OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

Shared Responsibility Model

Recap from the September 3rd, 2019 CISO/Security Vendor Relationship Podcast

by Lydia Pert

When it comes to the cloud, who takes responsibility? Is it up to you or the cloud provider (i.e., the vendor)? One of the top options is the Shared Responsibility Model, where each involved party has a level of responsibility and accountability in ensuring security.

According to Steve Prentice on the most recent CISO Cloud Tip segment, the Shared Responsibility Model for cloud is the difference between the “security OF the cloud” and “security IN the cloud,” with cloud service providers taking care of the OF, and clients taking care of the IN. “In the cloud” means the data, the access – especially guest access, and the usage.

This usually means that the vendor secures the hardware and software of the cloud itself, while the customer is responsible for the security of their assets within the cloud.

Division of Responsibility

Vendors are responsible for protecting the infrastructure that runs all of the services offered in the Cloud — such as the hardware, software, networking, and facilities that run the Cloud services. On the other hand, customers are responsible for managing their data (including encryption options), classifying their assets, and using tools to apply the appropriate permissions and access control.

This Shared Responsibility Model often extends to IT controls as well. Just as the responsibility to operate the IT environment is shared between vendors and customers, so too is the management, operation, and verification of IT controls. Many providers, such as Amazon Web Services, help manage those controls associated with the physical infrastructure deployed in the environment that may previously have been managed by the customer.

Model Disadvantages

Shared responsibility is a great model — but like anything there could be drawbacks. Newer, serverless computing methods tends to complicate the Shared Responsibility Model somewhat, which places more burden back on client security professionals. Ownership of security is also a critical blind spot — corporate security teams and cloud service providers need to have some clear and regular communication about this, since changes and convergences happen with alarming frequency.

A recent Gartner report suggests that over the next five years, at least 95% of cloud security failures will be the customer’s fault. When you think about far reaching data privacy legislations like GDPR now in force, this places the requirement of securing personal data back to the data owner’s corner. There will also always be cloud service providers that only take care of the bare minimum requirements for security.

VPN on a Shared Responsibility Cloud

Despite a few potential disadvantages, the Shared Responsibility Model is overwhelmingly a great situation, and many cloud vendors do a fantastic job with said model. In fact, Amazon Web Services (AWS) is one of those vendors, and OpenVPN Access Server is provided on AWS. With Access Server on AWS, you will have access to the following benefits, to name just a few:

Our licensing model is based on the number of concurrent connected devices, so it's affordable for any size business and can easily grow with your company. Without a license key installed, OpenVPN Access Server will allow 2 concurrent connections at no additional cost for testing purposes (excepting AWS infrastructure costs).

Share