The Evolving Shared Security Responsibility Model in the Cloud

The cloud is a digital frontier promising scalability and agility, and it raises a critical question: Who secures what in this vast landscape? The Shared Responsibility Model (SRM) is not just a legal formality but a dynamic framework that evolves with technology and cyber threats. Understanding this model is crucial, as it’s the key to securing your cloud environment. The advent of serverless functions, containerization, and AI has changed how we deploy applications, necessitating a deeper understanding and proactive adaptation of the SRM.

The traditional SRM is about the division of duties

In its traditional form, the SRM was a clear-cut division of labor. Cloud service providers (CSPs) took ownership of securing the foundational layers of the cloud, including the physical infrastructure housing the servers, the network controls governing traffic flow, and the hypervisor layer that enables virtualization.

Customers were responsible for everything they brought into the cloud: data, applications, operating systems, configurations, and the diligent patching of vulnerabilities in their software stack. However, the belief that the cloud is secure by default is a dangerous oversimplification. While CSPs strive to provide a secure foundation, the customer’s actions (or inactions) can significantly impact the overall security posture:

  • Misconfigurations of cloud resources, such as overly permissive access controls or unsecured storage buckets, can expose sensitive data and create vulnerabilities.
  • Secrets such as API keys and credentials that are committed to code repositories can be exploited by attackers; repositories therefore need continuous monitoring by robust secret-scanning tools.
  • Unpatched vulnerabilities in application dependencies can serve as entry points for malicious actors.
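
The secret-scanning bullet above is the kind of check that can run in a pre-commit hook or CI job. The following is an added example written for this article, not code from the author or from any Check Point product: it scans constructed source lines for credential-like material using an AWS access-key-id prefix rule, a quoted credential-assignment rule filtered by Shannon entropy (so template placeholders do not fire), and a PEM private-key header rule. The sample lines, the rule set and the entropy threshold are assumptions made for the example; the AWS key values are the ones AWS publishes as documentation examples.

```python
import math
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    preview: str  # redacted, so the scan report itself never leaks the secret


# Detection rules, checked in order; the first rule that matches a line wins.
# The patterns are assumptions modelled on common credential formats; a real
# scanner carries many more. The third tuple field says whether a match must
# also pass the entropy test before it is reported.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("credential-assignment",
     re.compile(r"(?i)(?:key|secret|token|password)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
     True),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), False),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders fall well below this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: random keys score high, placeholders low."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so a human can locate the finding."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_lines(lines) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern, needs_entropy in RULES:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1) if match.lastindex else match.group(0)
            if needs_entropy and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: a placeholder, not a live credential
            findings.append(Finding(line_no, rule, redact(secret)))
            break
    return findings


# Constructed sample file contents (not from any real repository).
SAMPLE_REPO_LINES = [
    "# settings.py -- constructed sample file for this example",
    "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",  # AWS documentation example key id
    "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",  # documentation example
    "db_password = 'xxxxxxxxxxxxxxxx'",  # template placeholder: low entropy, no alert
    "api_token = os.environ['API_TOKEN']",  # read from the environment: no literal, no alert
    "-----BEGIN RSA PRIVATE KEY-----",
    "timeout = 30",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_REPO_LINES):
        print(f"line {finding.line_no}: {finding.rule} ({finding.preview})")
```

Running the block reports lines 2, 3 and 6 and stays silent on the placeholder and the environment lookup; the redacted preview is what should reach a ticket or CI log, never the matched value itself.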

These risks underscore the need for a deeper understanding of the SRM and proactive measures to address the customer’s side of the security equation.

Key drivers of SRM evolution

The SRM is not a static document; it is constantly evolving, driven by three main factors.

1. Technological advancements

The rise of serverless computing and containerization has introduced new complexities to the SRM. The CSP manages the underlying infrastructure in serverless environments, but the customer is responsible for securing the function code, its dependencies, and its runtime environment. Containerization introduces a similar challenge, with the CSP managing the container orchestration platform, but the customer is responsible for securing the container images and the applications running within them.

2. Threat landscape

Cyber threats are becoming increasingly sophisticated, targeting both CSPs and their customers. Multi-vector ransomware attacks, advanced persistent threats (APTs), and supply chain attacks pose significant risks. Data breaches have become commonplace, highlighting the importance of robust data protection measures that both parties share responsibility for.

Moreover, the proliferation of cloud-native threats, such as misconfigurations of cloud resources and vulnerabilities in application programming interfaces (APIs), requires specialized security tools and expertise from both sides of the equation.

3. Regulatory requirements

Stringent data protection and privacy regulations, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), directly impact how the SRM is implemented and enforced. These regulations often require a shared responsibility approach, with both CSPs and customers taking specific measures to ensure compliance.

The modern SRM: A multilayered approach

In response to these evolving challenges, the modern SRM has transformed into a multilayered approach where shared responsibility is the norm rather than the exception.

IAM

Identity and Access Management (IAM) is a prime example of this shift. While CSPs provide the foundational IAM infrastructure, customers must implement fine-grained access controls, enforce least privilege principles, and regularly audit permissions to ensure that only authorized users can access sensitive resources.
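
The fine-grained access control and permission audit described above can be automated. The following is an added example for this article, not code from the author or any CSP: it audits IAM-style policy documents for the grants that most often break least privilege (`Action: "*"`, service-wide `service:*` actions, `Resource: "*"`, and a `Principal: "*"` that opens a resource policy to anyone), and notes when such a wildcard grant carries no `Condition`. The three policy documents are constructed for the example; their JSON layout follows the AWS IAM `Version`/`Statement`/`Effect`/`Action`/`Resource` grammar, but the severities and rule names are assumptions.

```python
import json
from typing import Dict, List

# Constructed policies (the bucket name and statement ids are made up).
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllS3", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/reports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
})


def _as_list(value) -> list:
    """IAM fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    # A resource policy's Principal may be the string "*" or a map such as {"AWS": "*"}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _issue(sid: str, severity: str, finding: str) -> Dict[str, str]:
    return {"sid": sid, "severity": severity, "finding": finding}


def audit_policy(document: str) -> List[Dict[str, str]]:
    """Return one issue per least-privilege violation found in an Allow statement."""
    policy = json.loads(document)
    issues = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard = False
        if "*" in actions:
            wildcard = True
            issues.append(_issue(sid, "high", "Action '*' allows every API call"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                wildcard = True
                issues.append(_issue(sid, "medium", f"service-wide wildcard action {action}"))
        if "*" in resources:
            wildcard = True
            issues.append(_issue(sid, "high", "Resource '*' applies the grant to every resource"))
        if _principal_is_anyone(stmt.get("Principal")):
            wildcard = True
            issues.append(_issue(sid, "high", "Principal '*' grants access to anyone, including anonymous callers"))
        if wildcard and "Condition" not in stmt:
            issues.append(_issue(sid, "low", "wildcard grant has no Condition narrowing it (source VPC, MFA, TLS, ...)"))
    return issues


def is_least_privilege(document: str) -> bool:
    """A policy passes when no high-severity wildcard grant is present."""
    return not any(issue["severity"] == "high" for issue in audit_policy(document))


if __name__ == "__main__":
    for name, doc in [("overly permissive", OVERLY_PERMISSIVE_POLICY),
                      ("public bucket", PUBLIC_BUCKET_POLICY),
                      ("least privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, "->", is_least_privilege(doc))
        for issue in audit_policy(doc):
            print("  ", issue["sid"], issue["severity"], issue["finding"])
```

The least-privilege policy names specific actions and ARNs and adds a condition, so it produces no issues; the other two show how a single `*` in the wrong field turns an internal grant into an account-wide or public one, which is the "unsecured storage bucket" misconfiguration described earlier in the article.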

Data security

Data security is another area where shared responsibility is critical. CSPs typically provide encryption at rest and in transit, but customers must ensure proper key management and implement additional encryption measures if needed. Data loss prevention (DLP) solutions, which monitor and prevent sensitive data from being exfiltrated, require both effective CSP capabilities and customer configuration.

Incident response

Incident response is inherently collaborative. CSPs are responsible for detecting and mitigating infrastructure-level incidents, such as DDoS attacks or hardware failures. However, customers must have their own incident response plans in place to address security events within their applications and data, including log analysis, forensic investigation, and timely communication with the CSP.
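
The customer-side log analysis mentioned above is where a cloud tenant's own detection starts. The following is an added example for this article, not code from the author or any CSP: it runs three detections over constructed CloudTrail-style audit events (a console login without MFA, an API call that stops or deletes audit logging, and a burst of `AccessDenied` responses for one principal). The field names (`eventName`, `eventSource`, `userIdentity`, `additionalEventData.MFAUsed`, `errorCode`) follow CloudTrail's record layout; the events, the account id, the IP addresses (from RFC 5737 documentation ranges), the threshold and the severities are all assumptions made for the example.

```python
from collections import Counter
from typing import Dict, List

LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
ACCESS_DENIED_THRESHOLD = 3  # assumed; tune to the account's normal error rate


def _denied(minute: int, source: str, name: str) -> dict:
    """Build one constructed AccessDenied event for the sample set."""
    return {"eventTime": f"2024-05-01T08:{minute:02d}:00Z", "eventSource": source,
            "eventName": name, "errorCode": "AccessDenied",
            "userIdentity": {"type": "IAMUser", "userName": "carol"},
            "sourceIPAddress": "203.0.113.44"}


# Constructed sample events; every value is made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9"},
    _denied(20, "s3.amazonaws.com", "ListBuckets"),
    _denied(21, "ec2.amazonaws.com", "DescribeInstances"),
    _denied(22, "secretsmanager.amazonaws.com", "GetSecretValue"),
    {"eventTime": "2024-05-01T08:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
]


def principal(event: dict) -> str:
    """Best available name for the caller: user name, else ARN, else identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _alert(rule: str, severity: str, who: str, detail: str) -> Dict[str, str]:
    return {"rule": rule, "severity": severity, "principal": who, "detail": detail}


def detect(events) -> List[Dict[str, str]]:
    """Evaluate the three detections over a batch of events and return alerts."""
    alerts = []
    denied = Counter()
    for ev in events:
        who = principal(ev)
        name = ev.get("eventName")
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            severity = "critical" if ev.get("userIdentity", {}).get("type") == "Root" else "high"
            alerts.append(_alert("console-login-without-mfa", severity, who,
                                 f"from {ev.get('sourceIPAddress')} at {ev.get('eventTime')}"))
        if name in LOGGING_TAMPER_EVENTS:
            alerts.append(_alert("audit-logging-tampering", "high", who,
                                 f"{name} at {ev.get('eventTime')}"))
        if ev.get("errorCode") == "AccessDenied":
            denied[who] += 1
    # Per-principal aggregation runs after the pass so the burst is counted once.
    for who, count in denied.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            alerts.append(_alert("access-denied-burst", "medium", who,
                                 f"{count} AccessDenied responses in the batch"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], alert["principal"], alert["detail"])
```

The MFA-protected login and the ordinary `GetObject` call produce nothing; the root login without MFA, the `StopLogging` call and carol's three denials each produce one alert. The logging-tampering rule matters because it is the customer's audit trail, not the CSP's, that an incident responder will need to reconstruct what happened.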

AI and ML

Emerging technologies like AI and machine learning are also reshaping the SRM. AI-powered threat detection and anomaly detection tools can enhance the security posture of both CSPs and customers by automatically identifying suspicious activity and potential vulnerabilities. Automation plays a vital role in incident response, allowing for faster detection and remediation of threats.

Practical recommendations for cloud users

In this complex landscape, cloud users must adopt a proactive and vigilant approach to security:

  1. Thoroughly understand your CSP’s specific SRM. Don’t assume all providers are the same; each has its own nuances and specific delineations of responsibility.
  2. Conduct a comprehensive risk assessment of your cloud environment, identifying vulnerabilities in your applications, configurations, and the CSP’s infrastructure.
  3. Embed security into the very fabric of your cloud projects from the outset. Don’t treat it as an afterthought. Employ security best practices like infrastructure as code (IaC) and continuous monitoring.
  4. Leverage advanced security tools that can automate the detection and remediation of vulnerabilities in your code, configurations, and cloud infrastructure.

The cloud offers immense opportunities, but it also presents significant security challenges. By understanding the evolving Shared Responsibility Model, embracing collaboration with your CSP, and implementing robust security measures, you can navigate this dynamic landscape and build a secure and resilient cloud environment.

Dotan Nahum
Head of Developer-First Security at Check Point Software Technologies

Dotan Nahum is the Head of Developer-First Security at Check Point Software Technologies. Dotan was the co-founder and CEO of Spectralops, which was acquired by Check Point Software. He is an experienced hands-on technological guru and code ninja, a major open-source contributor, with deep expertise in React, Node.js, Go, React Native, distributed systems and infrastructure (Hadoop, Spark, Docker, AWS, etc.). https://www.checkpoint.com/