Shared Fate: A Progressive Approach to Efficiently Manage Cloud Risk

Cloud Security Breaches and the Limitations of the Shared Responsibility Model

Cloud security breaches are not uncommon, and when they occur, finger-pointing often ensues. The established shared responsibility model of cloud security, which designates certain responsibilities to both cloud users and cloud service providers (CSPs), has its limitations. However, by building upon its foundations and addressing its shortcomings, both parties have the opportunity to work together towards a more secure cloud future.

Who “Owns” Cyber Risks?

Under the shared responsibility model, the responsibilities of cloud users and CSPs vary depending on the specific cloud services being utilized. Generally, the CSP is responsible for defending against threats to the cloud infrastructure, while the customer is responsible for securing their data and applications within the cloud. However, as cloud adoption has grown, it has become clear that the hard boundaries defining these responsibilities are unrealistic to maintain in many areas of security.

Furthermore, customers often expect the CSP to take on more cybersecurity responsibility than it actually does. In reality, the most effective way to defend against or respond to cyber threats is through collaboration and cooperation between customer and CSP security teams.

Limitations of the Shared Responsibility Model

The shared responsibility model has several inherent limitations:

  1. Lack of technical expertise on the customer side: Some customers may lack the necessary technical skills and resources to handle their side of cloud security effectively. Pushing these responsibilities onto customers alone may invite costly cybersecurity incidents and strain the customer-CSP relationship.
  2. More than two parties involved: Cloud environments often involve not just the customer and CSP but also resellers and managed service providers. This complex network of stakeholders complicates the delineation of responsibilities and requires clearer guidelines.
  3. Default setting confusion: Many cloud security partnerships falter due to uncertainty regarding default security settings. Cloud customers may be unclear about who is responsible for adjusting these settings, leading to potential vulnerabilities.

After years of real-world experience, it is evident that the shared responsibility model is insufficient. Merely placing more burdens on cloud customers to fill the gaps will not rectify the problem. There is a need for an updated cloud security paradigm that provides practical solutions and encourages collaboration.

The Shared Fate Model: A Collaborative Approach

Google’s shared fate model represents the next stage in evolving beyond the traditional shared responsibility model for cloud security. Under this new approach, the CSP takes on a more proactive role by offering guidance during the deployment stage, as well as ongoing recommendations and tools for maintaining security.

The shared fate model acknowledges the limitations of shared responsibility and aims to bridge those gaps. It incorporates elements such as secure-by-default infrastructure, security foundations, and secure blueprints to alleviate some of the security burdens on customers’ teams. Additionally, in complex cloud environments involving multiple stakeholders, the model provides guidelines for arranging workflows and responsibilities, rather than leaving customers to figure it out alone.

Moreover, the shared fate model places a greater emphasis on cyber insurance, recognizing it as a crucial aspect of responsible security. Cyber insurance offers assistance to cloud customers in the event of a cyber incident.

In essence, shared fate represents a shift towards meeting customers where they are and helping them move closer to where they want to be in terms of cloud security. While customers always bear some level of responsibility, the shared fate model offers a more pragmatic and efficient approach to managing cyber risks.

Editorial: Collaboration for a Secure Cloud Future

In the realm of cloud security, finger-pointing after a breach does little to protect data or prevent future incidents. Calls for a new cloud security paradigm that encourages collaboration and cooperation between cloud users and CSPs are not without merit. The shared fate model introduced by Google exemplifies the direction in which the industry should move.

It is imperative to recognize that cloud security is not simply about assigning blame or deciding who does what; it is a collective responsibility to ensure the safety and integrity of digital assets. The limitations of the shared responsibility model have shown that a more progressive and inclusive approach is needed.

The shared fate model offers the foundation for a more secure cloud future, where proactive involvement from CSPs and clearer guidelines for responsibilities result in better protection against cyber threats. By providing customers with the necessary tools, recommendations, and support, CSPs can empower them to strengthen their cloud security posture.

Embracing collaboration also demands that customers invest in the development of their internal IT teams and cloud security skills. With a diverse range of stakeholders involved in cloud environments, effective collaboration and communication among all parties are essential.

Advice: Navigating Cloud Security Challenges

As organizations increasingly rely on cloud services, it is crucial to navigate the challenges of cloud security effectively. Here are some recommendations for cloud users and CSPs:

For Cloud Users:

  1. Invest in building a skilled and knowledgeable internal IT team with cloud security expertise.
  2. Seek comprehensive training and education for IT personnel to enhance their cloud security skills.
  3. Stay updated on evolving cloud security practices and industry standards.
  4. Engage in open and continuous communication with CSPs regarding security expectations and responsibilities.
  5. Implement proper access controls, encryption measures, and data backup strategies.
  6. Consider cyber insurance as an additional layer of protection.
  7. Monitor and regularly review cloud security configurations and settings.

For Cloud Service Providers:

  1. Implement secure-by-default infrastructure and provide robust security foundations to customers.
  2. Offer clear guidelines and resources for customers to configure cloud security settings effectively.
  3. Proactively engage with customers during the deployment stage and provide ongoing guidance and support.
  4. Invest in continuous improvement of cloud security practices and technologies.
  5. Collaborate with other stakeholders, such as resellers and managed service providers, to align on security expectations.
  6. Consider offering cyber insurance as part of the security package, providing customers with extra protection.
  7. Regularly communicate security updates, best practices, and emerging threats to customers.

Conclusion

Transcending the limitations of the shared responsibility model and embracing a more collaborative approach to cloud security is imperative for a more secure cloud future. The shared fate model introduced by Google provides a framework that empowers both cloud users and CSPs to work together in managing cyber risks effectively.

As cloud adoption continues to grow, it is crucial to prioritize effective collaboration, invest in developing cloud security skills, and ensure clear guidelines and responsibilities. By doing so, organizations can navigate the complexities of cloud security and build a resilient ecosystem that safeguards valuable data and applications.
