Question your beliefs: cloud security is almost never the cloud provider's responsibility alone. Unexamined assumptions about who secures what can expose an organization to serious risk, as this article shows.
When organizations adopt cloud services to make their business more efficient, they also enter new environments that require safeguards they may not be fully aware of.
The boundary between the security measures implemented by the Cloud Service Provider (CSP) and those owed by the client is often blurred, and this blurring is itself a source of risk. Many organizations assume that the CSP is responsible for the entire cloud environment and believe that, once service settings are configured, they can forget about maintenance. This is one of the most common reasons why companies struggle to secure their cloud-based data.
Whether the client is only now adopting a cloud solution or has years of deployments under its belt, it is worth taking the time to establish which aspects of security fall to the CSP and which remain in the domain of the client organization.
The cloud provider is responsible for some of the security layers, but never the full stack. The client must define and implement the remaining layers in line with its own regulations, risk assessments and policies.
To clarify how responsibility for securing data in the cloud is divided between the two parties, the Shared Responsibility Model has been established. There are two main approaches for defining the Shared Responsibility Model in the cloud security context:
Understanding the boundaries of the Shared Responsibility Model is essential when moving to the cloud or, at the latest, once already in the cloud. The organization should analyze and understand the key points of the applicable Shared Responsibility Model in order to implement the appropriate safeguards and reduce its risk.
Unfortunately, the existence of the Shared Responsibility Model is not by itself enough to mitigate the risks. The client's commitment must be sustained and ongoing.
First of all, the client should take the time needed to understand the boundary between the organization and the CSP, together with the responsibilities on each side. This is not grasped immediately, and it may prove demanding and costly.
The costs of adopting a cloud solution are substantial. An effective cloud security model requires the organization to commit a budget both to the security measures it must implement on its side of the boundary and to training for its staff.
Complex structures further complicate the shared responsibility because it is easier to blame the other party when something goes wrong. The duties should be clearly delineated, and collaborating is fundamental. If teams don't communicate in a cloud operations environment, the disconnect only worsens.
Sometimes the IT department is tempted to speed up a cloud implementation by neglecting cyber security safeguards, so that compliance, security and governance are sacrificed in the rush to launch cloud services. To counteract this tendency, there should be a common control and decision-making process over the entire project and, again, continuous communication.
Our services are designed to help clients minimize the risks associated with adopting a cloud service. With our expertise we can support clients from the initial phase of a cloud service provider engagement through the entire maintenance of the solution.