
Cloud Security and Shared Responsibility Model
From my many conversations with cloud users, security and compliance seem to be something of a grey area: either people are knowledgeable but not compliant, or they are barely knowledgeable at all. So we are beginning a series on cloud security best practices, with the overall goal of helping you improve the security posture of your cloud environments. We start with the Shared Responsibility Model, which lies at the very foundation of cloud security!
Shared Responsibility Model in our everyday life…
Cloud security, like many other security mechanisms in everyday life, operates on a shared responsibility model. Your building's security works the same way: building management provides secure locks at the entrance doors or gates, while you must secure your personal belongings within your apartment or office. Your national or state security forces provide safe streets, while you must still remain vigilant on a personal level in your immediate environment. You are probably already getting the hang of what we mean by cloud security and compliance operating on a shared responsibility model.
How does this work on the cloud?
Your CSP (AWS, in this case) is responsible for security of the cloud, while you are responsible for security in the cloud.

Now let's break that down a bit more. The shared responsibility diagram above shows that:
AWS responsibility “Security of the Cloud”:
- Hardware / AWS Global Infrastructure: AWS owns and controls access to the hardware and networking components, the physical assets of the cloud infrastructure, which include:
- Data centres where your data resides
- Generators
- Uninterruptible Power Supply (UPS)
- Power Distribution Units (PDUs)
- Computer Room Air Conditioning (CRAC)
- Fire suppression systems
- Physical access entry and control
- Software: AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities, which include:
- Compute: the physical hosts and hypervisor beneath virtual machines such as EC2 instances (the guest operating system inside the instance is yours)
- Storage: the storage infrastructure behind services such as Amazon S3
- Database: the managed database platforms behind Amazon Aurora and DynamoDB
- Networking: the network infrastructure behind features such as Elastic IPs (EIPs)
Customer responsibility “Security in the Cloud”:
Any data you put into the cloud becomes your responsibility to protect, and how much additional security you layer on top of what AWS provides (security of the cloud) is entirely your decision.
Which security and compliance practices you choose may depend on the nature of your business or on security control policies you already have in place, and it will also be determined by the AWS services you select.
For services such as EC2, which are categorised as Infrastructure as a Service (IaaS), the customer performs all of the necessary security configuration and management tasks. In this case the customer manages guest operating system updates and security patches, any application software or utilities installed on the instances, and the configuration of the AWS-provided firewall (security groups) on each instance.
For managed services such as Amazon DynamoDB and Amazon S3, AWS operates the infrastructure layer, the operating system and the platform, while customers are responsible for managing their data: choosing encryption options, classifying their assets, and using Identity & Access Management (IAM) to apply appropriate permissions.
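As an added example (written for this edit; it is not code from the original post and not Wendu's code), here is a small offline audit of the customer-side controls the two paragraphs above describe: the instance firewall (security groups) for EC2, default encryption for S3 buckets, and, going one step beyond the text, IAM hygiene in the form of MFA on console users and access key age. Every record below is constructed inline and only mirrors the shape of the boto3 `describe_security_groups`, `get_bucket_encryption` and IAM list responses a real collector would fetch; nothing here calls AWS. The 90-day key age limit, the set of "admin" ports and the fixed clock are assumptions for the example.

```python
"""Offline audit of "security in the cloud" controls on constructed data.

Added example: the inventory below is made up and only follows the shape of
the boto3 responses (describe_security_groups, get_bucket_encryption,
list_users / list_mfa_devices / list_access_keys). Nothing calls AWS.
"""
from datetime import datetime, timedelta, timezone

ADMIN_PORTS = {22, 3389}                  # SSH and RDP (assumed list)
ANYWHERE = {"0.0.0.0/0", "::/0"}          # IPv4 / IPv6 "open to the world"
MAX_KEY_AGE = timedelta(days=90)          # assumed rotation limit
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for reproducibility

# --- Constructed sample inventory (not a real account) ---------------------
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},          # public HTTPS: fine
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},          # SSH open to the world
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},  # internal only
]

# get_bucket_encryption result per bucket; None stands for the
# ServerSideEncryptionConfigurationNotFoundError a real call would raise.
BUCKET_ENCRYPTION = {
    "app-logs": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "raw-uploads": None,
}

IAM_USERS = [
    {"UserName": "alice", "HasConsolePassword": True, "MfaDevices": 1,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE0001", "CreateDate": NOW - timedelta(days=30)}]},
    {"UserName": "bob", "HasConsolePassword": True, "MfaDevices": 0,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE0002", "CreateDate": NOW - timedelta(days=400)}]},
    {"UserName": "ci-deployer", "HasConsolePassword": False, "MfaDevices": 0,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE0003", "CreateDate": NOW - timedelta(days=10)}]},
]


def _open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is 0.0.0.0/0 or ::/0."""
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)


def _covers_admin_port(perm):
    """True for 'all traffic' rules or port ranges that include SSH/RDP."""
    if perm.get("IpProtocol") == "-1":    # -1 means all protocols, no ports
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_security_groups(groups):
    """EC2 (IaaS): the instance firewall is the customer's to configure."""
    return [("HIGH", sg["GroupId"], "admin port or all traffic open to the world")
            for sg in groups for perm in sg["IpPermissions"]
            if _open_to_world(perm) and _covers_admin_port(perm)]


def check_bucket_encryption(buckets):
    """S3: AWS runs the storage; the customer chooses how data is encrypted."""
    return [("MEDIUM", name, "no default server-side encryption configured")
            for name, cfg in buckets.items() if cfg is None]


def check_iam_users(users, now=NOW):
    """IAM: MFA for console users, rotation for long-lived access keys."""
    findings = []
    for u in users:
        if u["HasConsolePassword"] and u["MfaDevices"] == 0:
            findings.append(("HIGH", u["UserName"], "console user without MFA"))
        for key in u["AccessKeys"]:
            age = now - key["CreateDate"]
            if age > MAX_KEY_AGE:
                findings.append(("MEDIUM", key["AccessKeyId"],
                                 f"access key is {age.days} days old (limit {MAX_KEY_AGE.days})"))
    return findings


def audit(groups=SECURITY_GROUPS, buckets=BUCKET_ENCRYPTION, users=IAM_USERS, now=NOW):
    """Run every customer-side check and return (severity, resource, message) tuples."""
    return (check_security_groups(groups)
            + check_bucket_encryption(buckets)
            + check_iam_users(users, now))


if __name__ == "__main__":
    for severity, resource, message in audit():
        print(f"[{severity}] {resource}: {message}")
```

Running it flags only the things that are the customer's job in the model: the bastion group that exposes SSH to the internet, the bucket with no default encryption, the console user without MFA and the stale access key. The public HTTPS rule and the internal-only "all traffic" rule pass, which is the point of checking both the CIDR and the port range rather than either alone. Pointing the same functions at live boto3 output only requires replacing the constructed inventory with the real API responses.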
Wendu and the Shared Responsibility Model
That was a brief overview, with examples from several AWS services, of what the shared responsibility model is and what it looks like in practice: what AWS is responsible for and what you are responsible for.
Tools such as Wendu help you stay accountable for your own side of that model by checking compliance with AWS security best practices such as IAM configuration, multi-factor authentication (MFA), password policies, access key policies and IAM principals.
Wendu is revolutionising cloud security through SecFinOps and agentless security - enabling teams to collaborate, take ownership, and become accountable for their cloud estates and environments in terms of security, spend, quality and speed.
Learn more about Wendu here, and you can also request a demo to see Wendu in action.