Cloud security is a tricky area. There are many myths about securing the cloud. Some think that once you have moved to the cloud, it is the cloud provider’s responsibility to protect everything in the cloud, while others think that nothing is secure in the cloud and it is not safe to move to the cloud, especially when you are dealing with sensitive data. The fact is security and compliance in the cloud is a shared responsibility between cloud providers and cloud customers.
This brings a lot of questions to our minds. Who is responsible for what? How do you define the responsibility matrix between cloud providers and customers? Who defines those responsibilities and on what basis?
Let us understand this with a simple and fun analogy of a Pizza-as-a-Service model. The cloud’s shared responsibility model can be explained using the analogy of ordering pizza in different ways: making it at home, ordering a Take and Bake pizza, ordering a pizza for delivery, or dining out at a restaurant:
Figure 1.3 – Pizza-as-a-Service model
- Making pizza at home is like managing your IT infrastructure. You are responsible for everything, including buying the ingredients (hardware and software), preparing the dough and toppings (setting up the infrastructure and applications), cooking the pizza (maintaining the infrastructure), and cleaning up afterward (managing security, backups, and disaster recovery).
- Ordering a Take and Bake pizza is like using IaaS. You order the pizza with the toppings you want, but the pizza is not cooked yet. You must take it home and cook it yourself. Similarly, with IaaS, you are provided with a virtual infrastructure that you configure and manage yourself, including installing and configuring the operating system, middleware, and applications.
- Ordering a pizza for delivery is like using PaaS. You order the pizza with the toppings you want, and it is delivered to you fully cooked. You do not have to worry about the cooking process, but you still have control over the toppings. Similarly, with PaaS, you are provided with a platform for developing and deploying applications, and the CSP takes care of the underlying infrastructure.
- Dining out at a restaurant is like using SaaS. You order the pizza, and it is delivered to you fully cooked and ready to eat. You do not have to worry about cooking or toppings as the restaurant takes care of everything. Similarly, with SaaS, you use a cloud-based application that is fully managed by the cloud service provider, and you do not have to worry about the underlying infrastructure, security, or backups.
In all these scenarios, the shared responsibility model applies. You, as the customer, are responsible for selecting the pizza toppings you want, just as you are responsible for configuring and securing your data and applications in the cloud. The cloud service provider is responsible for providing a secure and reliable environment for your data and applications, just as the restaurant is responsible for providing a clean and safe dining experience.
Now that you have understood shared responsibility via an interesting analogy, let’s understand the concept with the help of an actual responsibility model provided by every cloud provider for their customers. This responsibility is also known as security of the cloud versus security in the cloud:
Figure 1.4 – Shared responsibility model
Let us quickly discuss what security of the cloud and security in the cloud mean:
- Security of the cloud: Security of the cloud means protecting the infrastructure that runs all the services offered by the cloud provider, which is composed of the hardware, software, networking, and facilities that public cloud services use. Cloud providers are responsible for the security of the cloud, which includes protecting the cloud environment against any security threats.
- Security in the cloud: This refers to the responsibility held by customers and is solely determined by the cloud services that customers choose for consumption and where those workloads are hosted, such as IaaS, PaaS, SaaS, Database-as-a-Service (DBaaS), Container-as-a-Service (CaaS), or even Security-as-a-Service (SECaaS).
Customers must carefully consider the services they choose from different providers as their responsibilities vary depending on the services they use, the integration of those services into their IT environment, and applicable laws and regulations.
The responsibility model makes responsibility clear. When an organization does not have a cloud footprint, the organization is 100% responsible for the security and compliance of the infrastructure. When an organization moves to the cloud in a hybrid or cloud-native setup, the responsibility is shared between both parties.