Overview
The Shared Responsibility Model is a framework that delineates the security responsibilities between a Cloud Service Provider (CSP) and the customer. This model helps clarify what aspects of security are managed by the cloud provider and what remains the responsibility of the customer. While each CSP has its own version of this model, they generally adhere to the same core principles.
AWS Shared Responsibility
| Layer | On-Premise | Infrastructure as a Service | Platform as a Service | Software as a Service |
| --- | --- | --- | --- | --- |
| Application | * | * | * | # |
| Data | * | * | * | # |
| Runtime | * | * | # | # |
| Middleware | * | * | # | # |
| OS | * | * | # | # |
| Virtualization | * | # | # | # |
| Server | * | # | # | # |
| Storage | * | # | # | # |
| Networking | * | # | # | # |
Key: * = Customer is responsible; # = Cloud Service Provider is responsible
Key Concepts
Customer Responsibilities
Configuration of Managed Services or Third-Party Software: Ensuring that configurations are secure and meet organizational policies.
Application Security: Securing applications and managing access controls.
Identity and Access Management (IAM): Configuring and managing user permissions and access controls.
Configuration of Virtual Infrastructure Systems: Managing virtual machines, networks, and storage configurations.
Operating System Security: Keeping the OS up-to-date and secure.
Network Security: Configuring firewalls and managing network security settings.
Client-Side Data Encryption: Encrypting data before it is sent to the cloud.
Server-Side Encryption: Configuring encryption for data at rest.
Networking Traffic Protection: Securing data in transit between the customer and the cloud provider.
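Several of the customer-side items above (IAM permissions, network security settings, server-side encryption at rest) are things a customer can verify from the configuration documents alone. The following is an added example, not part of the original notes and not AWS code: it runs offline over constructed sample documents in the shape of an IAM policy, an EC2 security group and an S3 bucket encryption configuration, and flags the weak setting beside its corrected form. The function names, the sample identifiers (sg-example-open, example-app-bucket, example-logs) and the list of sensitive ports are assumptions made for the example.

```python
"""Offline checks for three customer-side responsibilities in the shared
responsibility model: IAM scoping, network ingress and encryption at rest.

Added example, not from the original notes. Inputs are constructed sample
documents in the shape AWS returns for IAM policies, security-group rules and
S3 bucket encryption settings; no AWS API is called.
"""
from ipaddress import ip_network

# Ports where internet-wide ingress is usually a misconfiguration (assumption).
SENSITIVE_PORTS = {22, 3389, 3306, 5432}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def iam_policy_findings(policy: dict) -> list[str]:
    """Flag Allow statements granting Action '*' on Resource '*'."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare dict
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {idx}: Allow on Action '*' and Resource '*'")
    return findings


def security_group_findings(sg: dict) -> list[str]:
    """Flag ingress rules exposing a sensitive port to any address (prefix /0)."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # Protocol -1 ("all traffic") carries no port range: every port is exposed.
        exposed = SENSITIVE_PORTS if lo is None or hi is None else {
            p for p in SENSITIVE_PORTS if lo <= p <= hi
        }
        if not exposed:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(f"{sg['GroupId']}: ports {sorted(exposed)} open to {cidr}")
    return findings


def s3_encryption_findings(bucket: dict) -> list[str]:
    """Flag buckets with no default server-side encryption rule."""
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return [f"{bucket['Name']}: no default server-side encryption configured"]
    return []


def audit(policy: dict, sg: dict, bucket: dict) -> list[str]:
    """Run all three customer-side checks and return the combined findings."""
    return (iam_policy_findings(policy)
            + security_group_findings(sg)
            + s3_encryption_findings(bucket))


# --- constructed samples: weak setting beside its corrected form ---------------
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Action": ["s3:GetObject", "s3:PutObject"],
                                "Resource": "arn:aws:s3:::example-app-bucket/*"}]}
OPEN_SG = {"GroupId": "sg-example-open",
           "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
RESTRICTED_SG = {"GroupId": "sg-example-restricted",
                 "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
UNENCRYPTED_BUCKET = {"Name": "example-logs",
                      "ServerSideEncryptionConfiguration": {"Rules": []}}
ENCRYPTED_BUCKET = {"Name": "example-logs",
                    "ServerSideEncryptionConfiguration": {"Rules": [
                        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    print("weak configuration:")
    for f in audit(WEAK_POLICY, OPEN_SG, UNENCRYPTED_BUCKET):
        print("  -", f)
    print("corrected configuration findings:",
          audit(SCOPED_POLICY, RESTRICTED_SG, ENCRYPTED_BUCKET))
```

The three checks each sit in the customer's column of the model: AWS secures the IAM service, the security-group enforcement and the S3 storage layer, but which permissions, ingress rules and encryption defaults are set remains the customer's decision, and each can be reviewed from the configuration alone.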
CSP Responsibilities
Software: Ensuring the security of the cloud platform’s software and applications.
Compute: Managing the physical servers, hypervisors, and virtual machines.
Storage: Securing the underlying storage infrastructure.
Database: Maintaining the database systems and their security.
Networking: Managing network infrastructure and its security.
Hardware/Global Infrastructure: Providing and securing the physical infrastructure, including data centers, servers, and networking hardware.
Physical Security: Protecting the physical locations where the cloud infrastructure resides.
Deployment Models and Responsibility
The responsibilities vary based on the type of cloud service and deployment model:
On-Premise
Customer: Full responsibility for everything from the hardware to the applications and data.
Infrastructure as a Service (IaaS)
Customer: Manages the operating system, middleware, applications, and data.
AWS: Responsible for hardware, networking, virtualization, and the underlying infrastructure.
Platform as a Service (PaaS)
Customer: Manages applications and data; some configuration of associated services.
AWS: Manages the operating system, middleware, runtime, and infrastructure.
Software as a Service (SaaS)
Customer: Manages the data and configurations within the application.
AWS: Manages everything from the application to the hardware.
Function as a Service (FaaS)
Customer: Uploads and manages code.
AWS: Manages the entire infrastructure including deployment, runtime, networking, and security.
Comparison Example in Compute
Bare Metal
Customer: Host OS Configuration.
AWS: Hypervisor, Physical Machine.
Elastic Compute Cloud (EC2)
Customer: Guest OS Configuration, Container Runtime.
AWS: Hypervisor, Physical Machine.
AWS Elastic Container Service (ECS)
Customer: Configuration, Deployment, and Storage of Containers.
AWS: OS, Hypervisor, Container Runtime.
AWS Elastic Beanstalk (PaaS)
Customer: Uploads code, Configures services.
AWS: Manages servers, OS, networking, storage, and security.
Amazon WorkDocs (SaaS)
Customer: Manages document contents, file management, and sharing access.
AWS: Manages servers, OS, networking, storage, and security.
AWS Lambda (FaaS)
Customer: Uploads code.
AWS: Manages everything else, including deployment, runtime, container, networking, storage, and physical machine.
Shared Responsibility Model in Architecture
Serverless Functions
Example: AWS Lambda, AWS Amplify
Customer Responsibility: Focuses on data and code.
CSP Responsibility: Manages everything else.
Containers/Server Management
Example: AWS ECS, AWS EKS, AWS Fargate
Customer Responsibility: Configures containers, deployments.
CSP Responsibility: Manages container runtime, infrastructure.
Traditional/VMs
Example: AWS EC2, AWS Elastic Beanstalk
Customer Responsibility: Takes on more of the configuration and management.
CSP Responsibility: Provides and secures the underlying infrastructure.
Conclusion
The Shared Responsibility Model simplifies cloud security management by clearly defining what aspects of security are managed by the customer and what is handled by the CSP. Understanding this model helps organizations ensure that all security aspects are covered, whether they are managing data and applications or relying on the cloud provider for infrastructure security.