Shouldering the Increasingly Heavy Cloud Shared-Responsibility Model

There are a number of solutions that can help ensure security and compliance mandates are met in the cloud, but organizations should prioritize integration and policy-based management.

Kirsten Newcomer, Director, Cloud and DevSecOps Strategy, Red Hat

March 20, 2023

5 Min Read
an abstract digital image of clouds being connected by wiring.
Source: Kalawin via Adobe Stock

As business and the world in general grow more complex, the shared responsibility between cloud customer and cloud provider becomes, well, cloudier. This is especially true when it comes to security and compliance.

Moving applications and infrastructure to the cloud frees up resources and increases flexibility and scalability, but does not free organizations from ensuring their regulatory and security responsibilities are being met. Cloud providers promise security of the cloud, but organizations are responsible for security in the cloud. And compliance in the cloud — especially in a hybrid model — can be an overwhelming challenge, because you don't know what you don't know. And, of course, what you don't know is what will end up costing you — in time, money, and, sometimes, reputation.

It would be hard enough if nothing ever changed, but we live in a world of continuous churn. In early January, for example, the Biden administration released its fall 2022 regulatory agenda, including dozens of proposed, pending, and final rules governing everything from food additives to cybersecurity requirements for government contractors. And the cloud itself has paved the way for disruptive applications such as the AI-based ChatGPT— applications that have many potential benefits but also open up new channels warranting compliance and security concerns. The proposed American Data Privacy and Protection Act, which would provide national standards for personal information collected by companies, also could increase federal oversight of AI.

As scrutiny and regulations increase, penalties are becoming stronger. Organizations must ensure they are doing everything they can to protect their business applications and meet regulatory requirements while taking advantage of the cloud. Not only that, but organizations must be able to demonstrate they are doing so to whomever asks — auditors, customers, partners, and even the competition — whenever they ask. 

Continuous Compliance Mindset

Continuous change requires adopting a mindset of continuous compliance within a DevSecOps model. There's no one tool for doing this. In fact, there are many — perhaps too many right now. The market is likely to converge, as platform providers integrate security and compliance capabilities, but in the meantime, organizations should proactively be seeking opportunities to integrate technology that enables and helps maintain observability, governance, and security.

For example, cloud security posture management (CSPM) systems help organizations identify and remediate security risks due to misconfigurations of IaaS, SaaS, and PaaS platforms. CSPMs discover cloud resources and monitor them against established security best practices and regulatory standards. 

On a more comprehensive scale, CNAPPs (cloud-native application protection platforms) provide an integrated platform approach to cloud-native application security that combines CSPM capabilities with CWPP (cloud workload protection platform) features. The goal of CNAPPs is to apply security and compliance holistically across cloud infrastructure and cloud workloads to identify and remediate risk throughout the solution stack.

Notably, CNAPPs that integrate with Kubernetes strengthen an organization's ability to securely and compliantly build, deploy, run, and scale cloud-native applications across on-premises, hybrid, and cloud infrastructures. There are a number of Kubernetes projects designed to improve security, observability, and governance. Community investment in this space is growing as organizations increasingly deploy multiple Kube clusters and expand their use of the platform across organizational boundaries.

SPIFFE/SPIRE, for example, goes a long way toward solving the problem of end-to-end identity, while Sigstore eases cryotographic signing along the supply chain. Opportunities exist to combine many of these projects for even greater benefits. Tekton Chains uses Sigstore for signing and attestation of the artifacts produced by a Tekton pipeline. The Tekton project is also investing in using SPIFFE/SPIRE to provide identities for TaskRun pods and sign the task objects to guarantee that the tasks themselves were not tampered with.

Automating Policy

Organizations should also be thinking in terms of automated, policy-based governance, risk management, and compliance whenever and wherever possible. Just as bridges are being created between historically siloed security solutions, DevOps teams must build bridges between historically siloed organizations. DevOps teams must become DevSecOps teams by taking a proactive approach to managing security and compliance throughout the application and platform lifecycle, as well as the application supply chain.

Look for solutions that help provide automated guard rails for your developers in the tools they use every day so that applications can be hardened before they're deployed. Many developers don't have a strong compliance and security knowledge base, so the more guidance solutions can provide, the better. Similarly, look for solutions that help provide automated guard rails for teams managing infrastructure as code so infrastructure can be hardened at deployment time. Leverage solutions that simplify adoption of security practices with standard patterns for developers, infrastructure, and security teams based on industry expertise with out-of-the-box policies and built-in response capabilities. 


More and more organizations are managing solutions in multiple clouds, including on-premises and public cloud, to build business agility and scalability. Managing solutions across multiple clouds can create additional work and overhead for infrastructure, application, and security teams. Organizations investing in multicloud and hybrid cloud infrastructure will benefit from solutions that enable them to implement automated, policy-based governance, compliance, and security practices in a common way across cloud environments. Look for solutions that can be used throughout the lifecycle and the stack; solutions that create bridges by providing guidance to individual teams in the tools they use every day. This can create feedback loops and solutions that enable collaboration among stakeholders with a common language, while also enabling informed risk-management decisions and more effective prioritization workflows based on contextualized data.

About the Author(s)

Kirsten Newcomer

Director, Cloud and DevSecOps Strategy, Red Hat

Kirsten Newcomer works closely with Red Hat’s many security professionals across the Red Hat portfolio of open source offerings. She is a diversified software management professional with more than 20 years of experience in security, application development, and infrastructure solutions. Prior to joining Red Hat, Kirsten provided strategic direction for Black Duck’s open source security and governance solutions.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights