Deep Dive into Shared Responsibility Model and User Enterprise Security

Shared Responsibility Model - Introduction?

The cloud conquered the IT industry using multiple technologies and all the SMEs and MNCs migrated to the big-league cloud providers. Customers were given a promise that their data, application, and network are protected and big shot infrastructure companies who already have huge human resources and infrastructures in place will handle them. So, customers thought they can pay AWS, Google, and Azure in hefty amounts to protect their data from the hoard of hackers circling around it.?

Over time despite leveraging AWS, Google, and Azure (AGA) cloud services and their security measures, some huge players lost their “precious” data. The irony is that “precious” data they are protecting is not theirs and are not supposed to sell the analytical reports based on it. But they whined over it, they were fined for it and before this happened, they were dined using it. The internal auditors and other cybersecurity experts revised their policies and strengthened their fortress to make sure that they were secure.?

During this havoc, they seem to forget about the biggest security risk to the whole IT industry—people. Especially, those who were not aware (or bothered) about the importance of cyber security practices and what it might cost them.??

At the beginning of pandemic in India, RBI mandated that every cooperative bank in India should implement activities to provide good cyber security protection, which never happened. The result of this negligence will be reflected when they come across an incident and lose money of their clients, after which these banks will be fined by RBI. Even though we have the technology and infrastructure to implement the same in time. Due to negligence and lack of awareness, this is going to be a hunting ground for hackers in the future.??

So here lies the problem. MNCs and SMEs who trusted the AGA to provide security didn’t concern too much about the application security standards they need to implement in their application development process and other policies they should have in place to protect themselves from malicious hackers. They ignored it due to blind trust in big shot cloud infra companies. After analyzing the problem, experts in the big shot infrastructure companies came to the conclusion that they can’t take complete responsibility for the whole thing. This is when they thought about the Shared Responsibility Model, where both customers and service providers are equally or partially responsible for security.??

In other words, our application is like an old-aged mother. The big brother (AGA) will take care of the selected duties which will be decided by him, and the middle brother (Customer) will take care of the all the other duties. This includes pushing the younger brother who lives to consume his resources (Application developers) to take care of the huge part of the duties (Application security).??

To reduce the cost of lawsuits and fines they got for data loss and other issues, they decided that the client should also share responsibility. Hence, the Shared Responsibility Model. When we are deploying an app in the big shot cloud providers, we are responsible for the partial security of the whole service. Again, due to human ignorance and lack of awareness, most SMEs and MNCs are still clueless about it.??

Shared Responsibility Model – Analysis??

Amazon Web Services (AWS)?

They will look after the building security; They will make sure that the server they bought and placed inside the secured building they just talked about is secured, and also, they will make sure that the security of the basic functions like database, storage, processor and networking security is taken care of. All the other security should be handled by the client. It seems like they are putting great efforts to secure infrastructure in reality they are not doing anything. ?

They are only responsible for the “security of the cloud”. According to AWS Shared Responsibility Model, “AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.”?

They protect infrastructure building, servers, cables, routers, switch, and the software which is used to manage virtualization and help them to manage the cloud. Nothing else will be under their protection.??

Consider AWS as a builder who said it will provide security and ask for a maintenance fee. They will make sure that the house is protected but they are not responsible for protecting your personal assets and the lives of the people who are in the house. They will make sure the asset they invested in is protected and you are paying for it. This is the same relationship with you and your cloud service provider.?

Keeping the above diagram in mind, let’s evaluate what should be done to provide the same level of security provided by AWS to the customer by any company.??

1. Take a room for rent in an IT park.??
2. Buy 2 servers and set up a network?
3. Get a leased line to the servers?
4. Download and install Ubuntu MAAS or another platform to manage cloud infra?
5. Appoint one person to maintain the network??
6. Appoint a person to maintain the cloud management platform?
7. Make sure they don’t steal anything using USB or Cables etc.?

If the actions described above are implemented on a huge scale that is what AWS is (in terms of security). Investors who have huge cash flow can replicate and get huge returns and some Indian companies have already done it. If you analyze this through a bird's eye view. AWS is a company that rents out storage using virtualization and provides support so that access to the storage is maintained properly.??

So, to compete with AWS. An Investor can start a Data Center and start renting it out.?

To quote AWS in what a customer’s responsibility is if he is using EC2:??

“Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS) and as such, requires the customer to perform all the necessary security configuration and management tasks. Customers that deploy an Amazon EC2 instance are responsible for the management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.”?

