One of the most common phrases when we talk about security and compliance in the public cloud is shared responsibility, and in this article, we want to explain what this shared responsibility is
The first thing that should be clear is that this concept of shared responsibility is applicable to any public cloud regardless of the provider we contract, as all of them have a section where they explain how they see shared responsibility.
Shared responsibility means that for security and compliance issues there is a shared responsibility between the public cloud provider and the customer.
The second is the meaning of shared responsibility. Shared responsibility means that for security and compliance issues there is a shared responsibility between the public cloud provider and the customer. In this shared model the customer is relieved of some operational burden over the different environments, as the public cloud providers operate, manage and control all components of the physical host operating system and virtualisation layer, as well as the physical security of the premises on which the services run.
On the other hand, the customer must assume management and responsibility for the guest operating system (including updates and security patches), for any other application software deployed under that operating system and for the security configuration of the service/instance such as firewall, access rules and identity. Each service or type of service (SaaS, PaaS, IaaS) in a Cloud environment requires different responsibilities from customers for the integration of these into their IT environment and the corresponding legislation and regulations.
Microsoft's vision of Shared Responsibility
AWS Vision of Shared Responsibility
How do we apply this model?
Customers often have the perception that the fact that a cloud service complies with a certain regulation (for instance, PCI/DSS, EIOPA, ENS, etc.) exempts them from having responsibility for the environment, as the service already complies, and they do not perceive that this regulation requires, for example, encryption at rest or identity management, elements whose configuration or implementation is the responsibility of the customer, i.e. the customer must distinguish between compliance of the cloud and compliance on the cloud, or security of the cloud and security on the cloud.
To conclude and so that we can all understand what the shared responsibility model is, I will explain it with a simile. Compliance of the cloud would be like having a car with the maximum number of stars and maximum score in crash tests, and compliance on the cloud is driving that car on the road below the maximum speed marked on the road. In the end, compliance and safety is something shared between the vehicle manufacturer, who provides all the means to make it safe, and us as drivers applying road safety rules.
