Who is responsible for data and application security in the cloud? It all depends on the service you purchase and what exactly the provider offers. To help you understand the various aspects of the problem, we have prepared an overview of the available service models and the division of responsibility that goes with each of them.
Those who have never had any experience with cloud solutions usually take one of two extreme approaches. The first involves complete mistrust and denial of any potential benefits of migrating to the public cloud, specifically because of a perceived lack of security. The contrary approach is based on complete confidence in cloud computing providers and the belief that they take full responsibility for this area. The situation is more nuanced: if you want to ensure security in practice, both parties to the process, the provider and the user, must be involved in varying proportions. The degree of each party’s involvement results directly from the type of cloud computing service you choose.
When it comes to security in cloud services, we are dealing with the model of shared responsibility between the provider and user of public cloud services. The model describes responsibilities not only in terms of data and application security, but also in terms of ongoing maintenance of systems. This text focuses on security aspects from the user’s perspective.
If all systems in the organization are used in the on-premises model, the approach to security is very simple. The user is responsible for every aspect of maintaining, monitoring and securing the environment, from the power supply and protection against damage (fire, flood), through the physical infrastructure, to the operating systems and applications. The user also bears the consequences of system unavailability, break-ins and data leaks.
Migration to a public cloud means a gradual reduction of the user’s responsibility and its transfer to the cloud provider. The more advanced and complete the service, the more responsibility is taken over by the cloud provider and the less is borne by you.
Infrastructure as a Service (IaaS)
Let’s start with the simplest cloud service, IaaS (Infrastructure as a Service), that is, the ability to rent infrastructure on a subscription basis. What does this mean? As part of this service, the public cloud provider takes over responsibility for the physical part of maintaining the IT environment. You no longer have to worry about power supply, hardware, cabling, access control, video surveillance, security personnel and the other aspects of running your own data center. All of these are the responsibility of the cloud service provider. The user is still responsible for the operating system and everything above it (databases, applications).
Public cloud operators, including OChK, provide the highest standards of security for the data centers where the hardware is located. Moreover, by operating several data centers in different locations (or even in different countries, in the case of global providers), they are able to ensure availability and resilience at a level that is practically unattainable in the on-premises model.
Platform as a Service (PaaS)
Another cloud service model is PaaS (Platform as a Service). In terms of security, this service poses the biggest challenge, because different platforms divide responsibilities between the public cloud operator and the client in an inconsistent manner. One thing is certain: responsibility for the operating system on which the platform runs rests with the cloud service provider. For example, if you set up a managed Kubernetes cluster, you will not be involved with the operating system. The system is obviously installed on the server, and in some cases you can even log in to it; however, this is not recommended, precisely because responsibility for the operating system remains with the cloud provider.
Above the operating system there are the applications and the privileges within the project and folder structure (or whatever organizational container a particular cloud service provider uses). Here the situation becomes more ambiguous, as it depends on the specific cloud service provider. It is best to verify with the provider of a particular platform which of these elements are their responsibility and which are yours. It may also turn out that in a particular area the responsibility is shared.
For example, a cloud provider can automatically configure a network layer for you so that you can use a given platform with its default settings. During the course of the project, however, it may turn out that you need more advanced functionality, for which you change part of the network configuration yourself. From that point on the responsibility is genuinely shared, and you need to be aware of that.
Software as a Service (SaaS)
Finally, there is SaaS, or Software as a Service. From the perspective of transferring responsibility for maintenance and security, this model is the most beneficial to the user. User responsibility begins at the application layer, which means you need to take care of identities and privileges, the data you process in the application, and the client devices (usually employee workstations) from which the service is used. Everything else, i.e., the servers, operating system and network, as well as the security of the application itself, rests with the cloud provider.
However, it is important to note that although cloud providers ensure data backup that guarantees uninterrupted data availability, there are situations where this may not be sufficient. What we specifically mean are user mistakes, such as the accidental deletion of data (e.g., text files, emails, pictures, etc.). In this case, the cloud application provider is not responsible and will not be able to restore the deleted files. This is exactly why you should check whether the application allows you to create an additional backup, whether using another, external service or in the form of files and folders saved locally. This is especially important if you store data that is critical for your organization in the application.
The responsibilities are easier to understand if you look at the diagram below. As you can see, there are areas that are always covered by the cloud provider and areas that the user always takes care of. There are also areas that, depending on the model you choose for a given service, shift between the client and the provider. You should therefore identify, in each case, where your responsibility ends and take care of everything you are responsible for.
Identity: the key to cloud security
A very important issue is identity management in the public cloud. This is an aspect that always lies within the client’s responsibility. Therefore, it should not be underestimated, and you should always verify the security options available, since service providers offer different authentication and authorization models. When creating an IT environment, you should choose the model that offers you both convenient use and an adequate level of security.
Identity is important in any IT system, but its compromise in a cloud environment is particularly severe. Unlike on-premises systems, cloud applications are tightly integrated with each other, and usually a single identity grants access to multiple systems. Unauthorized access to one identity may therefore expose a multitude of valuable data.
In addition to identity verification and authorization models in public clouds, we also have other tools available, such as PIM (Privileged Identity Management) and PAM (Privileged Access Management). It is worth familiarizing yourself with them before migrating to the cloud. Make sure you also learn about the “Zero Trust” model, which is increasingly being used in public clouds, and about SDP (Software Defined Perimeter), one way of implementing the Zero Trust model. This is an important and extensive topic, so we will devote a separate entry on our blog to it.
This article collects the basic information on responsibility for data and application security in the public cloud. However, with complex projects such as those related to identity management in a multi-cloud environment, every case is slightly different and requires individual analysis and solutions. This is why you should leverage the knowledge and experience of OChK experts to prepare well for the migration and effectively ensure cloud security. We look forward to cooperating with you!