Shared Responsibility in the Divided Cloud

By

Kevin Hartwig, Director of Infrastructure Services


In the cloud computing space, it’s important to understand that using a cloud service provider (CSP) isn’t a “set it and forget it” relationship. The shared responsibility model clearly divides security, compliance, and operational tasks between CSPs and the organizations that use their services. However, nothing solidifies these concepts like seeing them in real-world examples. This article explores three brief case studies—each drawn from a different cloud service model (IaaS, PaaS, and SaaS)—to highlight how responsibilities shift across the spectrum. 


Case Study 1: Infrastructure as a Service (IaaS) 

A medium-sized retail company wanted to migrate from an on-premises data center to a cloud provider, initially planning to host its e-commerce platform on AWS using Amazon EC2 and Amazon S3 to store their assets. They needed maximum flexibility and control to integrate some existing on-premises databases and inventory-management tools with the cloud services. 

Who does what? 

Cloud Service Provider (AWS) 

  • Provided the AWS Well-Architected Framework, which describes how best to implement network security and access controls between the customer's data center and the cloud solution.  
  • Managed physical infrastructure and underlying virtualization (servers, networking, data center operations). 
  • Provided infrastructure monitoring tools (CloudWatch) and network security features such as AWS Security Groups. 

The Retail Customer 

  • At the Virtual Private Cloud (VPC) level, configured secure access controls and firewalls. 
  • Applied timely updates to their EC2 operating systems and applications.  
  • Implemented data encryption for customer credit card data (both in transit using SSL/TLS and at rest via server-side encryption in their on-prem data center). 
  • Established backup strategies, multi-region replication, and a disaster recovery plan. 

Takeaways 

  1. Monitoring with Amazon CloudWatch revealed latency issues with communication between their services and their database. A better approach would be to host the services and database in the same region and with the same cloud provider.  
  2. Early on, they accidentally left an S3 bucket open to the public. Once discovered, they quickly remediated it by tightening IAM roles and policies and using Amazon CloudFront to distribute their assets. 
  3. Setting up alerts through Amazon CloudWatch helped catch unusual spikes in resource usage, enabling the team to respond to potential security threats. 
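Two of the customer-side items above (VPC-level access controls, and the S3 bucket that was accidentally left public) are the kind of misconfiguration a team can check for mechanically. The example below is added here and is not code from the article or from AWS; it reads the JSON format of an S3 bucket policy and the `IpPermissions` structure that EC2 DescribeSecurityGroups returns, and all bucket names, account/OAI identifiers, security-group ids and CIDR ranges are constructed placeholders. It shows the open policy beside a hardened one that only lets a CloudFront origin access identity read objects, treats an anonymous principal that is scoped by a `Condition` block as a separate "review this" case rather than a public grant, and flags security-group rules that expose SSH or RDP to the whole internet.

```python
"""Configuration checks for the IaaS case study: anonymous S3 bucket-policy grants
and security groups exposing admin ports. Added example; every id/CIDR is a placeholder."""
import ipaddress
import json
from typing import Any

# Constructed sample: the "accidentally public" bucket policy pattern.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]})

# Constructed sample: reads allowed only to a placeholder CloudFront origin access
# identity, so objects are served through the CDN rather than directly.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "CloudFrontReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]})

# Constructed sample: anonymous principal, but scoped by a Condition (placeholder VPC endpoint id).
CONDITIONED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})


def _anonymous(principal: Any) -> bool:
    """True when a Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_json: str) -> dict[str, list[str]]:
    """Classify Allow statements whose principal is anonymous.

    Unconditioned grants are reported as "public"; grants carrying a Condition
    block are reported as "conditional" so a human can judge the condition.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written without a list
        statements = [statements]
    result: dict[str, list[str]] = {"public": [], "conditional": []}
    for idx, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _anonymous(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement-{idx}")
        result["conditional" if st.get("Condition") else "public"].append(sid)
    return result


# Constructed samples in the shape of EC2 DescribeSecurityGroups output (placeholder ids).
SG_OPEN = {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
SG_SCOPED = {"GroupId": "sg-EXAMPLE-scoped", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},  # admin access from the corporate range only
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}   # public HTTPS is expected for a storefront

ADMIN_PORTS = (22, 3389)  # SSH and RDP


def _world_reachable(rule: dict) -> bool:
    """A rule is world-reachable if any source range is all of IPv4 or IPv6 (prefix length 0)."""
    v4 = [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
    v6 = [ipaddress.ip_network(r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
    return any(n.prefixlen == 0 for n in v4 + v6)


def exposed_admin_ports(sg: dict) -> list[int]:
    """Admin ports this security group exposes to 0.0.0.0/0 or ::/0."""
    exposed: set[int] = set()
    for rule in sg.get("IpPermissions", []):
        if not _world_reachable(rule):
            continue
        if rule.get("IpProtocol") == "-1":  # "-1" means every protocol and port
            exposed.update(ADMIN_PORTS)
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        exposed.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return sorted(exposed)


if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY), ("conditioned", CONDITIONED_POLICY)):
        print(name, public_statements(pol))
    for sg in (SG_OPEN, SG_SCOPED):
        print(sg["GroupId"], exposed_admin_ports(sg))
```

In a live account the same functions would be fed the JSON from the bucket's policy and the dictionaries from DescribeSecurityGroups; running them on every deploy turns the "discovered it later" takeaway into a check that fails before the change ships. Note that bucket-level checks like this complement, not replace, the account-wide S3 Block Public Access setting.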

Case Study 2: Platform as a Service (PaaS) 

A SaaS startup chose to build its latest application on Azure App Service. The company appreciated the speed of development and flexibility of deployment. The platform freed them from having to worry about managing the underlying servers and operating systems on which their services ran. 

Who does what? 

Cloud Service Provider (Microsoft Azure) 

  • Provided and automatically updated the underlying OS, runtime environment, and core platform services. 
  • Managed high availability (uptime, resource availability, system availability) at the platform level and handled networking between Azure components. 

The Startup Customer 

  • Wrote secure application code and handled user authentication logic. 
  • Considered long-term needs and decided to containerize their service as part of their standard software development lifecycle (CI/CD).  
  • Ensured sensitive data stored in Azure SQL Database was encrypted at rest and followed necessary compliance practices based on their industry. 
  • Monitored for unexpected traffic on their application endpoints using Azure Monitor.  

Takeaways 

  1. Migrating away from Azure App Service could require substantial effort to re-architect the application, underscoring the importance of early planning for portability. 
  2. Because they didn’t have to manage servers directly, the developers could focus on feature development. 
  3. Using a PaaS allowed them to iterate more rapidly, enabling them to go live sooner.  

Case Study 3: Software as a Service (SaaS) 

A consulting firm adopted Salesforce for CRM. They wanted to minimize infrastructure responsibilities and leverage built-in compliance features, especially for client data. 

Who does what? 

Cloud Service Providers (Salesforce, Microsoft) 

  • Managed the software platforms, including updates, patches, and security at the infrastructure and application layers. 
  • Ensured global availability and compliance certifications (e.g., SOC 2, GDPR). 

The Consulting Firm 

  • Configured user roles and permissions, enforcing least-privilege policies. 
  • Set up data classification guidelines, ensuring sensitive client data was stored properly. 
  • Maintained endpoint security on employee devices accessing Salesforce. 

Takeaways 

  1. Mismanaging user permissions could expose confidential data, so the firm invested in robust IAM policies. 
  2. Even when using SaaS, you must still handle data governance, set retention policies, and comply with data privacy regulations. Choose a SaaS product that meets your industry and regulatory needs.  

Whether you’re adopting IaaS, PaaS, or SaaS, the underlying theme is clear: The cloud provider handles the physical and foundational aspects, while you retain responsibility for securely configuring, maintaining, and governing what you build on top of it. Understanding your data, industry segment, and general company needs will help you to choose the cloud service model that best fits your organization. As they say, “Measure twice, cut once.” By understanding and defining each party’s role at the outset, you can minimize missteps that could be costly and time-consuming to fix later on. 
