Sharing the Responsibility of Compliance and Security in the Cloud


Cloud security continues to be a hot topic, with regular news stories about companies suffering breaches and losing data. What is the cause of these breaches, and who is to blame? An article on states that “Through 2022, at least 95% of cloud security failures will be the customer’s fault”. So why is it the customer’s fault and not the cloud provider’s?

Many of these breaches are a result of operating system vulnerabilities and configuration management, which in most cases are the responsibility of the customer. To help provide guidance on responsibilities when using cloud services, Amazon has published information on their Shared Responsibility Model. This model clarifies which IT controls are the responsibility of the customer, which are Amazon’s responsibility, and which are shared.

There are three categories of IT controls: Inherited Controls, Shared Controls, and Customer Specific Controls. Amazon is responsible for Inherited Controls, which include physical and environmental controls. Shared Controls cover areas such as patch management, configuration management, and awareness and training; responsibility for these is split between Amazon and the customer. For example, Amazon is responsible for patching the infrastructure, while the customer is responsible for patching the OS and applications. The last category is Customer Specific Controls. These are solely the responsibility of the customer and include things like service and communications protection or zone security.

The Shared Responsibility Model from Amazon is helping companies understand their compliance and security responsibilities in the cloud. Whether you are using Amazon Web Services or not, most cloud providers have similar models that clearly assign the responsibilities of each party involved. If you’re not familiar with your provider’s policy, make sure to review it and take responsibility for the security of your cloud applications.