The shared responsibility model refers to a framework that establishes the cloud security obligations of a cloud service provider and of the organization which uses those services. It aims to determine accountability and responsibility, so that all aspects of cloud security are covered.

Each cloud service provider may offer coverage over different security aspects, and this may greatly depend on the type of service: whether it is IaaS, PaaS, or SaaS, for example. In general, this model defines the expectations of the cloud provider when it comes to the security of a cloud provider:

• Physical facilities (such as data centers)
• Network devices (routers, switches, load balancers, etc.)
• Servers, virtualization layers, storage systems, etc.

On the other hand, the customer of the cloud service provider may be responsible for the security of aspects that fall under their direct control, such as:

• Data and asset access management
• Data and application protection and management
• Firewall, VPN (virtual private network), and other network-control configurations
• External connections to cloud assets (connections from entities outside of the organization)
• Additional cloud configurations

Both parties also must comply with industry standards and regulations. Depending on the type of service and the specific cloud provider, there may also be some overlapping responsibilities between the organization and the cloud service provider.

The shared responsibility model differs from service to service.

IaaS

The cloud service provider may be responsible for the physical security of the data centers, services, and storage, while the organization may have to ensure proper data configuration and classification.

PaaS

The cloud service provider may have to secure the platforms and its applications, while the organization may have to protect the code and assets developed on the platform.

In the shared responsibility model, the cloud service provider is held accountable for certain aspects of cloud security and coverage. These responsibilities are typically outlined in the provider’s SLAs.

Cloud data security refers to the protection of any type of data (whether it is stored or in transit to/from the cloud). The responsibility of cloud protection is divided between a cloud service provider and an organization with the shared responsibility model. That ensures that all aspects of security are accounted for when protecting cloud data.

The shared controls aspect of the model states that both parties are accountable for the protection of pre-determined aspects of the security of the data. For example, the cloud service provide may be held responsible for the physical security of the data centers that store the data, while the organization may be responsible for the access and policy management of the data (who can access it, when, where and why).

Keep in mind that responsibility is divided differently depending on the type of cloud service and the specific cloud provider.

To fulfill their share of the shared responsibility model, organizations must first understand the SLAs associated with the cloud service(s) and service provider(s). There is no standard shared responsibility model, so it may differ greatly between providers and services. Furthermore, organizations should have strong data access management and security policies in place. It may be prudent to also establish clear communication channels within the organization and with the cloud service provider to efficiently receive notifications and information about the status of the cloud environment.

Since there is so much variation in the cloud, and organizations are constantly scaling their ever-changing cloud ecosystems, it may be useful to consider a cloud management solution. These tools can facilitate in the process of understanding user access controls, managing risk, and/or visualizing cloud entitlements, among many other features.

In some cases, they may even provide automated remediation solutions and recommendations, and augmented visibility over all cloud assets across various cloud services and providers. These enhancements may prove extremely useful when managing a complex cloud environment.

Learn more about how different uses of AI can help make protecting data in the cloud easier for security teams in the white paper "The CISO's Guide to Cloud Security."

Darktrace/Cloud provides dynamic visibility into your cloud environments for cloud-native threat detection and response. Darktrace's Cyber AI understands your cloud environment, continuously learning ‘normal’ across your network, architectural and management layers.