Cloud computing radically changes the way computing services are provided and consumed, both cloud service providers and cloud service customers need to adapt themselves to this new information technology service delivery model.
On one hand, for public cloud services, customers must rent resources (e.g. software or applications, platforms, servers, etc.) running on platforms owned and operated by external service providers. Cloud customers generally pay for the services proportionally to their consumptions (known as pay as you go billing or pricing model), and they can automatically scale (horizontally or vertically) based on their needs. These are only few of numerous benefits of public clouds.
On the other hand, public clouds are shared platforms between several customers (including competitors, hackers, criminal organizations, etc.). That’s why, since the beginning of the 1st public cloud service offering launched by Amazon Web Services (AWS) in 2006, security and compliance risks are always among the top barriers for public cloud adoption.
When it comes to security in the public cloud, one of the main concept to understand, is the Shared Responsibility Model.
I released on Peerlyst (web comunity of security professionals), a series of 3 posts focusing on the shared responsibility in public cloud.
In the first post, you will learn some tips that can help to understand how the security responsibility is shared between the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC), and how a cloud customer should consider this aspect during the definition and implementation of its cloud security strategy.
In the second post of the series, I provided some tips that can be helpful for a CSC to have a detailed view of the shared responsibility in public cloud. I particularly highlighted how much a clear understanding of the chain of responsibility at CSP and CSC sides is important, as well as the key role of a cloud security RACI matrix.
In that second post, I also briefly introduced a Cloud Responsibility Checklist which can help a CSC to evaluate to what extend its security responsibilities in a public cloud are under control.
In the third and last post of the series, I proposed a process that can be used by a CSC to keep control of the shared responsibility model in public cloud. This process includes the following 3 main steps:
- Clarification of the responsibility scope
- Identification and agreement on the responsibility delimitation with the CSP & partners
- Evaluation of the alignment to the CSC’s cloud strategy
This process can help a CSC to not only ensure that it understands and takes care of its responsibilities in the cloud, but also to make sure that the CSP, as well as all involved partners have formally agreed with the CSC on their scope of responsibility.