The primary objective of the cloud shared responsibility model is to define or identify customers’ responsibilities pertaining to security and compliance. This model can help relieve customers’ operational burdens as the cloud service provider (CSP) operates, manages and controls the host operating system, infrastructure components and actual physical security of the facilities.
The customer is responsible for the management of guest operating systems and application software components depending on the service model (infrastructure as a service [IaaS], platform as a service [PaaS], software as a service [SaaS]).
Figure 1 summarizes the controls that are owned by a typical CSP versus their customers in each model.
Figure 1—Controls Owned by the CSP and Its Customers
| Control Area | IaaS | PaaS | SaaS |
|---|---|---|---|
| Physical controls—Physical access to data centers is restricted to authorized personnel, and mechanisms are in place to minimize the effect of a malfunction or physical disaster on data center facilities | CSP | CSP | CSP |
| Environmental controls—Controls tied to monitoring for fire, air conditioning or other data center activity to support disaster risk reduction | CSP | CSP | CSP |
| Data integrity and confidentiality—Controls to provide reasonable assurance that data handling between the customer and the host service provider is secure | Customer | Customer | Customer |
| Identity and Access Management | Customer | Shared | Shared |
| Access policies—Logical access restrictions to guard against unauthorized access | Customer | Customer | Customer |
| Identity management—Secure control of access to services and resources for users | Customer | CSP | CSP |
| Access and authentication—Multifactor authentication (MFA) controls across layers of access to the environment | Customer | CSP | CSP |
| Application Layer Processes | Customer | Shared | CSP |
| Application security—Controls such as hardening or patch management used to ensure adequate security | Customer | CSP | CSP |
| Application-specific logic and code—Controls around the entire application development lifecycle | Customer | Customer | CSP |
| Network Management | Shared | CSP | CSP |
| Network security and configuration—Controls for protection against network security issues, including distributed denial of service (DDoS), man-in-the-middle (MitM) attacks, Internet Protocol (IP) spoofing, port scanning or packet sniffing | Customer | CSP | CSP |
| Network—Network cables and other network components | CSP | CSP | CSP |
| Network monitoring—Controls around network usage, port scanning, application usage or unauthorized intrusion attempts | CSP | CSP | CSP |
How to Apply the Shared Responsibility Model in Practice
Practical applicability of the shared responsibility model varies depending on the use case. The customer's share of responsibility depends on various factors, such as the service model, the services and operating regions used, the customer's IT environment, and regulatory requirements.
However, there are exercises that can help customers determine the distribution of responsibility for their specific use case, including:
- Determine external and internal security and related compliance requirements and objectives. Industry frameworks and standards such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and International Organization for Standardization (ISO) standards can be considered.
- Perform a review of third-party audit attestation documents to determine inherited and complementary user entity controls (CUECs).
- Evaluate the security and compliance-related services provided by the CSPs.
- Undergo CSP-specific training to fully understand customer responsibilities and leverage any services and functionalities provided by the CSP.
Editor’s note: For further insights on this topic, read Jai Sisodia and Mohammed Khan’s recent Journal article, “Understanding the Shared Responsibilities Model in Cloud Services,” ISACA Journal, volume 3, 2022.