What is the Shared Responsibility Model and why should you care about it?

The last decade has seen explosive growth in cloud services, from a $24.65bn market in 2010 to an estimated $150bn by the end of 2020. The growth has primarily been fueled by organizations moving their core business workloads to cloud providers such as Salesforce, Microsoft and AWS, just to mention a few.

The main benefits for customers include (but are not limited to) flexible consumption models, improved productivity, time-to-value, innovation and the obvious reduction of investments in capital expenditure – not having to invest upfront in servers, software etc. The “cloud” has remained the preferred destination of organizations looking to transform their business.

The cloud is secured, if you do your part 

It’s a well-established fact that true business transformation is more than simply making incremental improvements to existing workflows. Real business transformation requires organizations to radically rethink how they are dealing with customers as well as their external partners.

This is particularly challenging as the ecosystem in which these organizations operate will also need to transform. It often includes a transition towards shared cloud platforms that customers and partners will also use.

Organizations are already extensively using cloud services such as Microsoft SharePoint and Dropbox to share content within their own organization. But up until now, these services have primarily been used to support simple tasks, like the sharing of individual files.

As organizations continue to mature – and their understanding of the cloud continues to evolve – many business leaders are looking to move entire workloads to the cloud, leaving few or no assets in an on-premises environment or in data centres the company manages internally.

The major difference today, though, is that these workloads now support the inclusion of customers and external partners. Whilst this is good for productivity, it also has the unfortunate result of opening a virtual Pandora’s Box of cybersecurity risks for all parties involved.

However, these risks can be managed if organizations are aware of how security responsibilities on cloud services are shared.

Introducing the Shared Responsibility Model – the key to ensuring you stay safe and out of trouble

In the olden days when organizations managed their own computer systems, business decision-makers didn’t have to concern themselves with cybersecurity-related topics. The IT department had the operational responsibility of ensuring they met the security requirements mandated by their Chief Information Security Officer (CISO). Ultimately, the bar was set by the CISO and it could be set as high or low as he or she desired.

With the introduction of cloud services during the first decade of the 2000s, this wasn’t considered to be a major issue. With the exception of Salesforce, which provided end-to-end sales workloads on a cloud service, many cloud providers only offered very specific services such as backups, file sharing, conference calling, meeting services, etc.

But cloud providers were clear about the division of responsibilities pertaining to security. The industry had minted a security paradigm called “Shared Responsibility” which outlined the roles and responsibilities when operating on the cloud.

The cloud provider was (and still is) responsible for the security of the platform, including elements such as:

  • Selecting and auditing the providers of data center technology 
  • Ensuring the physical security of the data centers themselves 
  • Encrypting data transferred between the various data centers e.g. when replicating data 
  • Ensuring the security of the native applications the cloud provider was providing.  

However, the customer was always, and still is, responsible for ensuring the integrity and security of content residing on the platform.

With more content-heavy workloads being moved to the cloud, many traditional organizations are now faced with a dilemma. On one hand, they appreciate the potential upsides of using cloud services, but they are also acutely aware that their traditional security capabilities are not able to secure and protect content that has been created, uploaded, and shared with other organizations on that same platform. And yet, somehow, they need to ensure that content on their platform cannot be used to carry out attacks.

Taking the cloud-centric approach

This is where F-Secure Cloud Protection for Salesforce enters the picture. By taking a cloud-centric approach to this challenge, organizations can innovate and push the boundaries on how they utilize the advantages of shared cloud platforms. Instead of scanning content for malware on an individual’s laptop, F-Secure Cloud Protection for Salesforce scans content whenever it is either uploaded or downloaded. Content already residing on the cloud platform can also be scanned in accordance with the organization’s requirements (e.g. daily).

The benefits this brings to a customer of a cloud service are immense.

Firstly, as the scanning is taking place on the cloud (rather than on a laptop) there is no need to do software installations on people’s computers. This means that anyone accessing or sharing content on the cloud service will be protected from the word go, even if they are working for different organizations. Every user receives an equal share of security.

Secondly, the cloud-centric approach allows organizations to dramatically rethink with whom they partner and how they collaborate with them on the cloud. F-Secure’s cloud protection capabilities allow for a multitude of use cases, effectively liberating business from the age-old boundaries set by IT security. One can claim that security has finally lived up to being the business enabler it always claimed it was.

And finally, by deploying F-Secure Cloud Protection for Salesforce, organizations have a fair shot at ensuring they comply with the strict requirements of, for example, the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

These laws require organizations to implement data protection and privacy by design, which effectively means the organization (providing a service to a consumer) is responsible for guaranteeing the rights outlined in the legislation.

And as the cloud service provider is only acting as a data processor, the responsibility of complying with prevailing data and privacy legislation sits firmly with the company using the platform for providing customer-facing services.

In summary, the cloud provides organizations with a wide range of benefits including (but not limited to) security. But security is a shared responsibility and organizations that fail to comply with their responsibilities are exposing themselves and their customers and partners to unimaginable risks.

By Rasmus Almqvist | Source: F Secure
