Day 7: Shared responsibility model

AWS Cloud Practitioner With Neel Patel

Overview

The Shared Responsibility Model is a framework that delineates the security responsibilities between a Cloud Service Provider (CSP) and the customer. This model helps clarify what aspects of security are managed by the cloud provider and what remains the responsibility of the customer. While each CSP has its own version of this model, they generally adhere to the same core principles.

AWS Shared Responsibility

Layer            On-Premise   IaaS       PaaS       SaaS
Application      Customer     Customer   Customer   CSP
Data             Customer     Customer   Customer   CSP
Runtime          Customer     Customer   CSP        CSP
Middleware       Customer     Customer   CSP        CSP
OS               Customer     Customer   CSP        CSP
Virtualization   Customer     CSP        CSP        CSP
Server           Customer     CSP        CSP        CSP
Storage          Customer     CSP        CSP        CSP
Networking       Customer     CSP        CSP        CSP

Customer = the customer is responsible; CSP = the cloud service provider is responsible. IaaS = Infrastructure as a Service, PaaS = Platform as a Service, SaaS = Software as a Service.

Key Concepts

Customer Responsibilities

  • Configuration of Managed Services or Third-Party Software: Ensuring that configurations are secure and meet organizational policies.

  • Application Security: Securing applications and managing access controls.

  • Identity and Access Management (IAM): Configuring and managing user permissions and access controls.

  • Configuration of Virtual Infrastructure Systems: Managing virtual machines, networks, and storage configurations.

  • Operating System Security: Keeping the OS up-to-date and secure.

  • Network Security: Configuring firewalls and managing network security settings.

  • Client-Side Data Encryption: Encrypting data before it is sent to the cloud.

  • Server-Side Encryption: Configuring encryption for data at rest.

  • Networking Traffic Protection: Securing data in transit between the customer and the cloud provider.
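Every item in the list above is a control the provider cannot verify for you, so a practical way to read the model is as an audit checklist for the customer side of the line. The following Python script is an added example (not code from the original post or from AWS) that runs four such checks over a configuration snapshot constructed inline for the illustration; the resource names, the field layout of the snapshot and the `audit` / `summarize` helper names are assumptions, not AWS API output or API calls.

```python
"""Customer-side checks for the shared responsibility model (added example).

The snapshot below is constructed for this example. In a real account the
same facts would be pulled from the cloud APIs; here they are embedded so the
script runs offline. Each check maps to one customer responsibility named in
the model: network security, server-side encryption, IAM, and traffic
protection. Nothing here touches the provider's side (hypervisor, hardware).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List

# Administrative ports that should never be reachable from any address.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    responsibility: str  # which customer responsibility from the model
    resource: str        # constructed resource identifier
    detail: str


def check_security_groups(groups: List[Dict[str, Any]]) -> List[Finding]:
    """Network Security: flag admin ports open to the whole internet."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if rule["cidr"] not in ANYWHERE:
                continue
            for port, name in SENSITIVE_PORTS.items():
                if rule["from_port"] <= port <= rule["to_port"]:
                    findings.append(Finding("Network Security", sg["id"],
                                            f"{name} (tcp/{port}) open to {rule['cidr']}"))
    return findings


def check_buckets(buckets: List[Dict[str, Any]]) -> List[Finding]:
    """Server-Side Encryption: data at rest must have default encryption."""
    return [Finding("Server-Side Encryption", b["name"], "no default encryption configured")
            for b in buckets if not b["sse_enabled"]]


def check_iam_users(users: List[Dict[str, Any]]) -> List[Finding]:
    """IAM: every user with console access should have MFA enabled."""
    return [Finding("Identity and Access Management", u["name"], "console access without MFA")
            for u in users if u["console_access"] and not u["mfa_enabled"]]


def check_listeners(listeners: List[Dict[str, Any]]) -> List[Finding]:
    """Networking Traffic Protection: no plaintext HTTP listeners."""
    return [Finding("Networking Traffic Protection", lst["name"],
                    f"plaintext HTTP listener on port {lst['port']}")
            for lst in listeners if lst["protocol"] == "HTTP"]


def audit(snapshot: Dict[str, Any]) -> List[Finding]:
    """Run all customer-side checks over one configuration snapshot."""
    return (check_security_groups(snapshot["security_groups"])
            + check_buckets(snapshot["buckets"])
            + check_iam_users(snapshot["iam_users"])
            + check_listeners(snapshot["listeners"]))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per responsibility area of the model."""
    return dict(Counter(f.responsibility for f in findings))


# Constructed sample snapshot (assumed layout, not real account data).
SAMPLE_SNAPSHOT: Dict[str, Any] = {
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
            {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [
            {"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-legacy", "ingress": [
            {"from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"}]},  # hits SSH and RDP
    ],
    "buckets": [
        {"name": "logs", "sse_enabled": True},
        {"name": "uploads", "sse_enabled": False},
    ],
    "iam_users": [
        {"name": "alice", "console_access": True, "mfa_enabled": True},
        {"name": "bob", "console_access": True, "mfa_enabled": False},
        {"name": "deploy-bot", "console_access": False, "mfa_enabled": False},
    ],
    "listeners": [
        {"name": "api", "protocol": "HTTPS", "port": 443},
        {"name": "legacy-site", "protocol": "HTTP", "port": 80},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"[{f.responsibility}] {f.resource}: {f.detail}")
    print(summarize(audit(SAMPLE_SNAPSHOT)))
```

Running it on the sample snapshot reports six findings: three network-security findings (the bastion group and both admin ports in the wide-open legacy group), one unencrypted bucket, one console user without MFA, and one plaintext listener. The point of the layout is that each finding is tagged with the responsibility area it belongs to, so the output reads directly against the model's customer-side list.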

CSP Responsibilities

  • Software: Ensuring the security of the cloud platform’s software and applications.

  • Compute: Managing the physical servers, hypervisors, and virtual machines.

  • Storage: Securing the underlying storage infrastructure.

  • Database: Maintaining the database systems and their security.

  • Networking: Managing network infrastructure and its security.

  • Hardware/Global Infrastructure: Providing and securing the physical infrastructure, including data centers, servers, and networking hardware.

  • Physical Security: Protecting the physical locations where the cloud infrastructure resides.

Deployment Models and Responsibility

The responsibilities vary based on the type of cloud service and deployment model:

On-Premise

  • Customer: Full responsibility for everything from the hardware to the applications and data.

Infrastructure as a Service (IaaS)

  • Customer: Manages the operating system, middleware, applications, and data.

  • AWS: Responsible for hardware, networking, virtualization, and the underlying infrastructure.

Platform as a Service (PaaS)

  • Customer: Manages applications and data; some configuration of associated services.

  • AWS: Manages the operating system, middleware, runtime, and infrastructure.

Software as a Service (SaaS)

  • Customer: Manages the data and configurations within the application.

  • AWS: Manages everything from the application to the hardware.

Function as a Service (FaaS)

  • Customer: Uploads and manages code.

  • AWS: Manages the entire infrastructure including deployment, runtime, networking, and security.

Comparison Example in Compute

Bare Metal

  • Customer: Host OS Configuration.

  • AWS: Hypervisor, Physical Machine.

Amazon Elastic Compute Cloud (EC2)

  • Customer: Guest OS Configuration, Container Runtime.

  • AWS: Hypervisor, Physical Machine.

AWS Elastic Container Service (ECS)

  • Customer: Configuration, Deployment, and Storage of Containers.

  • AWS: OS, Hypervisor, Container Runtime.

AWS Elastic Beanstalk (PaaS)

  • Customer: Uploads code, Configures services.

  • AWS: Manages servers, OS, networking, storage, and security.

Amazon WorkDocs (SaaS)

  • Customer: Manages document contents, file management, and sharing access.

  • AWS: Manages servers, OS, networking, storage, and security.

AWS Lambda (FaaS)

  • Customer: Uploads code.

  • AWS: Manages everything else, including deployment, runtime, container, networking, storage, and physical machine.

Shared Responsibility Model in Architecture

Serverless Functions

  • Example: AWS Lambda, AWS Amplify

  • Customer Responsibility: Focuses on data and code.

  • CSP Responsibility: Manages everything else.

Containers/Server Management

  • Example: AWS ECS, AWS EKS, AWS Fargate

  • Customer Responsibility: Configures containers, deployments.

  • CSP Responsibility: Manages container runtime, infrastructure.

Traditional/VMs

  • Example: AWS EC2, AWS Elastic Beanstalk

  • Customer Responsibility: More responsibilities in configuration and management.

  • CSP Responsibility: Provides and secures the underlying infrastructure.

Conclusion

The Shared Responsibility Model simplifies cloud security management by clearly defining what aspects of security are managed by the customer and what is handled by the CSP. Understanding this model helps organizations ensure that all security aspects are covered, whether they are managing data and applications or relying on the cloud provider for infrastructure security.