Transformative tech trends like the internet of things (IoT), artificial intelligence (AI), virtual reality (VR) and dispersed workforces have increased cloud adoption. Why? Because the cloud provides agility, productivity, and scalability like no other infrastructure. And whilst the cloud isn’t necessarily new, it does still leave plenty of organizations with questions, particularly around security. The Shared Responsibility Model is a term you should familiarize yourself with as you explore your cloud journey. It could be the difference between cloud protection and brand damage.
Clearing Up Cloud Security
Cloud service providers such as AWS, Azure, and Atlassian provide an unimaginable scaling opportunity for businesses globally. Not only does the cloud remove the need for expensive upfront capital expenditure, it also enables unlimited access to scalable data servers on a pay-as-you-go model, in just a few clicks. Additionally, you can configure new employee machines from anywhere in the world, and protect them without the need to purchase, deploy and wait for the arrival of new hardware. It’s all digital. It’s Infrastructure as a Service (IaaS).
In 2023 and beyond, cloud adoption will continue to grow. Companies that don’t adopt it will undoubtedly be left snapping at the heels of earlier adopters. In fact, Gartner forecast that by 2025 cloud spending will overtake traditional IT expenditure.
The cloud shift accelerated during the pandemic, and now there’s no going back. Organizations capitalized on its potential and they’re reaping the benefits fast. In 2022, more than $1.3 trillion in enterprise IT spending was at stake from the shift to cloud, growing to almost $1.8 trillion in 2025, according to Gartner.
And, as more organizations migrate their own and their customers’ sensitive data to the cloud, it opens up the question of who is responsible for the data that is now hosted there. Is it the cloud service provider? Or is it the organization purchasing the service from the host?
Whose Responsibility Is It To Protect Cloud Data?
It’s true that cloud service providers offer the likes of compliance certifications and their own security. But, it’s not true that they offer complete security. In fact, cloud security is a shared responsibility between the vendor and the business. This isn’t much different from when you bought that PC back in 1995 at home and it came pre-loaded with the latest out-of-the-box anti-virus software like McAfee. Just because it was there didn’t mean it was McAfee’s responsibility to protect your PC for years to come. Or as you downloaded new software. Yes, it might flag a potential threat, but if your PC was infected by a new, undiscovered virus, you certainly weren’t going to take McAfee to court for not remaining up to scratch with the latest market threats. It was your responsibility to continually assess if that out-of-the-box solution matched your requirements, and that you kept it updated.
Now, as more data is hosted in the cloud, the principle remains the same. Your organization has specific requirements to protect your customer data. That might require very different layers of security for a small business compared to a large enterprise cataloging customer data. For example, think of the health industry.
The Shared Responsibility Model
The Shared Responsibility Model lays out an agreement between cloud service providers and organizations utilizing their hosted services. Essentially, the model clarifies that cloud service providers are responsible for protecting the overall infrastructure in the cloud. This is known as the “security of the cloud”. Conversely, you maintain responsibility for the security of any content, platform, applications, systems and networks you choose to host there. This is known as “security in the cloud”.
Cloud service providers’ responsibility includes:
- Controlling the host operating components of the system and virtualization layers.
- Physical security of the offices and data centers the host operates from.
- Protection services such as encryption.
- Security groups.
- Multi-factor authentication capabilities.
As an organization, you are responsible for:
- Assessing your chosen security solution.
- Maintaining the integrity of the cloud infrastructure.
- Updates and patches to application software.
- Configuration of firewalls.
- Deploying security utilizing the host’s protection services such as access assignments and permission levels.
- Additionally, you can increase security by using host-based firewalls, threat-based detection and encryption.
Recovering Deleted Cloud Data
In 2021, Christine McHale, Co-Founder and CEO of SPK and Associates, interviewed Vish Reddy, Co-Founder of Revyz, a cloud backup solution.
Revyz was created after Vish realized that a colleague had deleted valuable data in the cloud, only to find that data in the cloud is not backed up automatically. That it is backed up automatically is a common misconception among cloud service users.
In the interview, Vish explains:
“Imagine this. You’re the user of the application and the administrator. You accidentally press the wrong thing and things get deleted. Who is responsible for that? That action was taken by you as the customer. Now, that could have been a legitimate action. You want to actually go delete something. Microsoft can’t go and revert whatever you want to actually delete and get rid of, right? That’s where the shared responsibility model comes into play. It means you as the customer are responsible for certain things which are protecting your data. Microsoft, Atlassian or Salesforce, will give you the structure or the mechanisms to protect the data but you have to do it yourself. The Cloud Security Alliance updated their questionnaire, or their assessment mechanism, to include the shared responsibility model related questions. Because they found that this understanding of every administrator out there was, as people assume, in the cloud. That people don’t need to worry about it. Therefore, they don’t need a cloud backup solution.”
The Responsibility Model Overview Vs Infrastructure
It’s critical to understand the Shared Responsibility Model in depth. A solid understanding of these protection layers will also provide a solid foundation for the cloud security of your data. By clearly defining whether you, the customer, or the cloud service provider is responsible for cloud-hosted data, you will be able to better protect both customer and market-sensitive data.
If you need further support on protecting your cloud services, you can contact our expert managed services team for a no-obligation discussion. At SPK, we partner with the largest players in the cloud market including AWS and Azure. We were also recently recognized as Atlassian Gold Partners for our work on successful integrations and migrations, so you can trust our team to support yours.