techniques. However, the cloud is only as secure as you make it, as these three data leaks show. The cloud operates under a shared responsibility model, in which cloud service providers are responsible for the security of their data center infrastructure, and customers are responsible for what’s stored there. However, there are variations to this rule.
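The customer-side check implied by these bucket leaks, as an added example that is not code from this page or from any cloud provider: it audits one bucket's settings offline for public exposure. The dictionary layout (the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses merged into one object) and the sample values are assumptions, and account-level Block Public Access and policy conditions are not evaluated.

```python
import json

# Real S3 predefined groups; a grant to either one makes an ACL public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def audit_bucket(cfg):
    """List public-exposure findings for one bucket's settings (assumed layout)."""
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    findings = []
    off = [k for k in PAB_KEYS if not pab.get(k)]
    if off:
        findings.append("public access block disabled: " + ", ".join(off))
    # Public ACL grants stay effective unless IgnorePublicAcls is on.
    for grant in cfg.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_GROUPS and not pab.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    # A wildcard Allow stays effective unless RestrictPublicBuckets is on.
    statements = json.loads(cfg.get("Policy") or "{}").get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if (st.get("Effect") == "Allow" and is_wildcard(st.get("Principal"))
                and not pab.get("RestrictPublicBuckets")):
            note = " (conditional, review by hand)" if st.get("Condition") else ""
            findings.append(f"policy allows {st.get('Action')} to any principal{note}")
    return findings

# Constructed sample settings, not taken from any incident on this page.
EXPOSED = {
    "PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS},
    "Grants": [{"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}
LOCKED = dict(EXPOSED, PublicAccessBlockConfiguration={k: True for k in PAB_KEYS})
if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("LOCKED", LOCKED)):
        print(name, audit_bucket(cfg) or "no public exposure found")
```

The LOCKED sample keeps the same public ACL and policy but turns on all four Block Public Access settings, which is why it reports nothing.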

Understanding the Shared Responsibility Model

First, the division of responsibilities varies by delivery model. With Software-as-a-Service (SaaS), the cloud provider maintains the most control, with responsibility for the application and underlying infrastructure. The customer is responsible for endpoint security, network security, identity and access management (IAM), and data protection.

With Platform-as-a-Service (PaaS), the cloud provider secures the platform and underlying infrastructure. Customer responsibilities are the same as with SaaS, except the customer is also responsible for the applications and workloads that are developed and implemented on the platform. With Infrastructure-as-a-Service (IaaS), the cloud provider is only responsible for the infrastructure. Customers are responsible for all other aspects of the environment, including virtualization, platforms, containers, APIs and software.

Cloud providers are responsible for maintaining the firewalls and other security and network controls they offer. However, the customer is responsible for configuration, defining rules, monitoring for alerts and responding to incidents.

Of course, the devil is in the details. The major cloud providers talk about the shared responsibility model in similar terms, but there is no standard. In practice, the model is applied differently and varies among services offered by the same provider. It’s important that customers read and understand the SLA for every platform, service and resource they use.

Ensuring Cloud Resources Are Protected

Some customers may wonder why they must take responsibility for security in the cloud. After all, a primary benefit of the cloud is the ability to offload IT management. However, cloud providers can’t take responsibility for aspects of the environment they don’t control.

Furthermore, the cloud service provider always maintains the security of the infrastructure, and sometimes other aspects as well. This enables customers to reallocate resources to other areas of responsibility. Cloud service providers also follow rigorous security protocols, and customers benefit from that expertise.

Cloud platforms also give customers access to robust controls that can be configured in the customer portal. In most cases it’s cheaper and more efficient to use the cloud platform’s firewall and other services than to replicate on-premises security infrastructure in the cloud.

That said, all of this is enormously complex, and few organizations have in-house expertise in cloud security. At DeSeMa, we helped develop some of the major components of the leading cloud platforms. We understand the subtleties of the shared responsibility model, and the security controls available within each cloud service. We can ensure that those controls are configured properly and put maintenance and management processes in place. We can also assess your entire environment and ensure there are no security gaps between various clouds and on-premises infrastructure.
