close search bar

Sorry, not available in this language yet

close language selection

Shared responsibility model: Who owns cloud security?

Synopsys Editorial Team

Nov 06, 2018 / 2 min read

If you’re new to the cloud, here’s the first thing you should know: Cloud providers follow the shared responsibility model. This model has immediate implications for your cloud adoption strategy and your ongoing cloud security program. But recent research shows that if you’re new to the cloud, you’re more likely to assume that others will let you know of a data breach—and less likely to be proactive in securing your cloud deployment. Are you opening yourself up to the risk of data breach without even knowing it?

What is the shared responsibility model?

The shared responsibility model is a model for cloud operations in which you and your cloud service provider (CSP) divvy up responsibilities for your cloud deployment. Your CSP may handle everything from physical networks, servers, and storage to hypervisors, virtual networks, middleware, runtimes, operating systems, and even applications, but you’ll be responsible for the rest. In other words, no matter what level of service your CSP offers, you’re responsible for the security and compliance of some part of your cloud deployment.

How are responsibilities shared?

The division of cloud security responsibility generally falls into three buckets, depending on your cloud service model:

Diagram Illustrating the Shared Responsibility Model for Cloud Security

Remember this well: Even if your CSP provides your entire cloud system—servers, systems, and applications—you’re still responsible for the security of your data wherever it is, whether it’s at rest or in transit.

Why is the shared responsibility model important?

The shared responsibility model is important because it should drive both your cloud migration strategy and your ongoing cloud security plan. For example, if you use your own apps in the cloud in a PaaS or IaaS model, you’re responsible for their security. And because an application’s vulnerabilities follow it wherever it goes—you can’t just “configure away” vulnerabilities in the cloud—you’ll have to conduct application security testing on your cloud apps. If you use your CSP’s applications in the SaaS model, you’re not responsible for application security. But in any model, you must play an active role in your cloud deployment, configuring your CSP’s security controls and monitoring your cloud solution to make sure your data stays protected.

Am I doing enough to protect my data?

Unfortunately, many organizations that have adopted the cloud struggle with the concept of shared responsibility for cloud security. 451 Research has found that organizations have different expectations for their cloud providers depending on how conservative they are about adopting new technology. The newer you are to the cloud game, the less likely you’re taking an active-enough role in securing your cloud deployment.

Fortunately, there are things you can do to strengthen your cloud security program and reduce your risk of data breach. 451 Research’s Business Impact Brief Cloud Security: Whose Job Is It, Anyway? is a quick read that explains how to support your cloud migration and stay vigilant in the ever-evolving landscape of cloud security threats.

Continue Reading

Explore Topics