Cloud Security 14 Feb 2023

Cloud security: Where do CSP and client responsibilities begin and end?

All of the major public clouds — such as AWS, Microsoft Azure, Oracle Cloud and IBM Cloud — observe what’s known as a “shared security model.” This, according to (ISC)2, means that an organization is responsible for security “in” the cloud and CSPs are responsible for ensuring the security “of” the cloud. These responsibilities vary based on software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) deployment. With IaaS, the hardware responsibility becomes diminished for the cloud customer, according to (ISC)2. Similar responsibility shifts are true of PaaS and SaaS models. “These models keep the customer off the upgrade treadmill, leveraging the expertise of the cloud provider,” according to the nonprofit. Still, the practical application is “where things can get tricky,” (ISC)2 cautions. Without expertise, executives can be “lulled” into the notion that a provider solves all of their cybersecurity problems. Naturally, with IaaS, the cloud provider is responsible for virtualization/cloud infrastructure and physical facets, Hevesi explained. PaaS providers are responsible for the same, in addition to virtual network and service orchestration. They share workload responsibilities with the client. The responsibility of SaaS providers ramps up; they are responsible for workload, and share responsibility when it comes to the application API and application areas.