Cloud security breaches happen, and when they do, it's common for finger-pointing to follow. There's an opportunity for both cloud users and cloud service providers (CSPs) to work together to transcend the limitations of the established shared responsibility model of cloud security. Building on that model's foundations and addressing its shortcomings can lead us to a better and more secure cloud future.
Who "Owns" Cyber Risks?
While under the shared responsibility model direct responsibilities change depending on the cloud services a customer is using, the CSP is always responsible for defending against threats to the cloud infrastructure, and the customer is always responsible for the security of the data and applications they manage in the cloud.
But as cloud adoption has expanded, the limitations of shared responsibility have become clear. A hard edge between areas of responsibility isn't realistic to maintain in many areas of security. In addition, customers frequently assume that the CSP will take ownership of more cybersecurity responsibility than they actually do, and in many cases the only realistic way to defend against or respond to cyber threats is for the customer and CSP security teams to work together.
Limitations of Shared Responsibility
Some specific ways that the shared responsibility model can break down include:
Lack of technical expertise on the customer side. What good is a model that pushes responsibilities onto the customer that the customer isn't capable of handling? Overloaded IT teams and a lack of cloud security skills can mean that some customers simply won't be able to handle their side of cloud security without a lot of help. Insisting on a model that pushes those responsibilities onto them alone is doing little but inviting a costly cybersecurity incident that will damage the relationship between customer and CSP.
More than two parties involved. A cloud environment involves more than just a customer and a CSP. Once resellers and managed service providers are considered, the problem of blurry lines of responsibility becomes exponentially more complicated. A good security model should be about more than just liability. The classic shared responsibility model has no clear guidelines for the complex cloud configurations that are a reality for many organizations.
Default setting confusion. This is an example of an issue that should be simple but has proven to be complex in practice. Many cloud security partnerships falter around the question of default security settings. Cloud customers often aren't clear who is responsible for adjusting those settings, and just because it is possible to make adjustments doesn't mean new cloud customers always understand what adjustments should be made.
After years of real world use, it's clear that there are some critical areas where the shared responsibility model is not enough — and from a practical point of view, placing more burdens on cloud customers to try to fill the gaps is simply not going to fix the problem. There's a need for an updated cloud security paradigm, one that offers more actual solutions and encourages more collaboration.
The Shared Fate Model
The next stage of the evolution beyond traditional shared responsibility for cloud security is Google's shared fate, a collaborative model for handling cloud risks. Under the shared fate model, the CSP takes a much more proactive role, including providing guidance at the deployment stage as well as recommendations and tools to ensure ongoing security. Shared fate sees the cloud provider accepting the reality of where shared responsibility breaks down and steps up to close the gaps.
Secure-by-default infrastructure, security foundations, and secure blueprints are elements of the shared fate model that take some of the security burdens off of customers' teams. In complex cloud environments involving multiple stakeholders, the model provides guides for how workflows and responsibilities should be arranged, rather than leaving it up to the customer to figure out alone. And shared fate places a greater emphasis on cyber insurance, a crucial aspect of responsible security that is there to help a cloud customer in the case of a cyber incident.
Shared fate represents a shift intended to meet customers where they are and help them get to where they want to be. While customers always have some level of responsibility for cloud security, the shared fate model is a more pragmatic way to help manage cyber risks. Because in the end, cloud security is not just about deciding who does what, but about doing better, together.