Cloud Technology

How exactly does the Shared Responsibility Model work in multi-cloud security deployments?

SA Asked by Sarah Miller · 14-05-2024
0 upvotes 12,477 views 0 comments
The question

I am currently preparing for my CCSP certification and I am getting a bit confused about the Shared Responsibility Model. If our company is using a mix of AWS for hosting and a third-party SaaS for CRM, who is ultimately liable if a data breach occurs due to an unpatched operating system versus a misconfigured S3 bucket? It seems like a gray area when you scale across different vendors and service models. 

3 answers

0
EM
Answered on 15-05-2024

The Shared Responsibility Model is the cornerstone of cloud security, but it changes based on the service type (IaaS, PaaS, or SaaS). For an unpatched OS in an IaaS environment like AWS EC2, the responsibility lies entirely with your organization. However, for a SaaS platform, the provider manages the underlying infrastructure and OS patching. A misconfigured S3 bucket is almost always the customer's fault due to improper IAM policies or public access settings. Always consult your provider's specific Service Level Agreement (SLA) to define these boundaries clearly for your security audits. 

0
MI
Answered on 16-05-2024

This is a great point, but have you considered how this model shifts when you introduce serverless functions like AWS Lambda? In that case, does the provider handle more of the runtime security, or are we still on the hook for the application code vulnerabilities?

DA 17-05-2024

For serverless environments, the provider manages the underlying server and runtime environment, but you remain strictly responsible for the security of your code and the data it processes. You must ensure your IAM roles follow the principle of least privilege so the function cannot be exploited to access other cloud resources.

0
JE
Answered on 18-05-2024

In short, the provider secures the "Cloud" (physical hardware and virtualization), while you secure what is "In the Cloud" (data, apps, and access). 

SA 19-05-2024

Spot on! Most people forget that the provider can't protect you from your own weak passwords or poorly configured firewall rules.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session