{"id":70598,"date":"2023-03-01T18:13:35","date_gmt":"2023-03-01T23:13:35","guid":{"rendered":"https:\/\/www.commvault.com\/?p=70598"},"modified":"2023-11-14T12:14:29","modified_gmt":"2023-11-14T17:14:29","slug":"understanding-the-shared-responsibility-model","status":"publish","type":"post","link":"https:\/\/www.commvault.com\/blogs\/understanding-the-shared-responsibility-model","title":{"rendered":"Understanding the Shared Responsibility Model: Why You Need a Holistic Data Protection Strategy"},"content":{"rendered":"\n

The cloud has revolutionized how businesses operate, allowing them to take advantage of its scalability and flexibility while reducing costs. However, protecting data remains a critical challenge, with 98% of businesses reporting a cloud data breach within 1.5 years<\/strong>1<\/sup>,<\/strong> according to IDC research – highlighting the need for organizations to take additional measures to protect their data.<\/p>\n\n\n\n

Cloud service providers understand the importance of safeguarding data and applications within their environment and have developed a Shared Responsibility Model (SRM). This model requires businesses to take ownership of securing their data and applications within the cloud environment. <\/p>\n\n\n\n

Cloud providers have different approaches to protecting data, which adds to the complexity, and businesses need to understand the specific details and nuances from provider to provider.<\/p>\n\n\n\n

As such, customers must develop a holistic data protection strategy to ensure they have the necessary controls to protect their data even when relying on native tools included by their provider. This post will explore what this model means for customers and why it is essential to have a comprehensive data protection strategy across cloud and hybrid environments to use cloud services safely and securely.<\/p>\n\n\n\n

Why are businesses increasing their adoption of cloud computing?<\/h3>\n\n\n\n

Cloud computing has extended the possibilities for businesses and provides many advantages. Having workloads, applications, and services running on the cloud or hybrid environments gives businesses greater flexibility and incredible scalability to accommodate growth. In addition to these valuable benefits, having a wide variety of software as a service (SaaS) applications delivered via the cloud enhances operations, optimizes resource utilization, and brings agility and efficiency to business workloads. It\u2019s no surprise that most companies have already embraced the cloud or are actively transitioning workloads, with Gartner estimating that over 95% of new digital workloads will be deployed on cloud-native platforms by 2025<\/strong>3<\/sup>.<\/p>\n\n\n\n

Another key advantage that makes cloud computing so attractive is that it allows users to access data and applications quickly and easily without requiring advanced technical knowledge or expertise. This makes it easier for businesses to deploy applications and manage data in less time \u2013 something that would otherwise require significant technical know-how or experience with traditional IT environments.<\/p>\n\n\n\n

For these reasons, more and more companies are turning to cloud computing to manage their data and applications. The SRM ensures that both customers and providers understand what needs to be secured within the cloud environment so that companies can take full advantage of this technology safely and securely.<\/p>\n\n\n\n

What is the Shared Responsibility Model?<\/h3>\n\n\n\n

The Shared Responsibility Model (SRM) is a cloud security strategy that states that while cloud providers are responsible for securing their service infrastructure, customers are responsible for securing their data and applications within the cloud environment. This division of accountability is designed to ensure that both parties understand what needs to be secured and how it should be done. This model allows companies to use cloud services’ scalability and flexibility while having faith in their provider’s ability to maintain a secure infrastructure.<\/p>\n\n\n\n

To use cloud services safely and securely, customers must understand their role in the SRM. This means developing a holistic data protection strategy that considers their provider’s native tools and any additional security measures the customer might need to put in place. By doing so, customers can better protect their data from threats such as malicious attacks, unauthorized access, data leakage, and more.<\/p>\n\n\n\n

What Are Cloud Providers Responsible For?<\/h3>\n\n\n\n

Cloud providers are responsible for the security and privacy of their cloud computing infrastructure, including physical security, data storage, network protection, host firewalls, access control, and software vulnerability patching. They must also ensure that their services meet legal and regulatory compliance requirements. In addition to providing all these critical components of a secure cloud environment, they are also responsible for the operational integrity of their system, ensuring its availability, scalability, fault tolerance, performance optimization, cost management, and overall reliability.<\/p>\n\n\n\n

Each provider supplies a detailed description of what it covers. For example, in its simplest form, AWS states explicitly that they are \u201cresponsible for protecting the infrastructure that runs all of their services in the AWS Cloud<\/a>.\u201d<\/p>\n\n\n\n

Another critical responsibility of cloud providers is to keep their customers informed of any changes or updates to their platforms or services. This includes alerting customers when a new security patch has been released or a service is no longer supported. Providers should also have a well-defined process for responding quickly and efficiently to any security incidents that arise.<\/p>\n\n\n\n

Cloud providers should also have rigorous identity management practices to control who has access to the customer’s data within the cloud environment. This includes authenticating user identities with multi-factor authentication methods and regularly reviewing permissions associated with each account to ensure only authorized personnel can access sensitive information.<\/p>\n\n\n\n

Finally, cloud providers should be transparent with customers about how they are protecting their data and should inform them of any new changes or compliance updates that may affect their operations.<\/p>\n\n\n\n

How can responsibilities differ across cloud providers?<\/h3>\n\n\n\n

While the Shared Responsibility Model can initially seem simple, cloud providers have different approaches to securing their customers\u2019 data, meaning their responsibilities can vary significantly. For example, some cloud providers may have more stringent access control policies than others, meaning customers may require higher levels of authentication or authorization when accessing their accounts and data.<\/p>\n\n\n\n

Other providers also offer different tools and features that customers can use to protect their data. Some might provide advanced encryption and essential management services that customers can use to ensure their information is safe in the cloud. Others may provide customers with granular auditing capabilities to track and monitor who has accessed specific files or directories within their environment.<\/p>\n\n\n\n

Furthermore, the security requirements of each provider will differ based on the type of cloud services they offer. Microsoft details<\/a> how the division of responsibility changes between customers and Microsoft, according to the deployment type. Infrastructure as a Service (IaaS) providers typically require customers to maintain responsibility for protecting the operating system, applications, and data stored within their virtual machines, whereas Platform as a Service (PaaS) providers often offer more capabilities out-of-the-box, such as managed databases, web servers, and development frameworks \u2013 all of which must be configured according to the customer\u2019s security requirements.<\/p>\n\n\n\n

Finally, customers need to remember that while cloud providers are responsible for providing secure environments and tools, there are no assurances that customer data will remain private or secure if companies do not adequately implement best practices regarding access control, encryption, and other necessary measures. That said, businesses must understand what each provider is responsible for regarding data protection to choose the right partner for their needs.<\/p>\n\n\n\n

Companies should carefully review each cloud provider\u2019s responsibilities to know precisely what they are responsible for, versus their service provider, when protecting their data from malicious actors and misconfigurations and when meeting compliance requirements.<\/p>\n\n\n\n

What Are Customers Responsible For?<\/h3>\n\n\n\n

Cloud data is subject to the same responsibilities as any on-premises computing system, yet many companies remain unaware of this fact. The Shared Responsibility Model outlines that customers are responsible for securing the data and applications within a cloud environment – yet research has found that only 39% of organizations are confident in their ability to do so effectively<\/strong>4<\/sup>.<\/strong><\/p>\n\n\n\n

Ensuring these responsibilities are met requires implementing additional security measures such as backup and recovery, encryption, identity and access management, and monitoring.<\/p>\n\n\n\n

Key Data Protection Considerations<\/strong><\/p>\n\n\n\n