In a public cloud there can be different service models, but in all of them there is a common concept called the shared responsibility model. What does it mean?
In an on-premises datacenter, you own the responsibility for the whole stack, but as you move to the public cloud some responsibilities are transferred to the cloud provider.
As you consider and evaluate public cloud services, it’s critical to understand the shared responsibility model and which security tasks the cloud provider handles and which tasks you handle.
The workload responsibilities vary depending on whether the workload is hosted on Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in an on-premises datacenter.
And of course, they vary depending on the cloud provider.
For example, the following diagram illustrates the areas of responsibility between you and Microsoft (in Azure), according to the type of deployment of your stack.
For Amazon AWS, AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks. Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.
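To make the customer side of the AWS model concrete, here is an added example (not from the original post or from AWS) that audits a constructed inventory for exactly the items the paragraph above assigns to the customer: guest OS patching, the security group on each EC2 instance, and the encryption option on S3 data. The inventory, resource ids and the 30-day patch threshold are assumptions.

```python
from datetime import date

# Constructed sample inventory (not real account data). Only the attributes that
# fall on the customer's side of the shared responsibility model are recorded.
INVENTORY = {
    "ec2": [
        {"id": "i-example1", "os_last_patched": date(2024, 1, 5),
         "security_group_ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                    {"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "i-example2", "os_last_patched": date(2024, 5, 20),
         "security_group_ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "s3": [
        {"name": "example-bucket-a", "default_encryption": "aws:kms"},
        {"name": "example-bucket-b", "default_encryption": None},
    ],
}
AUDIT_DATE = date(2024, 6, 1)   # assumed "today" so results are reproducible
ADMIN_PORTS = {22, 3389}        # SSH and RDP: should never be open to the world


def ec2_findings(instance, today, max_patch_age_days=30):
    """Customer-owned controls on an IaaS instance: guest OS patches and security group."""
    findings = []
    age = (today - instance["os_last_patched"]).days
    if age > max_patch_age_days:
        findings.append((instance["id"], f"guest OS not patched for {age} days"))
    for rule in instance["security_group_ingress"]:
        if rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0":
            findings.append((instance["id"],
                             f"security group exposes port {rule['port']} to 0.0.0.0/0"))
    return findings


def s3_findings(bucket):
    """Abstracted service: AWS runs the platform, but encryption of the data is on the customer."""
    if bucket["default_encryption"] is None:
        return [(bucket["name"], "no default encryption configured")]
    return []


def customer_side_findings(inventory, today):
    """Collect every finding the customer, not the provider, is responsible for fixing."""
    findings = []
    for inst in inventory["ec2"]:
        findings.extend(ec2_findings(inst, today))
    for bucket in inventory["s3"]:
        findings.extend(s3_findings(bucket))
    return findings


if __name__ == "__main__":
    for resource, issue in customer_side_findings(INVENTORY, AUDIT_DATE):
        print(f"{resource}: {issue}")
```

Nothing here would be a finding against AWS: the hypervisor, physical hosts and the S3 service itself are on the provider's side of the line and do not appear in the inventory at all.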
A similar concept applies to all other cloud providers.
For all cloud deployment types, you own your data and identities. You’re responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control. Cloud components you control vary by service type.
Regardless of the type of deployment, you always retain the following responsibilities:
- Data
- Endpoints
- Account
- Access management