Does shared responsibility help to prevent data breaches, or does it simply create confusion? Many organizations struggle when a breach occurs and no one accepts responsibility for it. Having worked with cloud computing for a while, I have encountered this firsthand many times. Have you ever assumed that someone else was responsible for the security of your data, only to learn later that they were not?
Understanding Shared Responsibility
On paper, shared responsibility appears simple: the cloud provider is responsible for securing its systems, and the end user or customer is responsible for securing their own data. In practice, it has proven to be far from simple.
I have seen cases where the cloud service provider expected end users to take the proper action and change the default settings themselves. The gap between what the provider expects and what is actually done is where problems start.
Confusion usually arises from misunderstanding how these responsibilities fit together:
- Cloud service providers are responsible for maintaining the hardware, the infrastructure, and the data centers where the cloud resides.
- End users and customers are responsible for their data, their passwords, and the configuration settings that control access to their cloud services.
- Cloud service providers and customers each assume that the other party's responsibilities are already taken care of.
This confusion is where mistakes are made.
What Causes Breaches
The majority of breaches do not come from sophisticated hacking attacks; most result from mistakes made along the way. There have been plenty of cases where companies were compromised because their storage was publicly accessible. So why do these breaches keep happening?
One of the reasons is that the idea of Shared Responsibility implies that:
- There are no distinct owners of security responsibilities
- Security settings are left incorrect for too long
- Companies trust the default settings
As soon as one of those conditions exists, problems develop rapidly.
Does Shared Responsibility Create Issues?
In my opinion, shared responsibility does not inherently cause problems. Rather, the issue lies in inadequate communication among teams. When multiple teams share responsibility and there is no clear definition of who is responsible for what, security gaps will appear.
If we look back at the breach reports, we often see terminology like "misconfigured." This tends to indicate unclear lines of responsibility between teams.
In order for the concept of Shared Responsibility to work successfully:
- All teams must define the security role of each team member
- Each provider must clearly articulate its limitations
- Each customer must regularly evaluate its security systems
No guessing, no shortcuts.
What Should a Company Do?
Do not eliminate Shared Responsibility; rather, clearly identify everyone's ownership of their assigned responsibilities. Ask questions, read the documentation, and test your security repeatedly without making any assumptions.
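As an added example (not code from the original post), here is a small audit that looks for the "publicly accessible storage" misconfiguration described above, the kind of check a customer can run repeatedly instead of trusting the defaults. It assumes an S3-style bucket policy document and ACL grant list; the bucket name, policy and grants are constructed for illustration.

```python
# Added example, not code from the original post: audit a storage bucket's
# policy and ACL for anonymous access. Assumes S3-style bucket policy and
# ACL grant documents; the sample data below is constructed for illustration.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principals(principal):
    """Flatten the Principal element: "*", {"AWS": "*"} or {"AWS": [...]}."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []

def public_statements(policy):
    """Sids of Allow statements open to any principal with no Condition."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    # A Condition (source VPC, IP range, ...) narrows the grant; those
    # statements are skipped here and left for manual review.
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and "*" in _principals(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(grants):
    """Permissions handed to the anonymous or any-authenticated groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

# Constructed sample: a bucket left on a "public read" default.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}},
]}
SAMPLE_GRANTS = [{"Permission": "READ", "Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]

if __name__ == "__main__":
    print(public_statements(SAMPLE_POLICY), public_acl_grants(SAMPLE_GRANTS))
```

Running it against the constructed sample flags the `PublicRead` statement and the `READ` ACL grant, while the VPC-conditioned statement is left for manual review.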