Shared Responsibility Model
Recap from the September 3rd, 2019 CISO/Security Vendor Relationship Podcast
by Lydia Pert
When it comes to the cloud, who takes responsibility? Is it up to you or the cloud provider (i.e., the vendor)? One of the top options is the Shared Responsibility Model, where each involved party has a level of responsibility and accountability in ensuring security.
According to Steve Prentice on the most recent Cloud Security Tip segment, the Shared Responsibility Model for cloud is the difference between the “security OF the cloud” and “security IN the cloud,” with cloud service providers taking care of the OF, and clients taking care of the IN. “In the cloud” means the data, the access – especially guest access, and the usage.
This usually means that the vendor secures the hardware and software of the cloud itself, while the customer is responsible for the security of their assets within the cloud.
Division of Responsibility
Vendors are responsible for protecting the infrastructure that runs all of the services offered in the Cloud — such as the hardware, software, networking, and facilities that run the Cloud services. On the other hand, customers are responsible for managing their data (including encryption options), classifying their assets, and using tools to apply the appropriate permissions and access control.
This Shared Responsibility Model often extends to IT controls as well. Just as the responsibility to operate the IT environment is shared between vendors and customers, so too is the management, operation, and verification of IT controls. Many providers, such as Amazon Web Services, help manage those controls associated with the physical infrastructure deployed in the environment that may previously have been managed by the customer.
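The customer's half of the split described above (encryption, classification, permissions) is something you can verify rather than assume. The following is an added example, not code from the original post or from OpenVPN or AWS: it runs a small control check over a constructed inventory of storage resources. The inventory layout, the resource names and the account id are all invented for the example; the checks mirror the three customer duties named in the text.

```python
"""Customer-side control check for the Shared Responsibility Model.

Added example (not from the original post). The provider secures the
storage service itself; the customer still has to enable encryption,
classify the data, and keep access scoped. This script verifies those
three controls over a constructed inventory. The dictionary layout below
is invented for the example and is not the shape of any real cloud API.
"""
from dataclasses import dataclass

# Constructed sample inventory: three bucket-like resources with the
# policy attached to each. Every name, ARN and account id is made up.
INVENTORY = [
    {"name": "payroll-exports",          # untagged, unencrypted, public
     "encryption": None,
     "public_access_block": False,
     "tags": {"owner": "finance"},
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "*"}]}},
    {"name": "build-artifacts",          # classified, encrypted, scoped
     "encryption": "aws:kms",
     "public_access_block": True,
     "tags": {"owner": "platform", "classification": "internal"},
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
                               "Action": ["s3:GetObject", "s3:PutObject"],
                               "Resource": "arn:aws:s3:::build-artifacts/*"}]}},
    {"name": "static-site",              # public on purpose, and says so
     "encryption": "AES256",
     "public_access_block": False,
     "tags": {"owner": "marketing", "classification": "public"},
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::static-site/*"}]}},
]


@dataclass
class Finding:
    resource: str
    control: str   # one of: classification, encryption, access-control
    detail: str


def is_public_principal(principal):
    """True when a policy statement's Principal matches every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_resource(res):
    """Apply the three customer-side controls to one resource."""
    findings = []
    name = res["name"]
    classification = res["tags"].get("classification")

    # 1. Classification: without it nobody can decide which controls apply.
    if classification is None:
        findings.append(Finding(name, "classification",
                                "no classification tag; required controls cannot be decided"))

    # 2. Encryption: the customer chooses whether data at rest is encrypted.
    if res["encryption"] is None:
        findings.append(Finding(name, "encryption",
                                "default server-side encryption is off"))

    # 3. Access control: public grants are only acceptable for data the
    #    owner has explicitly classified as public.
    public_grants = [s for s in res["policy"].get("Statement", [])
                     if s.get("Effect") == "Allow"
                     and is_public_principal(s.get("Principal"))]
    if public_grants and classification != "public":
        findings.append(Finding(name, "access-control",
                                f"{len(public_grants)} policy statement(s) grant access to any principal"))
    if not res["public_access_block"] and classification != "public":
        findings.append(Finding(name, "access-control",
                                "public access block is disabled"))
    return findings


def audit(inventory):
    """Run check_resource over the whole inventory and flatten the result."""
    return [f for res in inventory for f in check_resource(res)]


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.resource:18} {f.control:16} {f.detail}")
```

Only `payroll-exports` produces findings: the other two resources pass, and `static-site` passes precisely because its owner classified it as public, which is the point of making classification the first check rather than an afterthought.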
Model Disadvantages
Shared responsibility is a great model — but like anything, there can be drawbacks. Newer serverless computing methods tend to complicate the Shared Responsibility Model somewhat, which places more of the burden back on client security professionals. Ownership of security is also a critical blind spot — corporate security teams and cloud service providers need clear and regular communication about it, since changes and convergences happen with alarming frequency.
A recent Gartner report suggests that over the next five years, at least 95% of cloud security failures will be the customer’s fault. When you consider far-reaching data privacy legislation like GDPR, now in force, this places the requirement of securing personal data squarely back in the data owner’s corner. There will also always be cloud service providers that take care of only the bare minimum security requirements.
VPN on a Shared Responsibility Cloud
Despite a few potential disadvantages, the Shared Responsibility Model is overwhelmingly a great situation, and many cloud vendors do a fantastic job with said model. In fact, Amazon Web Services (AWS) is one of those vendors, and OpenVPN Access Server is provided on AWS. With Access Server on AWS, you will have access to the following benefits, to name just a few:
- Integrated, powerful web interface that lets you configure remote access to resources and granular access control, and simplifies installation and configuration of client devices.
- Automated, built-in PKI infrastructure that reduces complicated setup procedures and deployment timelines.
- Flexible licensing model based on the number of concurrent connected devices.
- Multiple secure authentication methods to help you easily integrate your existing authentication services for your VPN server. OpenVPN Access Server supports the following authentication methods: Local DB, LDAP(S), Active Directory, RADIUS.
- Integrates OpenVPN server capabilities, enterprise management capabilities, and private tunneling to accommodate Windows, macOS, Linux (32-bit and 64-bit), Android, and iOS environments.
Our pricing model is based on the number of concurrent connected devices, so it's affordable for any size business and can easily grow with your company. OpenVPN Access Server also allows 2 concurrent connections at no cost.