We are designing our cloud security framework for our IaaS deployment, and understanding the Shared Responsibility Model is critical. We know the provider secures the physical facility, but where does the line cut off regarding areas like the Operating System, the virtualization layer, Identity and Access Management (IAM), and data encryption? I need clarity on which elements we, the customer, are fully accountable for to avoid any gaps in our enterprise's security posture and compliance.
3 answers
In the IaaS Shared Responsibility Model, the cloud provider is responsible for "Security of the Cloud"—covering the physical facility, physical network, and the virtualization layer (hypervisor). The customer is responsible for "Security in the Cloud." This includes the Operating System (guest OS patching and configuration), the application code, the runtime, all data encryption (at rest and in transit), network configuration within the virtual network (VPC), and especially Identity and Access Management (IAM) for all users and services. Any unpatched OS vulnerability or misconfigured IAM policy is the customer's accountability, making it crucial to implement strict patching and access control protocols.
Regarding data encryption, since the provider handles storage infrastructure, does the IaaS provider automatically encrypt data at rest, or is the customer strictly responsible for implementing and managing the encryption keys for all storage volumes and objects?
The IaaS provider secures the physical infrastructure and virtualization. The customer is responsible for securing the Operating System, applications, all data encryption, and managing Identity and Access Management (IAM). This customer responsibility is a key differentiator from the PaaS model.
That's right. The customer must also manage the configuration of virtual firewalls and Network Security Groups within the virtual network provided by the IaaS platform to control traffic flow and access to their virtual machines.
While most major IaaS providers offer default encryption for block and object storage volumes, the customer is responsible for ensuring it is enabled and often has the option (and responsibility for security) of using Customer-Managed Keys (CMK) via a service like a Key Vault. Best practice dictates that the customer takes ownership of managing these encryption keys, as this is a fundamental component of securing their data and maintaining full control as mandated by the Shared Responsibility Model in a highly regulated enterprise environment.