Understanding the Shared Responsibility Model: Why You Need a Holistic Data Protection Strategy
The cloud has revolutionized how businesses operate, allowing them to take advantage of its scalability and flexibility while reducing costs. However, protecting data remains a critical challenge, with 98% of businesses reporting a cloud data breach within 1.5 years [1], according to IDC research, highlighting the need for organizations to take additional measures to protect their data.
Cloud service providers understand the importance of safeguarding data and applications within their environment and have developed a Shared Responsibility Model (SRM). This model requires businesses to take ownership of securing their data and applications within the cloud environment. Yet only 13% of businesses understand their role in safeguarding data [2].
Cloud providers have different approaches to protecting data, which adds to the complexity, and businesses need to understand the specific details and nuances from provider to provider.
As such, customers must develop a holistic data protection strategy to ensure they have the necessary controls to protect their data even when relying on native tools included by their provider. This post will explore what this model means for customers and why it is essential to have a comprehensive data protection strategy across cloud and hybrid environments to use cloud services safely and securely.
Why are businesses increasing their adoption of cloud computing?
Cloud computing has extended the possibilities for businesses and provides many advantages. Having workloads, applications, and services running on the cloud or hybrid environments gives businesses greater flexibility and incredible scalability to accommodate growth. In addition to these valuable benefits, having a wide variety of software as a service (SaaS) applications delivered via the cloud enhances operations, optimizes resource utilization, and brings agility and efficiency to business workloads. It’s no surprise that most companies have already embraced the cloud or are actively transitioning workloads, with Gartner estimating that over 95% of new digital workloads will be deployed on cloud-native platforms by 2025 [3].
Another key advantage that makes cloud computing so attractive is that it allows users to access data and applications quickly and easily without requiring advanced technical knowledge or expertise. This makes it easier for businesses to deploy applications and manage data in a shorter time, something that would otherwise require significant technical know-how or experience with traditional IT environments.
For these reasons, more and more companies are turning to cloud computing to manage their data and applications. The SRM ensures that both customers and providers understand what needs to be secured within the cloud environment so that companies can take full advantage of this technology safely and securely.
What is the Shared Responsibility Model?
The Shared Responsibility Model (SRM) is a cloud security strategy that states that while cloud providers are responsible for securing their service infrastructure, customers are responsible for securing their data and applications within the cloud environment. This division of accountability is designed to ensure that both parties understand what needs to be secured and how it should be done. This model allows companies to use cloud services’ scalability and flexibility while having faith in their provider’s ability to maintain a secure infrastructure.
To use cloud services safely and securely, customers must understand their role in the SRM. This means developing a holistic data protection strategy that considers their provider’s native tools and any additional security measures the customer might need to put in place. By doing so, customers can better protect their data from threats such as malicious attacks, unauthorized access, data leakage, and more.
What Are Cloud Providers Responsible For?
Cloud providers are responsible for the security and privacy of their cloud computing infrastructure, including physical security, data storage, network protection, host firewalls, access control, and software vulnerability patching. They must also ensure that their services meet legal and regulatory compliance requirements. In addition to providing all these critical components of a secure cloud environment, they are also responsible for the operational integrity of their system, ensuring its availability, scalability, fault tolerance, performance optimization, cost management, and overall reliability.
Each provider supplies a detailed description of what falls within its responsibility. For example, in its simplest form, AWS states explicitly that it is “responsible for protecting the infrastructure that runs all of their services in the AWS Cloud.”
Another critical responsibility of cloud providers is to keep their customers informed of any changes or updates to their platforms or services. This includes alerting customers when a new security patch has been released or a service is no longer supported. Providers should also have a well-defined process for responding quickly and efficiently to any security incidents that arise.
Cloud providers should also have rigorous identity management practices to control who has access to the customer’s data within the cloud environment. This includes authenticating user identities with multi-factor authentication methods and regularly reviewing permissions associated with each account to ensure only authorized personnel can access sensitive information.
Finally, cloud providers should be transparent with customers about how they are protecting their data and informing them of any new changes or compliance updates that may affect their operations.
How can responsibilities differ across cloud providers?
While the Shared Responsibility Model can initially seem simple, cloud providers have different approaches to securing their customers’ data, meaning their responsibilities can vary significantly. For example, some cloud providers may have more stringent access control policies than others, meaning customers may require higher levels of authentication or authorization when accessing their accounts and data.
Providers also offer different tools and features that customers can use to protect their data. Some might provide advanced encryption and key management services that customers can use to ensure their information is safe in the cloud. Others may provide customers with granular auditing capabilities to track and monitor who has accessed specific files or directories within their environment.
Furthermore, the division of responsibility differs according to the type of cloud service on offer. Microsoft details how the split between customers and Microsoft changes with the deployment type. Infrastructure as a Service (IaaS) providers typically leave customers responsible for protecting the operating system, applications, and data stored within their virtual machines, whereas Platform as a Service (PaaS) providers often offer more capabilities out of the box, such as managed databases, web servers, and development frameworks, all of which must still be configured according to the customer’s security requirements.
Finally, customers need to remember that while cloud providers are responsible for providing secure environments and tools, there are no assurances that customer data will remain private or secure if companies do not adequately implement best practices regarding access control, encryption, and other necessary measures. Therefore, businesses must understand what each provider is responsible for regarding data protection to choose the right partner for their needs.
Companies should carefully review each cloud provider’s responsibilities to know precisely what they are responsible for versus their service provider when protecting their data from malicious actors and misconfigurations and when meeting compliance requirements.
What Are Customers Responsible For?
Despite cloud data being subject to the same responsibilities as any on-premise computing system, many companies remain unaware of this fact. The Shared Responsibility Model outlines that customers are responsible for securing the data and applications within a cloud environment, yet research has found that only 39% of organizations are confident in their ability to do so effectively [4].
Ensuring these responsibilities are met requires implementing additional security measures such as backup and recovery, encryption, identity and access management, and monitoring.
Key Data Protection Considerations
- A robust data protection strategy for all workloads is essential for the total visibility and security of hybrid cloud environments. With regular backups of all workloads, organizations can be better prepared to respond in case of data loss due to either a cybersecurity event or a natural disaster. Additionally, having data readily accessible enables IT teams to restore any lost workloads quickly and efficiently with minimal downtime.
- Encryption is critical when protecting sensitive data, such as financial or personal information, from unauthorized access attempts from external sources and internal personnel who could misuse customer information. Still, only 17% of businesses are encrypting at least half of the sensitive data they store in the cloud [5]. Customers should ensure they have robust encryption protocols across their environment and regularly re-inspect and apply the latest available options.
- Identity and Access Management (IAM) is also essential for cloud service customers. Implementing an IAM system will enable customers to control who has access to their cloud environment on a user level, allowing only authorized personnel to view or modify data. By utilizing multi-factor authentication, customers can enjoy better protection from breaches and limit the potential damage a malicious actor could cause. Additionally, customers should ensure that their authentication methods meet the standards set by their industry’s governing body or regulatory agencies. Furthermore, companies should have a Separation of Duty (SOD) policy to further protect cloud data from misuse by any single account holder.
- Monitoring and managing cloud and hybrid environments is a complex task, as cloud-based data resources constantly change. Therefore, using a monitoring and observability service is essential for administrators to ensure the security and proper management of cloud data. Cloud-native tools such as Amazon CloudWatch and Azure Monitor enable real-time monitoring and visibility into cloud, hybrid, and on-premises applications and infrastructure resources. The provision of data analysis not only helps administrators gain actionable insights from cloud data but also access crucial information about the performance of their cloud environment.
By following the best practices regarding security protocols, businesses can ensure they have the necessary controls to protect their data while taking full advantage of the benefits offered by cloud computing services. Ultimately, it’s up to each company’s circumstances when deciding what specific measures must be taken to keep sensitive information safe from external threats or unauthorized access.
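The four considerations above are what the customer side of the SRM looks like in practice, and they are easiest to keep honest when they are checked mechanically rather than by policy document alone. The following is an added example, not Commvault's code or any cloud provider's API: it runs a set of customer-side checks over a constructed inventory of storage resources and user accounts, flagging unencrypted storage, stale or missing backups, resources without access logging, accounts without MFA, accounts that stayed active after the user left, and dormant privileged accounts. The resource and account fields, names, and thresholds are hypothetical; a real implementation would populate the same dataclasses from the provider's inventory and IAM APIs.

```python
"""Customer-side control checks for the Shared Responsibility Model.

Added example, not Commvault's or any provider's code. Inventory fields,
names and thresholds are hypothetical and constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds are assumptions chosen for the example, not provider requirements.
MAX_BACKUP_AGE = timedelta(hours=24)      # a backup older than this is stale
MAX_DORMANT_PRIVILEGED = timedelta(days=30)  # unused privileged access is a risk


@dataclass
class StorageResource:
    name: str
    encrypted_at_rest: bool
    last_backup: Optional[datetime]   # None: no backup has ever completed
    logging_enabled: bool             # access/audit logs shipped to monitoring


@dataclass
class Account:
    user: str
    mfa_enabled: bool
    employed: bool                    # False once HR records the user as departed
    last_activity: datetime
    privileged: bool = False


@dataclass
class Finding:
    control: str    # one of: backup, encryption, iam, monitoring
    subject: str    # resource or account the finding applies to
    detail: str


def evaluate_customer_controls(resources: List[StorageResource],
                               accounts: List[Account],
                               now: datetime) -> List[Finding]:
    """Apply the customer-side checks and return every gap found."""
    findings: List[Finding] = []
    for r in resources:
        if not r.encrypted_at_rest:
            findings.append(Finding("encryption", r.name, "not encrypted at rest"))
        if r.last_backup is None:
            findings.append(Finding("backup", r.name, "no backup has ever completed"))
        elif now - r.last_backup > MAX_BACKUP_AGE:
            age_h = int((now - r.last_backup).total_seconds() // 3600)
            findings.append(Finding("backup", r.name,
                                    f"last backup {age_h}h ago exceeds {MAX_BACKUP_AGE}"))
        if not r.logging_enabled:
            findings.append(Finding("monitoring", r.name, "access logging disabled"))
    for a in accounts:
        if not a.employed:
            findings.append(Finding("iam", a.user, "account still active after the user left"))
        if not a.mfa_enabled:
            findings.append(Finding("iam", a.user, "MFA not enforced"))
        if a.privileged and now - a.last_activity > MAX_DORMANT_PRIVILEGED:
            findings.append(Finding("iam", a.user, "dormant privileged account"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per control area, e.g. for a dashboard or report."""
    return dict(Counter(f.control for f in findings))


# Constructed sample inventory (hypothetical names and timestamps).
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESOURCES = [
    StorageResource("customer-records", True, NOW - timedelta(hours=2), True),   # compliant
    StorageResource("finance-exports", False, NOW - timedelta(days=3), True),    # unencrypted, stale backup
    StorageResource("legacy-archive", True, None, False),                         # never backed up, no logging
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, NOW - timedelta(days=1), privileged=True),       # compliant
    Account("bob", False, True, NOW - timedelta(days=2)),                         # no MFA
    Account("carol", True, False, NOW - timedelta(days=45), privileged=True),     # departed, dormant admin
]

if __name__ == "__main__":
    results = evaluate_customer_controls(SAMPLE_RESOURCES, SAMPLE_ACCOUNTS, NOW)
    for f in results:
        print(f"[{f.control:10}] {f.subject}: {f.detail}")
    print("summary:", summarize(results))
```

Running the block against the constructed inventory produces seven findings: two backup gaps, one encryption gap, one monitoring gap, and three IAM gaps. The compliant resource and the compliant account produce none, which is the property worth asserting when the checks are wired to real inventory data.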
Why You Need a Holistic Data Protection Strategy
With cloud-related threats topping the list of cybersecurity concerns for UK senior executives and 90% saying they have experienced greater exposure to cyber risks due to increased digitization in the last two years [6], customers should continuously develop and maintain a holistic data protection strategy to ensure their data is secure, even when relying on the cloud provider’s native tools. A holistic approach involves understanding the full scope of data security requirements across multiple clouds and implementing appropriate technical, operational, and physical controls.
One of the most important reasons for this type of strategy is to identify and address any potential risks or vulnerabilities that could arise from the increased use of cloud services. While cloud providers may have robust security measures in place, only 52% of CISOs are confident they can fully enforce a consistent security policy across all applications in the cloud [7], meaning any additional security measures taken by businesses can provide extra layers of protection against malicious attacks, unauthorized access, data leakage, and other cyber threats.
In addition to helping protect sensitive data from potential threats, a holistic data protection strategy can also help businesses comply with various industry regulations such as HIPAA or GDPR. By having an adequate data protection plan in place, companies can better ensure they meet all relevant compliance standards while still taking advantage of all the benefits of using cloud-based services.
Encryption and backup are vital considerations customers should keep in mind to ensure data protection. To achieve this, customers should also consider investing in third-party vendors like Commvault that provide additional layers of security for their cloud environments to complement native tools, ensure they meet their responsibilities, and effectively protect their data.
Microsoft echoes this statement in its Services Agreement, stating that “all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result,” and that “we recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
Commvault goes beyond backup by providing a simple and unified Data Protection Platform that spans all customer data – regardless of whether legacy or modern workloads live on-premises, in the cloud, or spread across a hybrid environment. Our knowledge of cloud options and deep integrations with a broad range of cloud providers offers the integration and automation possibilities to meet your unique data management and protection requirements.
Finally, customer organizations need to have clear ownership over their data so that everyone involved knows who is responsible for what type of information and how it should be handled securely throughout its entire lifecycle. This includes identifying who has access rights over specific sets of data as well as when those rights must be revoked (e.g., after an employee leaves the organization).
By having a holistic data protection strategy in place alongside their provider’s native tools, customers can better protect their information from external threats while also ensuring their operations meet regulatory requirements as necessary.
Companies need to invest time into creating such strategies to safely take full advantage of the benefits offered by cloud computing without putting themselves at risk for costly breaches or fines due to non-compliance issues down the line.
Final Thoughts on Cloud Data Protection Strategies
With cyber-attacks increasing and nearly half of all data breaches happening in the cloud [8], organizations must take adequate measures to protect their data and environment. The Shared Responsibility Model is a crucial cloud security strategy that emphasizes an effective combination of customer responsibility in developing proactive defense plans with third-party solutions for additional layers of protection when using cloud services. To successfully implement this approach, customers must understand how responsibilities differ across providers to minimize potential risks while taking full advantage of the services offered by these platforms.
To learn more about how we protect your Cloud Environments, visit our digital transformation and SaaS-Delivered Solution pages. You can also discover more about our latest release on our what’s new page.
References
1. IDC survey, commissioned by Ermetic.
2. ESG Research Report, The Evolution of Data Protection Cloud Strategies, May 2021.
3. Gartner IT Symposium/Xpo 2021.
4. CSA, Understanding Cloud Data Security and Priorities, 2022.
5. 2021 Thales Global Cloud Security Study.
6. PwC Cyber Security Outlook 2023.
7. BlueFort Security 2022 CISO survey, via Help Net Security.
8. IBM and the Ponemon Institute, 2021 Cost of a Data Breach.