Three misconceptions about the cloud and the shared responsibility model
In one of our earlier articles we told a story that happened to a manufacturer of metal-plastic windows. The company's system administrator accused the cloud operator's technical support specialists of deleting one of the virtual machines. After a long investigation, it turned out that the VM had been deleted by another of the company's own system administrators. Such a situation could not have arisen if the administrator had clearly understood each party's area of responsibility.
The basic framework for working with cloud services is the shared responsibility model. In this article, we look at the most common misconceptions about it.
A few words about the Shared Responsibility Model
The model is based on simple logic: the cloud provider controls everything in its area of responsibility, and the cloud user controls everything in theirs.
But two more points should be taken into account. First, there may be additional services, such as security or information security (IS) services, that also have to be accounted for. Second, there are "gray areas" that can be controlled by both participants in the process. Their cooperation is often based on myths, however, and then misunderstandings arise.
Myth No.1: The provider is responsible for the security of services in the cloud
It is a mistake to believe that the operator provides 100% protection of its client's services. Responsibility is always shared between the two parties. Where the dividing line runs depends on the type of cloud infrastructure the company uses.
There are three models of cloud infrastructure:
- IaaS (Infrastructure as a Service) is used when the client gets access to a server on which they can place their entire IT infrastructure or a specific service.
- PaaS (Platform as a Service) is used when the client is given access to a platform in the cloud: an operating system, a database management system, and development and testing tools. The user can install their own software there.
- SaaS (Software as a Service) is used when the customer receives software that is operated and maintained by its developer.
The less the operator is involved, the narrower its responsibilities for the IT infrastructure. In the case of IaaS, for example, the operator is responsible for the hardware, the data storage systems, and the hypervisor (the software that allows multiple virtual computers to be hosted on a single physical server).
The customer's company ensures that passwords do not fall into the wrong hands and that its programs and operating system are protected from outside interference. Network traffic, meanwhile, sits in the "gray zone": the provider keeps the bandwidth at the permitted level, while traffic filtering remains entirely up to the customer.
Myth No.2: The operator's certifications will allow me to meet regulatory requirements
Service providers for whom the protection of their customers' data is a priority certify their infrastructure and business processes according to all the necessary information security standards, and then offer these already certified public or private environments for hosting the client's services. But migration to the cloud does not exempt the customer from certification.
Every business that collects, stores and transmits the personal, medical or payment data of its customers must protect it on three levels:
- physical (storage of physical equipment)
- virtual (virtual infrastructure)
- software (site, application or service, etc.)
If the client uses IaaS or PaaS services, the provider's certificate covers the first two levels. The software level is the responsibility of the user of the cloud services. In other words, the customer is provided with an isolated virtual environment to which only they have access, and they must certify what is placed there separately.
If the business wants to change its provider, the certification will have to be passed again.
Myth No.3: After migrating to the cloud, I will not need to deal with administration or backups
Renting cloud capacity includes maintenance, updates and support of the virtual infrastructure, operated according to the stated SLA. Everything placed in it belongs to the customer, so installing and updating software, configuring the network and administering their own infrastructure in the cloud is entirely on the customer's side.
The same goes for backups. Very often, clients assume that backups come with the cloud infrastructure, or that they are made by default. They are wrong. Backup is a service ordered in the same way as a public or private cloud: the provider makes the backup service available, and it is up to the business's IT professionals to configure and monitor it properly.
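The monitoring step that the paragraph above leaves with the customer's IT staff, as an added example that is not part of the original article: a Python check that walks an inventory of workloads and the backup jobs recorded by the provider's backup service, and flags every workload whose latest backup is missing, older than the allowed age, never restore-tested, or fails its checksum comparison. The workload names, job records, the two-day age limit and the `verified_sha256` field are all constructed assumptions for this example, not data from any real provider.

```python
"""Backup coverage check for customer-owned workloads in a rented cloud.

The provider offers a backup service; configuring and monitoring it stays with
the customer. This script models the monitoring half: it compares an inventory
of workloads against the backup jobs that actually ran and reports the gaps.
All inventory, job records and thresholds below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupJob:
    workload: str
    finished_at: datetime
    status: str                      # "success" or "failed"
    sha256: str                      # checksum recorded when the backup was written
    verified_sha256: Optional[str]   # checksum from a restore test, None if never restored


def digest(text: str) -> str:
    """Helper to build constructed checksums for the sample data."""
    return hashlib.sha256(text.encode()).hexdigest()


def latest_successful(jobs: List[BackupJob], workload: str) -> Optional[BackupJob]:
    """Most recent job with status 'success' for a workload, or None."""
    ok = [j for j in jobs if j.workload == workload and j.status == "success"]
    return max(ok, key=lambda j: j.finished_at) if ok else None


def check_backups(workloads: List[str], jobs: List[BackupJob],
                  now: datetime, max_age: timedelta) -> Dict[str, str]:
    """Return {workload: reason} for every workload that fails the backup policy.

    A workload passes only if its latest successful backup is recent enough,
    has been restore-tested, and the restore produced the recorded checksum.
    """
    findings: Dict[str, str] = {}
    for w in workloads:
        job = latest_successful(jobs, w)
        if job is None:
            findings[w] = "no successful backup on record"
        elif now - job.finished_at > max_age:
            age = (now - job.finished_at).days
            findings[w] = f"last successful backup is {age}d old (limit {max_age.days}d)"
        elif job.verified_sha256 is None:
            findings[w] = "backup never restore-tested"
        elif job.verified_sha256 != job.sha256:
            findings[w] = "restore test checksum mismatch"
    return findings


# ---- constructed sample data ------------------------------------------------
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=2)
WORKLOADS = ["erp-db", "web-frontend", "file-share", "crm", "mail"]
JOBS = [
    # erp-db: an old job and a fresh, restore-tested one; only the latest counts
    BackupJob("erp-db", NOW - timedelta(days=8), "success",
              digest("erp-db-old"), digest("erp-db-old")),
    BackupJob("erp-db", NOW - timedelta(days=1), "success",
              digest("erp-db-new"), digest("erp-db-new")),
    # web-frontend: verified, but the last success is ten days old
    BackupJob("web-frontend", NOW - timedelta(days=10), "success",
              digest("web"), digest("web")),
    # file-share: the only job on record failed
    BackupJob("file-share", NOW - timedelta(days=1), "failed",
              digest("files"), None),
    # crm: fresh backup that nobody has ever tried to restore
    BackupJob("crm", NOW - timedelta(hours=1), "success",
              digest("crm"), None),
    # mail: restore test produced a different checksum than the backup claims
    BackupJob("mail", NOW - timedelta(hours=6), "success",
              digest("mail"), digest("corrupt")),
]


def run_report() -> Dict[str, str]:
    """Run the policy check over the constructed data."""
    return check_backups(WORKLOADS, JOBS, NOW, MAX_AGE)


if __name__ == "__main__":
    for workload, reason in sorted(run_report().items()):
        print(f"{workload:14s} {reason}")
```

The check deliberately treats "a backup exists" and "a backup is known to restore" as different states: a job that finished with status `success` but was never restore-tested is still reported, because until a restore has reproduced the recorded checksum the customer has no evidence the copy is usable.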
Migration to the cloud does not completely relieve a business of IT-related tasks. But it does take a large part of the work off the IT department, which lets it focus on developing the company rather than on supporting the IT infrastructure.
Earlier we explained what SLA is and why it cannot be 100%.