If the customer is taking care of security configuration management (this means who can access data and what is to be encrypted, etc.) firewall rules. With the same resources we can maintain our own servers and the firewall will have better security and we don’t have to pay more to increase the performance of EC2 instances, etc. Just to keep things nostalgic, set up an SSH server in the physical server and ask everybody to connect using Putty or Terminal. Other than that, there is not much difference.??

For a hacker who is smart enough to get into one container through the application developed by an AWS client, it is like an open season. Additionally, we have to protect the OS which we use in EC2 or the other platform they provide for us.??

As AWS is not responsible. they won't monitor the users accessing EC2 instance, this implies that an employee in a notice period who can download the “xyz.pem” file or make a copy of it, can access the server and do whatever he wants.?

From the financial standpoint, although you pay AWS for hosting your application, you will be responsible for any penalty charges if a third party decides to sue you in the event of a breach of security protocols such as GDPR or HIPAA. This is because the responsibility for ensuring security in the cloud lies with you, not with AWS.?

According to AWS Shared Responsibility Model,??

“For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.”?

After reading this. Customers will think that this is a fair approach for the benefit of users. It is and it is what it is because the AWS invested in the platform.??

To summarise the whole approach, we will only protect what we invested our money on, everything else the customer should protect. No wonder AWS is doing well these days.?

Google Cloud Platform (GCP)?

Google Cloud Platform has two things to consider:??

1. Shared Responsibility Model??
2. Shared Fate?

The shared responsibility model of GCP is more customer-centric than AWS.?

AWS and GCP state that their responsibility is almost the same when it comes to IaaS. Both of them refuse to maintain security for the guest OS data and content. But GCP offers audit logging and encryption as a measure to help the customer identify the threat and find the culprit if they got hacked. In a way, they can contribute more to the customer, yet in an event of any cybersecurity incident customer might have to bear all the fines and costs.??

When we are looking at the PaaS model in the shared responsibility model, GCP provides way better security than AWS. In AWS, we need to take care of identity, operations, and access and authentication. So compared to AWS, GCP gives way better security??

GCP handles better responsibility on SaaS and PaaS than AWS.?

The area of focus for GCP is not in the Shared Responsibility Model but Shared Fate Model.?

According to Google,??

“Shared fate is about us taking responsibility for making Google Cloud more secure. Shared fate includes helping you get started with a secured landing zone and being clear, opinionated, and transparent about recommended security controls, settings, and associated best practices. It includes helping you better quantify and manage your risk with cyber-insurance, using our Risk Protection Program. Using shared fate, we want to evolve from the standard shared responsibility framework to a better model that helps you secure your business and build trust in Google Cloud.”?

To demystify the statement, Google says that it will teach customers and provide quality resources to customers to make sure that their applications are protected and secured so that customers will have a proper guide to do things correctly. Since Google can’t just review your code and do the security testing for your application and access controls, the best they can do is to teach you how to do it.??

Azure Cloud?

Azure rather has a very straightforward approach to shared responsibility.??

According to Azure,??

“Regardless of the type of deployment, the following responsibilities are always retained by you (customer):?

1. Data?
2. Endpoints?
3. Account?
4. Access management”?

This is an open-and-shut case for them.??

If you are using IaaS, it will protect the physical server, host, and network i.e., all things physical just like AWS. AWS may have used language in their documentation that could be challenging for project managers and individuals with limited knowledge of cybersecurity to comprehend. This strategy might help retain clients who are not fully aware of potential security risks in the cloud environment.?

Azure shot a straight arrow to customers and said that “I will not protect you in these areas and you have to protect yourself in these areas regardless of the services you buy from us.” Azure is like a partner who gives the facts to face and lets you make a decision without sounding ambiguous.??

Solution

In IaaS, you should have your own team handle all security and if you choose GCP then things will be easy. They have guidelines and security design frameworks that customers can utilize to train their employees with and later can be used for reference. For the other set up, your own team should define everything by yourself and also implement it by yourself with whatever the cloud providers offer.???

In the PaaS model the same situation exists. Google seems to be the better choice than others. Still, you should have a team or find a service provider who knows how to handle Cyber security.??

In SaaS, the client just has to worry about the data and access management. If you can’t do so, hire somebody to do it.??

Even though it has been almost a year since they implemented the shared responsibility model, almost everyone is unaware of its intricacies, and it is the biggest threat to enterprise security. The decision-makers are yet to understand the implications. The purpose of this article is to create awareness in the decision makers of different enterprises to protect yourself from the harmful aftermath.?