Shared Responsibility Model for Cloud Security
In Amazon's cloud service offering (AWS), customers carry a share of the responsibility for information security in the cloud. This is not an unusual model in security: most information security management systems require responsibility in all segments and from all stakeholders, including end users. The Shared Responsibility Model makes a clear distinction between the roles of those maintaining the cloud and those using it.
The AWS Shared Responsibility Model deals with responsibility for “security of the cloud” and “security in the cloud”. It clearly defines that “security of the cloud”, such as facilities, physical security of the data centre, network infrastructure, and the virtualization platform and infrastructure, is the responsibility of AWS, while “security in the cloud”, such as VM and guest OS security, data in motion, data in use and data at rest, credentials, policies and configurations, is the responsibility of the user.
This segregation of responsibility is intended for the AWS IaaS offering. For offerings like PaaS and SaaS, OS, network and firewall configuration as well as Identity and Access Management are the responsibility of the Cloud Service Provider (CSP), while data remains the responsibility of users.
It is very important to note that IaaS, PaaS and SaaS offerings, though they differ in whether VMs, OS and network/firewall configurations are part of the user's responsibility, still share a common concern: data security is the responsibility of users. Data security is the main cloud security concern, and whether or not the CSP deploys a Shared Responsibility Model, (probably) the only way to provide a technical control for data security in the cloud is to deploy client-side encryption. Relying on the CSP to provide that level of security assurance, whether by means of legal, administrative or technical controls within or outside the shared responsibility model, violates the basic nature of security assurance that is at the core of the very definition of the Shared Responsibility Model.
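The client-side encryption control described above, as an added example (not from the original post or from AWS): envelope encryption with Node's built-in `crypto` module. The in-memory `providerStore` map is a hypothetical stand-in for the CSP's object storage, and `seal`, `open`, `putObject` and `getObject` are illustrative names.

```javascript
// Added illustration: client-side envelope encryption with Node's built-in crypto.
const crypto = require('crypto');

// Hypothetical stand-in for the provider's object store; it only ever holds ciphertext.
const providerStore = new Map();

// AES-256-GCM encrypt; `aad` binds the ciphertext to a context (here the object name).
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt and verify; throws if the ciphertext, tag or AAD were altered.
function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Customer side: encrypt under a one-off data key, wrap that key with the
// customer-held key-encryption key (KEK), and upload only the results.
function putObject(kek, name, plaintext) {
  const dataKey = crypto.randomBytes(32);
  const record = {
    body: seal(dataKey, Buffer.from(plaintext), name),
    wrappedKey: seal(kek, dataKey, name),
  };
  providerStore.set(name, record);
}

// Customer side: unwrap the data key with the KEK, then decrypt the body.
function getObject(kek, name) {
  const record = providerStore.get(name);
  const dataKey = open(kek, record.wrappedKey, name);
  return open(dataKey, record.body, name).toString();
}

// Constructed sample data; the KEK never leaves the customer's environment.
const kek = crypto.randomBytes(32);
putObject(kek, 'reports/q1.txt', 'constructed sample payroll data');
console.log(getObject(kek, 'reports/q1.txt'));
```

Because the object name is passed as additional authenticated data, a record copied to a different name in the store fails verification, as does any record whose ciphertext has been modified.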
References
Amazon, 2015. AWS Shared Responsibility. Available at: http://aws.amazon.com/compliance/shared-responsibility-model/
lol! Next assignment on Monday: do a risk assessment on and identify demarcation of responsibilities for an IaaS setup running an RODC. Coincidence? There is NOT such a thing ;)