The shared responsibility model of the Cloud Services Providers (CSP) defines the limits of responsibilities with the customer, that is, the Cloud Consumer, when adopting services based on Cloud Computing. Traditionally speaking we have IaaS, SaaS and PaaS service models.
This model is often not fully understood by the Cloud Consumer. Due to the experience we have lived in Perú and what I have observed during the adoption process in other countries of the region, unfortunately, there has not been a clear diffusion of this model, which is so relevant in terms of Cloud Governance, Cloud Services Management, Cybersecurity, among others; not to mention all the other issues related to Cloud Computing.
"Cloud providers and customers must share the responsibility for security and privacy in cloud computing environments, but sharing levels will differ for different delivery model"
-Takabi, H., Joshi, J., & Gail-Joon. (2010)
Regarding the importance and impact of not understanding that the adoption of Cloud Computing implies a shared responsibility, let's review some background information quickly.
Since the conception of Cloud Computing as a model of emerging services, many publications had already referred to adoption factors that promoted or prevented the adoption of Cloud Computing. In that case, the proposal of Takabi, H., Joshi, J., & Gail-Joon was very relevant with respect to sharing responsibility in security when adopting Cloud Computing.
In the Cloud Security Alliance Global Blog, Thethi (2017) made a publication entitled "AWS Cloud: Proactive Security & Forensic Readiness". In this blog, Bruno Agostinho put the following comment:
“If all people were aware of the model of shared responsibility, many security problems would have been avoided”
Dear Bruno, I have to tell you that after almost a year you wrote it, I totally agree with you.
The models of shared responsibility are very similar among all the Cloud Services Providers (CSP); however they are not the same. Let's review some models that I have been able to investigate in greater detail:
Here is the AWS Shared Responsibility Model:
Source: AWS. (July 16, 2018). Shared Responsibility Model. Retrieved from https://aws.amazon.com/compliance/shared-responsibility-model/?nc1=h_ls
In this publication AWS (2018) clearly shows the shared responsibility between the Cloud Customer and the Cloud Services Provider (CSP) that means AWS, as well as describes the responsibilities in terms of the service models based on Cloud Computing that provides, among others.
The Shared Responsibility Model of HUAWEI Cloud:
Source: HUAWEI. (30 de Noviembre de 2018). HUAWEI CLOUD Overall Security. Retrieved from https://www.huaweicloud.com/en-us/securecenter/overallsafety.html
HUAWEI (2018) also shows in quite detail the shared responsibility between the Cloud Customer and the Cloud Services Provider (CSP) that is HUAWEI Cloud, as well as describes the responsibilities in terms "Tenant" that would be the Cloud Consumer in relation to the models of services based on Cloud Computing that provides, among others.
Despite this, however, I can see that there is no a good level of maturity in companies regarding the definition of their Cloud Computing adopting strategy.
Among others, the shared responsibility model of the Cloud Services Provider (CSP) is not clear, in a manner that services based on IaaS, SaaS or PaaS have already been migrated and then the company realize that they had to analyse previously the Responsibility Model, as well as also other very relevant points such as Data Lock in, Government Cloud, Cloud Compliance, Cloud Audit, Cloud Services Management that should have been reviewed in advance.
This situation means that we don´t have enough level of maturity to start the adoption process towards Cloud Computing by Cloud Consumer in a safe way.
We must understand that we adopt "services based on Cloud Computing", therefore we have to manage them and govern the Cloud Services Provider (CSP)
In my opinion, as a result of the security incident that occurred at the Bank of Chile in 2018, many companies and professionals finally took a higher level of awareness about Information Security and Cybersecurity, then:
How can we establish a Cybersecurity Strategy, if we do not understand the Shared Responsibility Model of the Cloud Services Provider?