The adoption of cloud technology continues at an increasing pace, with organizations realizing the enormous benefits of moving to the cloud in terms of speed and scalability. Organizations are also learning that Managed Service Providers (MSPs) can help them manage the complexity of their information technology (IT) infrastructure. From both an operational and a security perspective, the move from traditional on-premises deployments to cloud-hosted environments and managed services may relieve many burdens. However, this transition also introduces new and unique challenges, particularly around how operational and security responsibilities are divided among the cloud service provider (CSP), the MSP, and the customer. What many organizations may not realize is that moving to the cloud or outsourcing security capabilities is not a panacea that allows them to simply point to the CSP/MSP for coverage of all of their security requirements. Security leaders need to be able to frame security and operational responsibilities in the context of the specific cloud deployment models and MSP services they use.
Although organizations have embraced and implemented cloud technologies and managed services over the past several years, there remains a general lack of understanding of where security and operational responsibilities lie. These questions become easier to conceptualize and, ultimately, to answer through the prism of the shared security responsibility model, which is intended to convey where the responsibilities of the CSP/MSP end and where the customer's responsibilities begin. Understanding the shared security responsibility model is the first step in determining where responsibilities lie for a given cloud environment and in integrating those concepts into operational processes.
Many CSPs have offerings that are authorized under, or assessed against, security standards such as the Federal Risk and Authorization Management Program (FedRAMP); however, simply using these services "out of the box" may not satisfy an organization's specific security regimen. This is typically because the organization, and not the CSP/MSP, is responsible for configuring and deploying the services in a secure and compliant manner. For example, a CSP's object storage service may hold a FedRAMP authorization, yet an access policy that leaves a storage bucket readable by anyone on the internet is a customer configuration decision, not a failure of the CSP's controls. While the CSP/MSP may well provide the tools and functionality needed to secure data in accordance with its customer's requirements, the responsibility for enabling and correctly configuring those features is divided between the CSP/MSP and the customer in a way that depends on the cloud service model and the specific services deployed.
Fortunately, some of the large CSPs publish high-level breakdowns of their responsibilities for each of their service offerings to help customers begin to frame their understanding. Google, Amazon, and Microsoft have each developed shared responsibility models that can be abstracted and applied to gain an initial understanding of how that CSP upholds its share of the security responsibilities. Smaller CSPs, security vendors, and MSPs rarely offer an equally mature breakdown, so customers of those providers must often work out the division of responsibilities themselves.
“MSPs customarily assure the organizations they support that they are the ‘one throat to choke’ or ‘the buck stops with them’ as a highly effective sales tactic. But today’s compliance requirements are forcing MSPs to not just identify their roles in the shared security responsibility model at a very granular level but to include this detail in their Service Level Agreements (SLAs) with the clients,” said Joy Beland, who owned an MSP in Los Angeles for twenty-one years.
“MSPs will have a harder time asking for the client to sign off on their portion of the responsibilities if they are not proactively working to delineate the true roles of each player and shift the mindset to cybersecurity being a team sport.”
An important concept in the shared security responsibility model is the demarcation between “security of the cloud” and “security in the cloud.” Security “of” the cloud is the CSP’s domain: the physical security controls of the traditional data center, along with the hardware, networking, and virtualization layer that host the services, including maintenance and backups of that underlying cloud infrastructure. Security “in” the cloud covers everything the customer deploys or configures on top of that infrastructure, and the division of responsibility between the CSP and the customer here depends on the service model: Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). Broadly, the customer’s share is largest under IaaS, where it typically owns operating system patching, network controls, identity and access management, and the data itself, and smallest under SaaS, where identity, access, and data classification usually remain with the customer while the CSP runs the application. Because the service offerings within each model allow for a multitude of capabilities and implementations, the exact boundary shifts from one implementation to the next and must be confirmed for each service in use.
Protecting organizational assets deployed “in” the cloud therefore requires that the adoption of cloud technology and managed services be accompanied by an understanding and adoption of the shared security responsibility model. Although this applies to everyone, organizations steeped in the traditional on-premises deployment model, where IT resources are physically contained within the organization’s own data center, will benefit most from exploring and applying the model as their resources and capabilities move to the cloud. In fact, the redundancy and elasticity inherent in cloud environments and MSP offerings may change, fundamentally and for the better, how an organization meets its security and compliance requirements.
To hear firsthand accounts from CSPs, MSPs, and customers of the challenges and solutions involved in sharing security responsibilities, join us on June 9, 2022, at RSA Conference. CForum is hosting the “Cybersecurity: What role do you play?” panel of industry experts, who will share their experiences and perspectives on defining shared responsibilities to secure their environments efficiently.