Businesses must embrace the concept of a shared responsibility mode. Nigel Hawthorn
Businesses are conflicted about moving their data to the cloud. Some claim that one of the main reasons for moving data to the cloud is because it is more secure. Major cloud vendors like Microsoft, Amazon, and Google correctly point out that the responsibility is not theirs alone and that businesses must embrace the concept of a shared responsibility model.
Microsoft, for example, publishes its model for Azure. Amazon has a similar approach for AWS. Both of these models point out that a secure infrastructure relies on the customer playing their part to make the system truly secure and compliant.
Cloud providers have often approached shared
responsibility by listing the security features they offer and leaving the rest
up to the customer, splitting responsibility into two. While this division is a
good start, it can leave the enterprise unsure about how to decide, allocate
and implement the areas allocated to them.
Shared responsibility in action
car rental process can best illustrate an ideal example of a shared
responsibility model. First, the manufacturer is liable for ensuring the car is
roadworthy when it comes off the assembly line. It needs to have good brakes,
tires, and functioning airbags. After the car arrives at a rental company, both
the company and the renter will typically not test the airbags – they just
assume they will work as originally installed. As the car gets older, the
rental company should check the tires and the brakes, service the car and keep
it roadworthy. The renter assumes this is the case.
On the renter’s side, they need to have the appropriate license for the vehicle, which the rental company checks before handing over the keys. The renter is responsible for accidental damage, though this may not be the actual driver when multiple drivers are sharing the driving. The car includes seat belts, installed by the manufacturer, but it is the driver’s responsibility to wear their belt and ensure that all members of the car wear them too, and drivers follow conditions and road rules.
This division of responsibility when renting a car is shared among five groups of people: the car manufacturer, the rental company, the passengers, the renter and the driver. Ignoring one layer of safety could have tragic consequences so every aspect needs consideration in totality.
Where risk ultimately lies
Microsoft, Amazon, and other cloud providers are working to deliver shared responsibility models at a baseline level, but there needs to be more responsibility from the end-user community. This includes the enterprise itself, information and IT security teams, and the users. Business and IT leaders can only safeguard cloud data if security features are well-understood, switched on, and properly configured at the outset.
Overall, the technology community needs to consider who controls and manages cloud configurations, data flow between different cloud services, collaboration, access, and device controls, and user behavior.
The responsibility for risk belongs to the business. Members of the IT team need to be the guardians of security and compliance for the enterprise. They need to work with the CISO and other business leaders to understand and set policies around data control, work with lines of business to help them classify data accurately, ensure regulatory compliance, help the purchasing team make buying decisions, determine user access to cloud services, and ensure comprehensive user training.
Without strict processes in place and a delineation of who
is accountable for what, a business decision like implementing a new public
cloud service can put a corporation at serious risk of a data breach or other
related security issues. But with the shared responsibility model, businesses
can ensure that everyone does their part.
Nigel Hawthorn is the EMEA Director, Cloud Business Unit.