You’re driving a long, dark road on a rainy night. If you’re driving 20 miles over the speed limit and you don’t step on the brakes when the car in front of you comes to a sudden stop, is it your fault or your car manufacturer’s fault if you rear-end the car that is in front of you?
When we drive, we seamlessly understand that there are some things we depend on the manufacturer to provide (brakes that work, airbags that deploy) and some things we’re responsible for (using the brakes when needed, not turning off the airbag protection).
This is the concept of shared responsibility and was a core topic at this year’s Cybersecurity Law Institute panel – “Vendors and Cloud-Based Solutions: How Can All Stakeholders Protect Themselves?”
When it comes to cloud computing and data protection, it is a shared responsibility between the cloud service provider (CSP) and the customer that is analogous to the relationship between the car owner and car manufacturer.
While the fundamentals of shared responsibility between drivers and car manufacturers seem relatively straightforward, it’s not always as clear-cut when analyzing the responsibilities between customers and CSPs for protecting cloud data.
The cloud, as a relatively new architectural model for many organizations, is unique because there are multiple service models, each of which shifts responsibilities between customers and CSPs. For example, in Software as a Service (SaaS) applications, customers can configure only the application-layer software. But moving down the stack to Infrastructure as a Service (IaaS), customers take on responsibility for configuring and managing the servers they have stood up in the cloud.
While on the Georgetown Law Institute panel in D.C., I explained how Microsoft views the shared responsibility model as a working partnership with customers, so that they are clear on what we provide and what their responsibilities are across the stack. To be sure, there are some perceptible shifts in responsibility from one service model to the next, which are illustrated in the graphic below.
The left-most column shows seven responsibilities that customers should consider when using the different cloud service models. The model shows that customers are responsible for ensuring that data classification is done correctly and that the solution complies with their regulatory obligations. Physical security falls to the CSP, and the remaining responsibilities are shared. Note that this is a general rule of thumb; every customer should talk to its CSP to confirm that the responsibilities are clearly outlined and meet the organization's needs.
Once a customer has a solid handle on what the CSP is providing, consider the three tips below for managing the shared responsibilities, which can include network controls, host infrastructure, endpoint protection, application-level controls, and access management.
Consult the STARs
The CSA STAR registry consists of three levels of assurance, which cover four unique offerings based on a comprehensive list of cloud control objectives. Here customers can see which controls a provider has attested to. STAR also helps customers assess different providers using a harmonized model. It's also important to ask the CSP whether it has completed a SOC 2 Type 2 assessment. This assessment is based on a mature attestation standard and ensures that the evaluation takes place over a period of time rather than at a single point in time, among other benefits.
(Really!) Read the contracts
Yes, it's tempting to skip over the long legalese, but the nuances of a contract between a customer and CSP can go a long way in helping each side understand its shared responsibilities. For example, the contract may allow for certain levels of transparency between the two, such as allowing the customer to see an audit or compliance report. However, remember that seeing an overview isn't the same as being able to read every page of the report, so a customer should know exactly what level of transparency it is getting. Customers should also be certain there are clear roles and escalation paths that make sense, so that if something goes wrong or a decision needs to be made about shutting off a service or reporting a breach, it can be done without hesitation. And don't forget to engage your own counsel during contract review; no one understands legalese as well as a lawyer.
Follow the guides
To help organizations understand ways to protect their data in the cloud, Microsoft has blueprint guides for use cases such as the FFIEC and HIPAA regulations. We also have tools to help companies manage and improve their cloud controls, including Compliance Manager and Secure Score. Compliance Manager enables organizations to manage their compliance activities from one place. Secure Score is an assessment tool designed to make it easier for organizations to understand their security posture relative to other organizations, while also advising on which controls they should consider enabling.
Microsoft takes its side of the shared responsibility model seriously and is continually looking for ways to help customers identify weaknesses and put action plans in place to shore them up. Much as car manufacturers continually iterate to make cars safer, these safety enhancements are meant to lessen the burden of the driver's responsibilities, not remove them entirely. When it comes to protecting data, if you keep your eyes on the road, we'll make sure the brakes are working.
For more information on shared responsibilities for cloud computing, read this comprehensive white paper.