Cloud Shared Responsibility Model – aka “Yo’ fault”

2019-11-08 By SecureSteve

As Spider-Man’s Uncle Ben says, “With great power comes great responsibility.” It is well understood that your cloud service providers (CSPs) and SaaS providers are responsible for ‘their’ security. Where does that leave your organization? With the power of the cloud, exactly when does your organization assume security “responsibility”?

What is “Shared” Responsibility?

The term thrown around in the industry is a concept referred to as the shared responsibility model. This seems reasonable. We’re all in this together, aren’t we? A follow up question one might wonder is, “How much responsibility?”

It turns out the answer is not exactly crystal clear. According to Gartner, through 2025, 99% of cloud security failures will be the customer’s fault. Which begs a few questions. First, what the what?? How is that shared responsibility? Which part of this is my organization “sharing”, exactly?

A Cloud Shared Responsibility Visual

It is clear that in a fully on-premise environment, security responsibilities are 100% on that organization. So… if an organization uses a cloud provider, they have, umm, less responsibility…?

-SecureSteve

Many of us learn with pictures, so perhaps visuals can help clarify this shared responsibility model concept. Amazon Web Services seems to be a big “cloud” player, so let’s see what they can help to explain:

Amazon’s shared responsibility visual

Uh huh… Yup… Hmm…. So, umm, yeah… The customer has all of the blue things, and the cloud service provider has all of the orange things. While I “get it”, I don’t really understand it.

Perhaps we can get a different visual. Peerlyst has a decent write-up and a slightly different visual:

Ok, now we’re talking. Red seems, umm, worse than green, but I’m the customer, so I’m all green. That yellow seems gross, but maybe I can ignore that. I mean, look at all of that green! This is starting to clarify things a bit, but the overall concept still seems vague.

Are there any other visuals that can clarify this further? Let’s see what Microsoft has to show:

Now it seems like we’re getting somewhere. It is clear that in a fully on-premise environment, security responsibilities are 100% on that organization. So, according to the above visuals, if an organization uses a cloud provider, they have, umm, less responsibility…?

One could say that the cloud helps to consolidate the sheer number of tools required to have an effective security posture.

-SecureSteve

The cloud provider 1%

Perhaps we can determine exactly how much responsibility each entity has in this relationship. Subtracting the above 99% responsibility that Gartner says I have in the cloud, from the 100% responsibility I have if things stay on prem, that leaves…(carry the one, oh wait, it’s only one. Can that be right? Must be right. Let me check it again…) 1% cloud service provider responsibility! Hooray! We’ve shared that responsibility, all right! Haven’t we?

No doubt there is some vagueness above to illustrate a point. Yet, it does actually beg the question, “What exactly are the security responsibilities of my Cloud Service Providers?”

Google actually has an excellent description in their cloud security whitepaper. I encourage you to take a look. My favorite passage:

“Google data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection.”

You read that correctly. Google data centers are protected by laser beam intrusion detection. Freaking laser beams! Even I don’t have laser beams in my data center! All I have is Halon gas, or if I were to use the cool name, Bromotrifluoromethane. Ok, never mind that. What I’m saying is, “The cloud MUST be secure!”

A “Cloud Shared Responsibility” scenario that your Grandparents can understand

In a true shared responsibility model, being ignorant of your responsibility is as bad as ignoring your responsibility.

-SecureSteve

Say you have some kids, and for the sake of argument, love those kids and don’t want anything bad to happen to them. If something bad happened, that might be the end of your family as you know it today.

When your kids are in your house, you know it is your responsibility to ensure their safety. In fact, you might even bring in some outside tools to help, such as gates, cameras, cabinet locks, electrical outlet covers, etc. You may even bring in a nanny to help provide a separate set of eyes to alert you of danger or concern. You ensure all of your doors are locked. After all, they are your kids, and are the most important thing to your family. It is 100% your responsibility to make sure they are safe, and this responsibility is accepted.

Times do change

While the in-house care for our kids can be effective, times sometimes change. Family goals may even transform, and your in-house environment might not be conducive to those changes. You still love your kids and want them to be safe. Yet you realize that for family transformation to occur, you might need to introduce them to a different environment, such as daycare.

Of course, you are going to vet out your daycare provider. You might look for high fences and very strong locks on the doors. Perhaps you ask about their laser beam intrusion detection. You ask questions about who is monitoring your kids, the safety tools and procedures available, and their notification practices.

Your daycare also encourages additional learning and development activities for your kids. This includes field trips outside of the premises of the daycare provider. A charter bus company may be contracted to pick up the kids, and they may be taken to a museum or a park.

It is reasonable that you want to feel confident your kids will be safe when you drop them off at daycare. You love your kids, yet you have begun to share some responsibility in protecting them with your daycare provider or perhaps other third-parties (charter bus company, museum, etc). This shared responsibility seems reasonable, even helpful, especially since it allows for the changes in your family.

Real-world daycare versus real-world cloud responsibility

At a high level, moving your data to the cloud, or utilizing cloud services, seems to have a lot of similarities to the “daycare” example. In fact, these overall similarities often are the basis for “cloud first” initiatives within an organization. Indeed, the cloud can provide a business transformation opportunity. Isn’t sharing responsibility awesome?

It is ironic that while “the cloud” is the future of many organizations, people who have their “head in the clouds” are considered out of touch with reality. The above daycare example is helpful, but there are several key items that differ between the daycare’s responsibility, and cloud provider’s responsibility.

Of course, you are going to vet out your various Cloud Service Providers (CSPs). As compared to the “daycare” example above, organizations must understand:

  • The provider may provide the fencing supplies, but YOU must ensure the fences are assembled.
  • The provider may provide the locking mechanisms, but YOU must ensure that the lock has been turned.
  • You must control who has a key to the locks.
  • If you have more than one type of data you must plan to have different locks (and thus, keys) for that data.
  • You must define and vet out every entity accessing that environment, including time of day, type of access, and usage when in the environment. You must separately control cleaners, administrators, teachers, parents, pets, mimes, etc.
  • You must define what types of doors to use, how big to make them, and what shape they are.
  • You must configure your own monitoring capabilities.
  • You are responsible for the maintenance of the monitoring tools.
  • You must configure separate monitoring for access of the environment, versus access of your data.
  • You must define every single notification event that is important to your family. If you forget an important notification event, that is your responsibility.
  • You must have full say over what third-party activities are involved with your data.
  • You must define what third-party tools are used in accessing your data. You must choose bus company, driver, route, etc.
  • You must fully control where your third-party data goes. If you do not define this explicitly, you lose access to that data. If you say, take my data “wherever”, it will go wherever.
  • Finally, if you forget any of the above responsibilities, or others not defined above, most cloud service provider terms of service indicate that it is “Yo’ fault”.

What are the lessons to be learned here?

  1. “Shared” responsibility DOES NOT mean “Reduced” responsibility
    Despite the fact that the environment has changed, and the implementation tactics have changed, your organization is as much responsible for their data as they ever have been. Laser beam intrusion detection at a physical data center in the Arctic Circle does not replace data protection policies.
  2. Cloud security controls and procedures resemble on-premise security controls and procedures
    Whether your organization uses a physical firewall or a virtual one provided by your cloud service, an “Any:Any” rule at the top is bad in both cases. Pre-defined access control and multi-factor authentication are a MUST. Data identification and control is critical. The way these security controls are implemented may differ, but the controls themselves are nearly the exact same!
  3. There are very effective tools today to assist organizations in staying safe in the cloud.
    The acronym CASB (Cloud Access Security Broker) is one that is coming onto the cloud security scene, but arguably that term is already dated. There are a variety of vendors and tools today that can help with a large portion of security needs. In fact, one could say that the cloud helps to consolidate the sheer number of tools required to have an effective security posture.
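The “lock has been turned” bullet and lesson 2’s “Any:Any rule at the top” both come down to the same customer-side check, whatever the provider hands you. Here is an added example (not from the post or any vendor) that audits an ordered allow/deny rule list the way a cloud NSG or on-prem firewall evaluates it; the rule names and CIDRs are constructed sample data.

```python
"""Audit an ordered firewall rule list for the Any:Any allow described in lesson 2.

Rules are evaluated top to bottom, first match wins, as in an Azure NSG or a
classic firewall. The sample rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

ANY = "0.0.0.0/0"


@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive range; (0, 65535) means every port


def is_any_any(rule: Rule) -> bool:
    """True when the rule allows every source to every destination on every port."""
    return (rule.action == "allow"
            and ip_network(rule.src).prefixlen == 0
            and ip_network(rule.dst).prefixlen == 0
            and rule.proto == "any"
            and rule.ports == (0, 65535))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is already matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])


def audit(rules: List[Rule]) -> List[str]:
    """Report Any:Any allows and rules that an earlier rule shadows (never evaluated)."""
    findings = []
    for i, rule in enumerate(rules):
        if is_any_any(rule):
            findings.append(f"{rule.name}: Any:Any allow at position {i}")
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by earlier rule {earlier.name}")
                break
    return findings


SAMPLE_RULES = [  # constructed example: the "lock" was shipped, but left unturned
    Rule("allow-all", "allow", ANY, ANY, "any", (0, 65535)),
    Rule("deny-rdp", "deny", ANY, "10.0.0.0/24", "tcp", (3389, 3389)),
    Rule("allow-https", "allow", "203.0.113.0/24", "10.0.0.0/24", "tcp", (443, 443)),
]
```

Dropping the first rule from SAMPLE_RULES makes the deny and the scoped allow both reachable, and the audit comes back empty.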

Just remember, that in a true shared responsibility model, being ignorant of your responsibility is as bad as ignoring your responsibility.

#StayVigilant
#StaySafe
#LookOutForEachOther

And finally, this:

The cloud is totally “safe”…
