Cloud adoption has accelerated in the past year as organizations scrambled to support a remote workforce. Despite this rapid adoption and growth, companies often misunderstand a key cloud concept: the shared responsibility model (SRM).
Many business leaders still ask, “Is the cloud secure?” This is the wrong question. A more appropriate question would be, “Are we, as a security team and organization, securing our share of the cloud?” The overwhelming majority of cloud data breaches/leaks are due to the customer, with Gartner predicting that through 2025, 99% of cloud security failures will be the customer’s fault. For this reason, it is imperative that all security practitioners understand their responsibilities.
What is the shared responsibility model?
The shared responsibility model delineates what you, the cloud customer, are responsible for and what your cloud service provider (CSP) is responsible for. The CSP is responsible for security “of” the cloud—think physical facilities, utilities, cables, hardware, etc. The customer is responsible for security “in” the cloud—meaning network controls, identity and access management, application configurations, and data.
That said, this division of responsibilities can change depending on what service model you use. At a basic level, the NIST Definition of Cloud Computing defines three primary cloud service models: