Cloud Security Knowledge Sharing By Guy-Bertrand Kamga

To promote a Secure Cloud-Based Digital Transformation

Month: July 2018

Dealing with Shared Responsibility Model in public Cloud

Cloud computing radically changes the way computing services are provided and consumed, so both cloud service providers and cloud service customers need to adapt to this new information technology service delivery model.

On one hand, for public cloud services, customers rent resources (e.g. software or applications, platforms, servers, etc.) running on platforms owned and operated by external service providers. Cloud customers generally pay for the services in proportion to their consumption (the pay-as-you-go billing or pricing model), and they can automatically scale (horizontally or vertically) based on their needs. These are only a few of the numerous benefits of public clouds.

On the other hand, public clouds are platforms shared between several customers (potentially including competitors, hackers, criminal organizations, etc.). That is why, since Amazon Web Services (AWS) launched the first public cloud service offering in 2006, security and compliance risks have consistently ranked among the top barriers to public cloud adoption.

When it comes to security in the public cloud, one of the main concepts to understand is the Shared Responsibility Model.

I released on Peerlyst (a web community of security professionals) a series of 3 posts focusing on the shared responsibility in public cloud.

In the first post, you will learn some tips that can help you understand how security responsibility is shared between the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC), and how a cloud customer should consider this aspect when defining and implementing its cloud security strategy.

In the second post of the series, I provided some tips that can help a CSC get a detailed view of the shared responsibility in public cloud. I particularly highlighted how important a clear understanding of the chain of responsibility on both the CSP and CSC sides is, as well as the key role of a cloud security RACI matrix.

In that second post, I also briefly introduced a Cloud Responsibility Checklist which can help a CSC evaluate to what extent its security responsibilities in a public cloud are under control.

In the third and last post of the series, I proposed a process that a CSC can use to keep control of the shared responsibility model in public cloud. This process includes the following 3 main steps:

  • Clarification of the responsibility scope
  • Identification and agreement on the responsibility delimitation with the CSP & partners
  • Evaluation of the alignment to the CSC’s cloud strategy

This process helps a CSC not only to ensure that it understands and takes care of its own responsibilities in the cloud, but also to make sure that the CSP and all involved partners have formally agreed with the CSC on their respective scopes of responsibility.

Pyramidal view of Cloud Security Risks

As I described in most of my previous articles, defining and implementing an effective cloud security strategy requires the involvement of several stakeholders within and outside of an organization.

Indeed, defining and implementing the cloud security strategy within an organization should include people from diverse entities, including:

  • Business Groups or Units
  • Information Technology (IT)
  • Cyber Security
  • Procurement and Supply Chain
  • Legal & Compliance
  • External partners (Cloud Service Providers, IT partners, Managed Service Providers, etc.)

Having all these diverse profiles involved ensures, on one hand, that most aspects will be taken into account in the cloud security strategy; on the other hand, it may lead to endless debates, as the members will not have the same level of knowledge of cloud computing.

Learn in this article posted on the Peerlyst community about the common stakeholders' positions or attitudes with regard to cloud security, as well as the multi-level or pyramidal view of cloud security risks.