Explore the Posture Control Workshop to see how our platform fast-tracks cloud native application security.
In an on-premises data center, security responsibility rests entirely with the owner. Maintaining security controls, patching, and physical infrastructure falls to the organization’s security team (or another responsible party, such as IT), not to the hardware vendors. When part of a network runs on private or public cloud services, however, some of those responsibilities shift to the cloud service provider (CSP).
This is where a shared responsibility model comes in: it sets out precisely which security duties, data states, and locations are in the CSP’s domain and which are in the customer’s. Microsoft Azure, Google Cloud, Amazon Web Services (AWS), and other CSPs each publish their own model, tailored to their specific offerings.
Most shared responsibility models hold you, the customer, responsible for anything under your direct control: data, credentials, and configurations, as well as anything that sits outside the CSP’s cloud resources, such as your organization’s own firewalls and internal network security.
A lack of clarity around responsibilities can contribute to misconfigurations that weaken your security posture and ultimately cause cloud security failures, so it’s critical that you understand where your organization’s security duties lie in relation to your providers’.
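The customer-side items above (data, credentials, configurations) are exactly what a posture check inspects. The following is an added example, not code from the original page or from Zscaler, of a minimal CSPM-style scan over a constructed snapshot of customer-controlled resources: it flags a world-readable storage bucket, an unencrypted bucket, an admin port open to 0.0.0.0/0, and an IAM policy that grants every action on every resource. The inventory and its field names are assumptions chosen for illustration, not the output of any real cloud API.

```python
"""Minimal CSPM-style check over customer-controlled configuration.

Added example, not code from the original page or from Zscaler. The inventory
below is constructed inline; its field names are assumptions for illustration.
"""
import ipaddress
from typing import Dict, List

# Constructed sample inventory (not real cloud API output).
SAMPLE_INVENTORY: Dict[str, List[Dict]] = {
    "storage_buckets": [
        {"name": "public-site-assets", "public_read": True, "encrypted": True},
        {"name": "payroll-exports", "public_read": True, "encrypted": False},
        {"name": "app-logs", "public_read": False, "encrypted": True},
    ],
    "security_groups": [
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "bastion-sg", "ingress": [
            {"port": 22, "cidr": "0.0.0.0/0"},
            {"port": 3389, "cidr": "10.0.0.0/8"},
        ]},
    ],
    "iam_policies": [
        {"name": "ci-deployer", "statements": [
            {"effect": "Allow", "action": "s3:PutObject", "resource": "arn:aws:s3:::artifacts/*"},
        ]},
        {"name": "break-glass", "statements": [
            {"effect": "Allow", "action": "*", "resource": "*"},
        ]},
    ],
}

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_buckets(buckets: List[Dict]) -> List[Dict]:
    """Data at rest: flag public-read and unencrypted buckets."""
    findings = []
    for b in buckets:
        if b.get("public_read"):
            findings.append({"resource": b["name"], "rule": "bucket-public-read", "severity": "high"})
        if not b.get("encrypted"):
            findings.append({"resource": b["name"], "rule": "bucket-unencrypted", "severity": "medium"})
    return findings


def check_security_groups(groups: List[Dict]) -> List[Dict]:
    """Network configuration: flag admin ports exposed to 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for rule in g.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                findings.append({"resource": g["name"],
                                 "rule": f"admin-port-{rule['port']}-world-open",
                                 "severity": "high"})
    return findings


def check_iam_policies(policies: List[Dict]) -> List[Dict]:
    """Entitlements: flag Allow */* statements (full administrative rights)."""
    findings = []
    for p in policies:
        for s in p.get("statements", []):
            if s.get("effect") == "Allow" and s.get("action") == "*" and s.get("resource") == "*":
                findings.append({"resource": p["name"], "rule": "iam-wildcard-admin", "severity": "critical"})
    return findings


def run_checks(inventory: Dict[str, List[Dict]]) -> List[Dict]:
    """Run every check and return findings ordered by severity, then resource name."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = (check_buckets(inventory.get("storage_buckets", []))
                + check_security_groups(inventory.get("security_groups", []))
                + check_iam_policies(inventory.get("iam_policies", [])))
    return sorted(findings, key=lambda f: (order[f["severity"]], f["resource"]))


if __name__ == "__main__":
    for f in run_checks(SAMPLE_INVENTORY):
        print(f"{f['severity']:<8} {f['resource']:<20} {f['rule']}")
```

Note that none of these findings concern the provider’s hypervisors or data centers; every one is a setting the customer chose, which is the point of the shared responsibility model. The web security group open on 443 is deliberately not flagged, since exposing a web port is a business decision rather than a misconfiguration.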
How responsibility is divided depends on the type of cloud service you’re using (IaaS, PaaS, or SaaS). You’ll always be responsible for securing your data, devices, accounts, and access management. Likewise, CSPs will always be responsible for securing the physical infrastructure: their hosts, data centers, and networks. Let’s look at where other differences come into play:
In itself, the reduced customer responsibility of a cloud service is a major benefit when compared to the total liability you take on with your private on-premises infrastructure, but there’s more to be had. Sharing cloud security responsibility with a service provider also lets you take advantage of:
Adopting the cloud and sharing responsibility has plenty of advantages, but there are still certain potential challenges to consider.
Compliance and Ultimate Responsibility
First and foremost, you need to be able to trust your provider with your data. Your organization’s data security policies, whether internal rules or external regulations, shape what you can agree to here. If you’re selecting a provider, make sure you understand what you’re signing up for. In many cases, your organization will still be held accountable if those rules or regulations are violated in a data breach, even if the provider’s controls were the ones that failed.
Understanding and Adapting
To keep up your end of the security bargain, you need to understand exactly where your responsibilities end and the CSP’s begin. Your personnel also need to know how to use the CSP’s tools and navigate their controls to avoid introducing vulnerabilities. Beyond that, you need to be able to adapt when architectures and systems change—like when new integrations are introduced—so you and your workloads stay secure.
The best practices specific to a given responsibility model come down to your unique needs and the provider’s offering, but there are some general practices to keep in mind in any shared security responsibility situation:
The cloud is where modern business lives. Few would debate that. What’s equally undeniable, though, is that using cloud services opens up your users, endpoints, and data to new risks. A crucial piece of protecting yourself from those risks is ensuring you completely understand your security responsibilities.
That’s only one piece, however. Holding up your responsibilities can be a daunting proposition when you’re dealing with third-party partners, multiple supply chains, and the growing risks of ransomware, phishing, and other advanced attacks that target your endpoints, credentials, and data. These facets of your security will always fall to you, and with so many possible avenues for attacks and data loss, it’s paramount that you choose the right security partners.
Zscaler can help you take advantage of all the cloud has to offer—flexibility, scale, reach, ease of use, and more—securely.
Posture Control by Zscaler is a unified, high-performance, cloud native platform built from the ground up to prioritize infrastructure and application security risks in distributed clouds and across the development and DevOps lifecycles, helping you maintain:
Secure Configurations
Maintain comprehensive CSPM controls across cloud infrastructure, resources, data, and identities.
Secure Entitlements
Secure human and machine identities while enforcing least-privileged access.
Secure Infrastructure as Code
Shift security left into developer and DevOps workflows to fix vulnerabilities and compliance issues before deployment.
Secure Data
Secure confidential data across multiple cloud repositories while maintaining visibility, control, and compliance.
Secure Workloads and Applications
Leverage zero trust to agentlessly secure hosts, containers, and serverless functions across the full app lifecycle.
Related Resources
SaaS, IaaS, and PaaS: What the shared responsibility model means for zero trust (blog)
What Is a Cloud Native Application Protection Platform (CNAPP)?
Posture Control for Cloud Native Applications
Posture Control by Zscaler