Cybersecurity insights from industry experts.

Why Shared Fate is a Better Way to Manage Cloud Risk

The shared responsibility model was good enough to cover the first years of the cloud revolution, but the model is showing its limitations. Shared fate is a more mature model for the future of cloud security.

Anton Chuvakin, Security Advisor at Office of the CISO, Google Cloud

September 15, 2023

4 Min Read
A group of people with hands together in the middle to show teamwork.
Source: andresr via iStock Photo

Cloud security breaches happen, and when they do, it's common for finger-pointing to follow. There's an opportunity for both cloud users and cloud service providers (CSPs) to work together to transcend the limitations of the established shared responsibility model of cloud security. Building on that model's foundations and addressing its shortcomings can lead us to a better and more secure cloud future. 

Who "Owns" Cyber Risks? 

While under the shared responsibility model direct responsibilities change depending on the cloud services a customer is using, the CSP is always responsible for defending against threats to the cloud infrastructure, and the customer is always responsible for the security of the data and applications they manage in the cloud. 

But as cloud adoption has expanded, the limitations of shared responsibility have become clear. A hard edge between areas of responsibility isn't realistic to maintain in many areas of security. In addition, customers frequently assume that the CSP will take ownership of more cybersecurity responsibility than they actually do, and in many cases the only realistic way to defend against or respond to cyber threats is for the customer and CSP security teams to work together

Limitations of Shared Responsibility 

Some specific ways that the shared responsibility model can break down include: 

  • Lack of technical expertise on the customer side. What good is a model that pushes responsibilities onto the customer that the customer isn't capable of handling? Overloaded IT teams and a lack of cloud security skills can mean that some customers simply won't be able to handle their side of cloud security without a lot of help. Insisting on a model that pushes those responsibilities onto them alone is doing little but inviting a costly cybersecurity incident that will damage the relationship between customer and CSP. 

  • More than two parties involved. A cloud environment involves more than just a customer and a CSP. Once resellers and managed service providers are considered, the problem of blurry lines of responsibility becomes exponentially more complicated. A good security model should be about more than just liability. The classic shared responsibility model has no clear guidelines for the complex cloud configurations that are a reality for many organizations. 

  • Default setting confusion. This is an example of an issue that should be simple but has proven to be complex in practice. Many cloud security partnerships falter around the question of default security settings. Cloud customers often aren't clear who is responsible for adjusting those settings, and just because it is possible to make adjustments doesn't mean new cloud customers always understand what adjustments should be made.   

After years of real world use, it's clear that there are some critical areas where the shared responsibility model is not enough — and from a practical point of view, placing more burdens on cloud customers to try to fill the gaps is simply not going to fix the problem. There's a need for an updated cloud security paradigm, one that offers more actual solutions and encourages more collaboration.

The Shared Fate Model

The next stage of the evolution beyond traditional shared responsibility for cloud security is Google's shared fate, a collaborative model for handling cloud risks. Under the shared fate model, the CSP takes a much more proactive role, including providing guidance at the deployment stage as well as recommendations and tools to ensure ongoing security. Shared fate sees the cloud provider accepting the reality of where shared responsibility breaks down and steps up to close the gaps. 

Secure-by-default infrastructure, security foundations, and secure blueprints are elements of the shared fate model that take some of the security burdens off of customers' teams. In complex cloud environments involving multiple stakeholders, the model provides guides for how workflows and responsibilities should be arranged, rather than leaving it up to the customer to figure out alone. And shared fate places a greater emphasis on cyber insurance, a crucial aspect of responsible security that is there to help a cloud customer in the case of a cyber incident. 

Shared fate represents a shift intended to meet customers where they are and help them get to where they want to be. While customers always have some level of responsibility for cloud security, the shared fate model is a more pragmatic way to help manage cyber risks. Because in the end, cloud security is not just about deciding who does what, but about doing better, together.

Read more about:

Partner Perspectives

About the Author(s)

Anton Chuvakin

Security Advisor at Office of the CISO, Google Cloud

Dr. Anton Chuvakin works for the Office of the CISO of Google Cloud, where he arrived via Chronicle Security (an Alphabet company) acquisition in July 2019. Before that, Anton was a Research Vice President and Distinguished Analyst at Gartner for Technical Professionals (GTP) Security and Risk Management Strategies team.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights