Let us understand how the division of responsibilities varies from one service model to another:
- On-premises data centers: In an on-premises infrastructure (hardware and software), the customer is responsible for everything, from the physical security of data centers to the encryption of sensitive data.
- IaaS: Virtual machines as services, which are offered by cloud providers such as Azure VM, AWS EC2, and Google Compute Engine, can be taken as examples of IaaS. If a customer decides to use VMs in the cloud, the cloud provider is responsible for the security of the physical data center, physical network, and physical host where the VM is hosted. As per Figure 1.4, security to the operating system (vulnerabilities and patches), network controls, applications hosted in the VM, identity and directory infrastructure, devices through which VMs are accessed, and information and data in the VM are all the customer’s responsibility.
- PaaS: A wide range of services is offered by cloud providers under the PaaS category. Azure Web App, Logic Apps, Azure Functions, Azure SQL, Azure Service Bus, AWS Lambda, AWS Elastic Beanstalk, and Google App Engine are a few services under the PaaS category. As the service name suggests, PaaS provides an environment for building, testing, and deploying software applications. The most useful benefit of PaaS for its customer is that it helps create an application quickly without the need to manage the underlying infrastructure, such as hardware and operating systems. This becomes easy for customers as they are only responsible for securing the application and data.
- SaaS: SaaS is a readymade, subscription-based application made available by cloud providers for its customers. Microsoft 365, Skype, Google Workspace, ERP, Amazon Chime, Amazon WorkDocs, and Dynamics CRM are some common examples of SaaS offerings. Out of all the service offerings, SaaS requires the least security responsibility from customers. The cloud provider is responsible for everything except data, identity access, accounts, and devices.
Important note
No matter which service is availed by the customer, the responsibility to protect accounts and identity, devices (mobile and PCs), and data is always retained by the customer.
The shared responsibility model is one of the most important topics to understand in the cloud security domain. Now that you understand it, let us understand another important topic – defense in depth.
Defense in depth
Defense in depth (DiD) is a cybersecurity strategy that uses a layered security approach to protect organizations’ critical assets from cyber criminals by utilizing a series of security measures to slow the advance of an attack. This was originally inspired by the military strategy, where each layer provides protection so that if one layer is breached, a subsequent layer will prevent an attacker from getting unauthorized access to data.