Reading Time: 3 minutes

In a public cloud there can be different service models, but in all of them there is a common concept called: shared responsibility model. What does it means?

In an on-premises datacenter, you own the responsability of the whole stack, but as you move to the public cloud some responsibilities are transfer to the cloud provider.

As you consider and evaluate public cloud services, it’s critical to understand the shared responsibility model and which security tasks the cloud provider handles and which tasks you handle.

The workload responsibilities vary depending on whether the workload is hosted on Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in an on-premises datacenter.

And of course, they vary depending the cloud provider.

For example, the following diagram illustrates the areas of responsibility between you and Microsoft (in Azure), according to the type of deployment of your stack.

Diagram showing responsibility zones.

For Amazon AWS, AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks. Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.

Similar concept are appliable for all others cloud proviers.

For all cloud deployment types, you own your data and identities. You’re responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control. Cloud components you control vary by service type.

Regardless of the type of deployment, you always retain the following responsibilities:

  • Data
  • Endpoints
  • Account
  • Access management
Share

Related Posts

  • Free cloud services for SMB

    In a previous post (Approaching the SMB segment), I've already considered some solutions and approaches for SMB. Public cloud (especially in a SaaS form) could be an interesting way in several scenarios. The interesting aspects is that there are several services also for free, valuable…

  • Are public cloud services really cheaper?

    One myth of public cloud services is that is cheaper compared to private services, but it's (or it could be) wrong. The reality is that you don't have CapEx and you have usually monthly OpEx. But in the long (or sometimes also in the short)…

  • IaaS vs. PaaS vs. SaaS

    Uno dei tanti temi interessanti emerso dal recente Cloud Communities Day, svoltosi lunedì 22 a Milano e con la presenza di varie community, oltre che di analisti e di accademici, è stato quale potesse essere il tipo di cloud più interessante. Limitandoci ai tre tipi…