Sponsored Content

Sponsored content is a special advertising section provided by IT vendors. It features educational content and interactive media aligned to the topics of this web site.


Understanding and Benefitting From the Shared Responsibility Model of Cloud Security

It’s essential that organizations understand and accept that aligning with a reputable and experienced cloud service provider doesn’t remove the need to adopt a smart, strong cloud security defense. The shared responsibility model of cloud security is a great framework, but it requires real teamwork between the cloud provider and your internal team.

Knowing where to start in terms of roles and responsibilities, evaluating and selecting the right tools and services, and figuring out how to allocate financial, technical and personnel resources are critical components of a successful cloud service strategy.

Although the shared responsibility model has existed for a few years, many organizations still do not understand it well. According to TechTarget’s SearchCloudComputing site, it goes like this:

The cloud platform provider is typically responsible for securing the underlying cloud infrastructure, such as servers, storage, networking gear and virtual machines, as well as protecting the physical data center where those components reside. The customer, on the other hand, is typically in charge of securing their own data, as well as the operating systems and software stack required to run the applications.

Now some people may interpret this as “OK, you do your thing and we’ll do ours, and we’ll have our bases covered.” But that misses the point of the entire shared responsibility concept: It’s everyone’s responsibility in the end, and all parties are just trying to determine a model for ensuring cloud security as efficiently and effectively as possible.

How does this play out in a real-world setting? There are a few rules of the road. First, keep in mind that there is no hard-and-fast rule, line or boundary for where the customer’s responsibility for security ends and where the cloud provider’s security role begins. This is one of those situations where some managed overlap can be a good thing. Naturally, communication—actually, over-communication—is essential here, so time, money and people resources aren’t unnecessarily duplicated.

Another essential element in the shared responsibility model is the need for trust and confidence between the two parties. The importance of achieving that air of trust and confidence cannot be overstated. Even though the cloud provider isn’t actually responsible for the customer’s software stack or data, there may be an assumption that the provider will monitor and point out potentially dangerous situations that could put the customer at risk and expose it to liability. Additionally, there is the potential for incompatibilities between a customer’s older version of a software tool and the network monitoring agent on the cloud provider’s infrastructure. Both sides should be on the lookout for unexpected anomalies that could indicate something as benign as a false positive security alert or something more problematic.

Finally, all sides must commit to working together to reduce risk in all key areas of cloud security: data governance, regulatory compliance and legal exposure. Finger-pointing is not only counterproductive (see the discussion about trust above), but ultimately does nothing to address problems that arise from something as seemingly simple as fixing a failed compliance audit or as potentially devastating as the theft of millions of customer records from a cloud database.


Security Baked Into Oracle Cloud Infrastructure

Today’s cloud infrastructure must be designed from the start with security in mind. Oracle Cloud Infrastructure offers best-in-class security technology and operational processes to secure its enterprise cloud services. However, securely running workloads in Oracle Cloud Infrastructure requires organizations to be aware of their security and compliance responsibilities. By design, Oracle provides security of cloud infrastructure and operations (cloud operator access controls, infrastructure security patching and so on), and organizations are responsible for securely configuring their cloud resources. Security in the cloud is a shared responsibility between the customer and Oracle.

In a shared, multi-tenant compute environment, Oracle is responsible for the security of the underlying cloud infrastructure (such as data center facilities and hardware and software systems) and organizations are responsible for securing their workloads and securely configuring their services (such as compute, network, storage and database).

On a fully isolated, single-tenant, bare-metal server with no Oracle software on it, the organization’s responsibility increases, as it brings the entire software stack (operating systems and above) upon which applications are deployed. In this environment, organizations are responsible for securing their workloads, securely configuring their services (compute, network, storage and database) and ensuring that the software components that run on the bare-metal servers are securely configured, deployed and managed.
