Welcome to ITS! Learn more about our strategic partnership with Afineol!

Mark Sheldon Villanueva

By: Mark Sheldon Villanueva on September 1st, 2022

Print/Save as PDF

Who is Responsible for Your Cloud Security?

Cloud | Microsoft 365

Here's a head-scratcher: Who should be securing your data in the cloud - you or your Cloud Service Provider (CSP)?  

We know it's tempting to say that all responsibility should fall on your provider. Why not? You're paying for their services, and they have people on their team whose sole job is to ensure the service is secure. It should be a no-brainer, right? 

Cloud Service Provider

Unfortunately, things aren't so simple. Cloud security is a lot like cybersecurity for your network in the sense that it's a team effort. While your CSP is responsible for securing the cloud, they expect you to be responsible for your activities while inside it. Protecting your data is just as much your task as it is theirs. 

It's something many people fail to realize, and that's where the problem lies. Because if you don't know what aspect of cloud security you're responsible for, how can you enforce the right policies to protect your data? It stacks the odds against you. In fact, Gartner predicts that from the present up to 2025, almost all or 99% of cloud security failures will be the customer's (your) fault. 

Intelligent Technical Solutions (ITS) is a security-focused IT support company dedicated to helping you understand your data security by sharing our insights. To help you draw the line on where your responsibility with cloud security lies, we'll dive into the following: 

  • Who's Responsible for Your Cloud Security? 
  • Division of Responsibility Between You and Your CSP 

Who is Responsible for Your Cloud Security? 

We know the answer isn't as clear-cut as you might have hoped, and we're sorry to disappoint you. It's because there's really no single answer to that question. The truth is that cloud security is a shared responsibility between you and your CSP. The level of responsibility you and your CSP bear will change depending on who's providing the service and what service they provide. 

According to Peter Swarowski, Director of Operations at ITS, a good starting point is asking your CSP if they provide a matrix showing who's responsible for what. For example, Microsoft published their own matrix, which outlines what they take care of and what they expect their customers to handle. It even includes information specific to Microsoft cloud offerings. 

The image below shows what Microsoft's shared responsibility matrix looks like: 

Microsoft shared responsibility

As you can see, depending on whether you deploy Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), your and your CSP's responsibilities will vary. 

In addition, keep in mind that the matrix above only applies to Microsoft cloud services. Other cloud providers like Amazon Web Services (AWS) have their own. There are even CSPs that don't provide a shared responsibility matrix. In those cases, Swarowski says, "you need to take a look at what's there and ask questions to understand what your responsibility is." 

It's something you need to determine and fully understand as soon as possible. Frankly, it's a tedious task. However, it will give you valuable information that could influence your security strategies and guide your actions when something goes wrong. 

Division of Responsibility Between You and Your CSP 

You vs Your CSPAs we mentioned above, your responsibility for cloud security will vary depending on your provider and the cloud service you use. However, there are a few things you can look at that might help make it easier to determine the division of responsibility. 

Your Responsibility: Security IN the Cloud 

For the most part, cloud providers expect you to take ownership of the following: 

  • Identity - You will be responsible for the people on your team using the cloud service. 
  • Data Protection - In addition, protecting your data from your side with proper storage and file sharing policies is also part of your responsibility. 
  • Access Management - You also need to manage who can get access to what. That includes granting permission to users within your organization and those outside of it. 
  • Endpoints - This refers to the devices and endpoint security you will use while connected to the service. You are accountable for ensuring they are always patched and up-to-date. 

While there might be some slight variations as to the level of responsibility that falls on your lap, the items mentioned above are the key things you need to secure from your end. As a rule of thumb, if it's something you can control, like granting permissions for data access and using endpoint protection on your devices, then it's your responsibility. 

CSP Responsibility: Security OF the Cloud 

Unless you have an on-prem cloud server, your CSP will be accountable for ensuring the software and hardware of the service are secure and working properly. That includes the operating system, the physical security of the data centers and the network, and the host infrastructure. In other words, if it's something you can't touch that belongs to your provider, then the responsibility falls solely on them. 

Shared Responsibility: Dependent on Different Factors 

It's been pretty straightforward so far. However, this is where it gets a little muddy. According to Swarowski, some cloud providers offer advanced tools and settings that allow you to customize certain features of their service. 

AWS calls those shared controls. It refers to controls that apply to the infrastructure and customer layers but in separate contexts or perspectives. In shared control, your CSP will provide the requirements for the infrastructure, and you must provide your own control implementation within your use of the cloud service. 

For example, your CSP will maintain the configuration of its infrastructure devices. However, you have to share the responsibility by configuring things on your side, like your guest operating systems, databases, and applications. While that level of control is great for helping you tailor things to your needs, it also makes the division of responsibility a little trickier. 

"It's very easy to spin those things up," Swarowski says. "But if you just [leave] the default settings, it may be completely exposed to the Internet where anybody could stumble across your stuff and gain access," he adds. And, if that happens, the responsibility falls on you, not your CSP. 

Knowing how to configure your cloud settings properly is critical to getting the desired output from it and securing the service correctly. That is your responsibility. 

Ready to Take On Your Responsibility to Secure Your Cloud?

Securing the cloud is a responsibility both you and your CSP share. While they are tasked with ensuring the security of the cloud service, you need to take ownership of protecting data from your end as well. 

As a rule of thumb, anything you can control, like granting access permissions and other setting configurations, is your responsibility. Your CSP is accountable for everything outside of it, such as data center location and security. 

ITS has helped hundreds of businesses secure the cloud. Learn more about it by checking out our Ultimate Guide to Cloud Computing. In it, you'll discover useful information about the different types of cloud, how much they cost and how they can benefit your business. 

Managed Cloud Solutions