What is the Shared Responsibility Model?
The cloud is here and embraced by many businesses. In the case of small businesses, it has become a great way to reduce capital expenditure and ease the burdens of owning infrastructure. The cloud also provides quick access to your data and peace of mind that your data is secure, or does it? Do small businesses know the differences between security on-premises and security in the public cloud? Over the past couple of years, major cloud data breaches have been witnessed. Over 197 million Americans have had their data exposed. Verizon, Home Depot, Sony and even the Dow Jones have had their customer data leaked. If you are in the business of having customer data or even internal data resting on the cloud, then you need to be aware of the Shared Responsibility Model.
As data continues to move to the cloud, it is incumbent on the customer to ensure that they continue to meet their security, governance, and compliance requirements. The Cloud Service Provider (CSP) is responsible for protecting you against brute-force login attempts, where attackers try many passwords in the hope of eventually guessing correctly. However, the customer is responsible for ensuring that employees use unique and secure passwords to minimize the risk of account compromise. Utilizing the cloud will simplify sharing and collaboration, but the CSP is not responsible when a customer accidentally shares sensitive data in a non-compliant manner, nor does it protect against an employee downloading or deleting data before leaving to work for a competitor, as an example. Finally, the customer is responsible for following basic security best practices to protect themselves from their own employees.
When selecting an MSP (Managed Service Provider), the business owner must select a provider that is aware of the Shared Responsibility Model and can help cover the end-user responsibilities in the cloud, such as security, monitoring, and, most importantly, backup. Customers tend to believe that data residing in the cloud is backed up; however, under this model, responsibility for the data rests entirely with the customer. Without such a provider, you have no visibility or accountability into who accesses which resources, and managing compliance is virtually impossible. This substantially increases your risk of a security breach. So ask yourself: would you put your money in a bank that was not FDIC insured?