What is a Shared Responsibility Model?

Introduction

The Shared Responsibility Model is a fundamental concept in cloud computing that delineates the security and compliance responsibilities between the cloud service provider and the customer. This model is crucial for understanding how to maintain a secure and compliant cloud environment. In this article, we will explore the shared responsibility models of two major cloud platforms: Microsoft Azure and Salesforce.

Microsoft Azure’s Perspective

According to Microsoft Azure, the shared responsibility model varies depending on the type of cloud service—Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). In an on-premises data center, you own the entire stack, but as you move to the cloud, some responsibilities transfer to Microsoft. Regardless of the deployment type, you always retain responsibilities for:

Data
Endpoints
Account
Access management

Azure emphasizes that the cloud offers significant advantages for solving long-standing information security challenges. By shifting day-to-day security responsibilities to the cloud provider, organizations can reallocate resources and budget to other business priorities.

Salesforce’s Perspective

Salesforce also takes security seriously and provides multiple security controls to mitigate risks. Their shared responsibility model clearly defines roles and responsibilities between the B2C Commerce platform and the customer. Responsibilities include:

Secure design and implementation of infrastructure, platform, and applications
Firewall rules management
Two-factor authentication (2FA)
Data isolation per tenant
Proactive code scans and pen tests
Third-party security assessments and audits

Customers are responsible for secure communication protocols, application-level access controls, 2FA on customer-managed interfaces, and continuous monitoring, among other things.

Where is Data Backup?

The surprise to many people is that data backup is not usually the job of the platform provider and that makes sense. In the days of on-premise servers, data backup was clearly outside the responsibility of the (OS) company. We all had backup systems in place so we could recover. Not much has changed with the cloud.

If you think about it, it’s not the job of Salesforce to look over the shoulder of the client and validate what they are doing. If you edit a record, they need to assume is that you wanted to record changed. While they could technically do it, being able to roll back changes is a massive overhead (cost) for them. That is a very good reason for the shared responsibility model.

Why Share Responsibilities?

Risk Mitigation

Sharing responsibilities allows for a more robust security posture. Cloud providers have the expertise and resources to handle security at the infrastructure level, allowing customers to focus on application-level security.

Resource Optimization

It enables organizations to optimize resources by offloading certain responsibilities to the cloud provider. This is especially beneficial for smaller organizations with limited in-house IT capabilities.

Compliance

Both parties have a vested interest in ensuring compliance with industry standards and regulations. Shared responsibility ensures that both the cloud provider and the customer are accountable for maintaining a compliant environment.

Conclusion

The shared responsibility model is a collaborative approach to cloud security. While the specifics may vary between Microsoft Azure and Salesforce, the underlying principle remains the same: both the cloud provider and the customer have roles to play in ensuring a secure and compliant cloud environment.

Thought-Provoking Questions

How does the shared responsibility model affect your organization’s cloud strategy?
Are there any challenges in implementing the shared responsibility model in a multi-cloud environment?
How can organizations ensure they are fulfilling their part of the shared responsibility model?

By understanding and implementing the shared responsibility model, organizations can better navigate the complexities of cloud security, ensuring a more secure and compliant cloud environment.

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

Author
Recent Posts

Follow me

Paul Bergman

CEO at Tracc Development, Inc.

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.