Although it goes without saying, especially these days; when it comes to information technology infrastructure and data, security is paramount. That goes for both on-premises infrastructure and data, as well as cloud-hosted. I want to dive more into the cloud side of this thought. People have been running workloads, applications, and services in private, on-premises data centers for years and years, so it seems obvious that we have certain security responsibilities and concerns. In the cloud, it might not always be clear, and the fine print needs to be read and understood. I think it would be easy for a consumer to think “well, this application is delivered ‘as a service’, so I don’t need to really need worry about the security of my data, it’s all just taken care of for me”. That being stated, there is one concept that I have found that breaks down this potentially nebulous security in the cloud concept well. That is the shared responsibility model.
At a high level, the concept of the shared responsibility model helps you understand where the responsibilities lie, between the cloud service provider and the consumer in a cloud deployment. The phrase that I have found that seems to explain the shared responsibility model very well is: when it comes to security, the cloud service provider is responsible for security of the cloud and the consumer is responsible for security in the cloud. I cannot quite remember if something along those lines is a direct quote from someone or some organization, but I like how it is laid out. Now, let’s dig into that statement a bit deeper. My interpretation of this is that cloud service providers are responsible for securing the services and the underlying infrastructure, while the consumers are responsible for securing the data and potentially the applications that run in the cloud. I say potentially when it comes to applications, because I think it depends upon the cloud service model in question. If it is a Software as a Service application, then the CSP would be responsible for security of the application. However, in the scenario of Infrastructure a as Service, the consumer would be responsible for application and operating system security. Ah yes, my favorite statement when it comes to information technology: it depends. In any event, the consumer really is responsible for ensuring data security and compliance in the cloud. Something that it seems we hear often in the news is that researchers continue to find unauthenticated, unsecured cloud hosted data storage on the internet. If we are following the shared responsibility model, this would be the fault of the consumer, rather than the cloud service provider.
I think that when it comes to cloud computing, especially relating to security, it is important to take the time to fully understand what you are doing and how you are implementing different services. While what you are consuming is being delivered “as a service”, you should still understand that you may have extra responsibilities and actions to take to properly secure your applications and data. When in doubt, take a look at managed/professional services as an option to help you out. To me, it isn’t always feasible for a company to have experts in every facet of technology, including cloud services. There is no shame in asking for help.