A Guide to Understanding the Shared Responsibility Model for DevOps Users
When developer project data is stored in-house on company servers and storage, the responsibility of who is responsible for protecting the data is clear. However, as development project management, coordination, and documentation tools have shifted to SaaS service, customers are less clear about who is responsible for their SaaS data protection.
According to an ESG report commissioned by Asigra, 88% of respondents believe that their SaaS provider is either fully or partially responsible for protecting their SaaS data. 33% believe the SaaS vendor is fully responsible for their data if anything goes wrong.
The reality is that there is a shared responsibility for data protection between SaaS providers and their customers. Ignorance of the shared responsibility model and cloud security model to protect their own data can lead to loss of critical data for customers. (51% of customers surveyed noted that they had data loss or corruption in the past year.) Yet over 59% of customers need help to protect their SaaS resident data.
As more DevOps functions are managed by various cloud service providers, like Atlassian (Jira and Confluence), GitHub, Bitbucket, or any other deployment application, cloud-shared responsibility issues will often arise. When they do, it’s essential to have a clear understanding and insight into how it affects your ability to assure your DevOps teams can avoid data loss that leads to productivity losses.
That’s why we’ve compiled a comprehensive guide to the shared responsibility model in the cloud from a DevOps perspective for you here.
What is the Shared Responsibility Model?
What is the principle of shared responsibility? If you’ve ever lived in a condo, booked a hotel room, or rented an Airbnb, you already have an idea of what is meant by “shared responsibility.” You are responsible for some assets, while the proprietor is responsible for others. For example, in a condo – the management companies are responsible for the structure of the building. At the same time, unit owners are responsible for everything inside their unit, including the inside walls, electrical, and plumbing. An Airbnb or hotel is different – the host is responsible for everything except what the guest brings (their clothes and luggage).
What is the principle of shared responsibility when it comes to cloud services? In the simplest terms, a SaaS shared responsibility model is a framework of security and compliance measures designed to highlight the responsibilities of both users and cloud service providers when protecting their business-crucial data and assets stored on the cloud.
The shared responsibility model establishes how cloud providers (IaaS, PaaS, and SaaS) monitor and respond to security threats and issues affecting the overall cloud infrastructure. Like a condo, most cloud providers are responsible for the operation and protection of the overall infrastructure. Customers are often responsible for safeguarding their data and assets stored on the cloud.
There are some common misconceptions regarding the shared responsibility model, the most prominent being that a cloud provider is responsible for protecting all end users’ particular assets (i.e., data) stored within that environment. This isn’t true, and such misconceptions can open a Pandora’s box of issues for service providers and customers, significantly if an outage, a user error, or a malicious attack impacts the customer’s data. (Read any of your cloud providers' terms of service, and you will quickly see they do not take responsibility for your data.)
The Cloud Responsibility Matrix: Shared Responsibility Models for Varying Cloud Delivery Systems
There are three main cloud service models, each one boasting its own unique cloud shared responsibility models that DevOps teams should keep in mind. These are:
Infrastructure-as-a-Service (IaaS): With this type of cloud delivery system (like AWS Amazon Web Services, or Google Cloud) cloud vendors provide various cloud resources for cloud users, such as connected or virtual storage and network equipment, virtual servers, virtualization layers, physical layers, and other physical infrastructure to support development. In the IaaS, shared responsibilities mean the business solely manages the security of anything owned or installed on the cloud infrastructure. At the same time, the provider is responsible for network security controls and physical security.
Platform-as-a-Service (PaaS): With the PaaS model, business and DevOps teams purchase a platform designed to develop, manage, and run applications. In most cases, the cloud PaaS provider will equip users with the software and hardware needed for application development; they’re also entirely responsible for the platform's security responsibilities, taking the burden off users’ shoulders. Cloud security failures are generally the fault of the provider.
Software-as-a-Service (SaaS): This cloud service is where providers will offer a software delivery system that is hosted centrally on the cloud via a specific application. In this model, the SaaS provider is responsible for the application maintenance, management, and security configuration. However, it’s important to note that those using SaaS cloud services should still take backup precautions, as many such systems are still vulnerable to breaches and cyberattacks.
It is important to note that the responsibility for information and data resides with the customer, not the cloud provider in all three cloud models. In general, the cloud service provider is responsible for securing the overall infrastructure for uptime and recovery in the event of a global challenge, and most have incredibly robust disaster recovery and business continuity plans in place. If all their customers’ data is lost, they have backups. However, they are not responsible if a customer’s data is lost. And they aren’t responsible if a customer is individually impacted by user error, malicious actors, or data corruption.
Source: Microsoft Azure Shared Responsibility in the Cloud
What Are the Benefits of the Shared Responsibility Model?
There are several benefits managed service providers have when operating under a shared responsibility model with cloud providers, one of the leading being that it can drastically improve the efficiency of your operations. Although end-users bear much of the responsibility for security under shared responsibility models, the cloud service provider often manages key security aspects (hardware, virtualization, infrastructure). DevOps and IT teams can refocus their efforts on other tasks and make the most of their time, dedicating the proper resources to implement the best security practices on their end.
Additionally, depending on the cloud delivery system you’re using and the shared responsibility model it’s operating under your service provider may invest significant resources into security and backup measures. They’ll often implement cutting-edge testing and monitoring solutions and perform timely updates and patching. Cloud providers often also boast extensive knowledge of security measures and can offer invaluable advice on protecting your assets.
Things to Keep in Mind When Operating Under a Shared Responsibility Model
For managed service providers and DevOps teams, there are some key things to keep in mind if you’re utilizing a cloud service provider; some of the most important are:
- Reviewing the Standard Level Agreement (SLA): Having a crystal clear understanding of your SLA with your service provider is the best way to avoid any issues and minimize security mishaps that could have been prevented. Anything that you or your team is unsure about needs to be clarified upfront so there are clear understandings about who is responsible for what in terms of data security and backup solutions.
- Deploy a Comprehensive Backup Solution: The native tools that come with most SaaS services are generally limited to manual, point-in-time backups that dump your data into packages of unencrypted CSV files. Data recovery (either granular or full) is a painful process of restoring data, one table or record at a time, and keeping the data consistent. Using a service like SaaSAssure℠ will ensure that backup and recovery processes are automated, secure, and easy to manage.
- Emphasize Data Security Responsibilities: In any cloud environment, users should always take the proper steps to implement the best security measures available, regardless of their shared responsibility model. This is because mistakes can happen even at the highest levels, and it’s always best to be prepared for worst-case scenarios, ensuring your business-crucial assets are effectively protected no matter what. This includes assuring that your backup data is protected against attackers with strong encryption, MFA, and Multiperson Approval for access to sensitive backup data.
- Robust Identity & Access Management: Limiting the number of users and credentials of those with access to your cloud platforms and backups is one of the best ways to minimize security risks such as ransomware attacks and AttackLoops™ that can lie dormant in your system. Incorporating such practices into your IAM policy is also essential to remaining protected.
Key Takeaways on Shared Responsibility
In the evolving landscape of cloud services, it's essential for DevOps cloud users and managed service providers to recognize the nuances of the shared responsibility model. While cloud providers offer a robust infrastructure and ensure global operational uptime, the security of the cloud is the responsibility of the provider, while the onus of individual data security falls to the cloud customer and cloud users. A proactive approach to understanding service level agreements, investing in comprehensive backup solutions, prioritizing data security, and refining identity and access management can prevent costly data breaches and losses. Ultimately, as the cloud ecosystem continues to expand, a collaborative understanding between providers and users will pave the way for optimized, secure, and efficient operations in the digital realm.
