Digital Business

SaaS, IaaS, and PaaS: What the shared responsibility model means for zero trust

Jul 14, 2022
SaaS, IaaS, and PaaS: What the shared responsibility model means for zero trust

When moving to the cloud, companies approach it with a number of different models – SaaS, IaaS, and PaaS most commonly. But moving to the cloud shouldn’t obscure the fact that what you’re really looking for is a zero trust security model. 

The concept of zero trust stipulates that all connections, between users, applications, and processes, are limited to trusted parties. These trusted parties need to be evaluated before being allowed the opportunity to exchange data with one another, or even to simply connect. 

To recap the shared responsibility model of cloud service delivery: Iaas, PaaS, and SaaS models transfer progressively more of the burden of the management of the solution to the vendor. This reduces the lift for the consumer, but can also come at the expense of agility and control. Our friends at the Cloud Security Alliance have a good breakdown of where responsibility tends to reside at each of these levels. They point out, though, that the fine line of responsibility between the vendor and the consumer is always case-specific.

Cloud Service Models (IaaS, PaaS, SaaS), David Chou, 2018

Even in the case of SaaS, where applications are managed by a third-party provider, there are still zero trust principles and practices organizations must adhere to. With SaaS solutions, the first leg of your zero trust strategy is typically a single sign-on (SSO) identity verification solution. This enforces multi-factor authentication for users of the service, as well as links the identity solution to a posture control system to ensure that the device the user is connecting with is properly protected. You need to make sure you trust both who is connecting as well as how they are connecting.

The problem facing development teams today is that so many tools and services have migrated to the cloud, that no one can be an expert in all of them. The big three cloud providers alone (Amazon, Google, and Microsoft) offer hundreds of cloud services. 

Zero trust can provide a defense-in-depth approach by securing all aspects of your infrastructure from user devices to microservices. The different models of cloud adoption just change the demarcation point between the third-party cloud provider and the business. Knowing where this line sits in practice is critical to maintaining the security of cloud-native applications.

Even when you move the demarcation point up to the SaaS case, the effective use and implementation of a zero trust model is critical to the security of your data and your company. With cloud security, Gartner predicts that cloud misconfigurations will be the top root cause of breaches. This means that 99% of cloud security issues will due to customer error! 

A holistic approach to zero trust security needs to address this risk. A cloud-native application protection platform or CNAPP can help secure cloud-native applications against misconfiguration. Zscaler’s CNAPP solution provides comprehensive visibility and insight into the metrics and controls needed to manage this critical security component. Critically, this gives developers the ability to prioritize real risk amid high levels of noise. 

Zscaler provides a holistic suite of zero trust tools, allowing you to prioritize what portion of the zero trust journey is most important to your business, so you can start your journey there. Remember the Chinese proverb, “a journey of a thousand miles begins with a single step.” Start your journey today. 

What to read next

Adapting the cloud service model to today's needs

Strategies for surviving in a multi-cloud world