Posted in:

Cloud security: whose responsibility?

Public cloud services may well be harder to hack – but how are issues like shared responsibility confusion giving rise to additional cloud security challenges? Part 1 of a two-part Special Report. By James Hayes.

In the Spring 2019 edition of Cyber Security Europe this magazine reported how Gemalto’s Global Cloud Data Security Study 2018 had indicated that of the companies surveyed, more had moved their data to public Cloud Service Providers (CSPs) in the expectation that it would be safer hosted on their systems.

While, for the Gemalto study’s sample, cost and faster deployment time were the most important criteria for selecting a CSP, security as a winning factor increased from 12% of the poll in 2015 to 26% by 2017.

According to some sources, that level of confidence has continued to make gains over the 12 months since. Some 72% of organisations surveyed by the Oracle and KPMG Cloud Threat Report 2019 held that they view public clouds as ‘much more/somewhat more secure’ than the security assurance they can deliver on-premises – a 10% increase from the previous year’s report’s response on this question. However, as the cloud market has further matured, new security-related issues have also emerged that could indicate that confidence in the resilience of public clouds may have passed an apex.

As public cloud service offerings have diversified and commoditised, giving rise to extra complexity and costs, it has brought new challenges for cloud security management. Confusions around the public cloud Shared Responsibility Security Model (SRSM) is an instructive case in point.

The SRSM depicts the division of assigned responsibility between CSPs and the customer of a given cloud service (or services) for how that service, and the data it contains, is secured. This model is regarded in many quarters as the primary foundational construct of cloud security strategies, although it is more a simple reference model than an industry standard.

This confusion has fermented for at least three years. A 2017 survey of 1,000 enterprise IT practitioners by consultancy 2nd Watch found that 73% of IT professionals did not fully understand the public cloud SRSM, with many under the impression that their cloud providers had greater responsibility for securing applications and data than they in fact did.

Forty percent of respondents believed their applications and data were ‘fully protected’ by their CSP at the time, while 34% believed security is their own company’s responsibility entirely – an equally erroneous working assumption. The establishment of ‘demarcation lines’ between CSP and customer, and disestablishment of ambiguity in regard to where security responsibilities lie, is critical for businesses that use cloud services – for several reasons.

These reasons have become more tangled in recent years due to the complex managed infrastructures that users have assembled due to ‘as-a-Service’ products from CSPs, and the added compliance obligations imposed by data protection regulations; it is at this nexus that senior executive leadership could be drawn into what might otherwise seem a fairly straightforward IT procurement issue.


Popular ‘as-a-Service’ options provide virtualised alternatives to the basic building blocks of IT infrastructure that organisations would, otherwise, have to build and operate themselves in their own physical data centres. The three principle service categories are Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Each category has eight service delivery layers: the security responsibility for each of those layers is assigned to either the CSP or its customer.

However, while the SRSM defines how those responsibilities should fall, it does not constitute a mandated industry standard; and while it might be customary for CSPs to provide levels of native cloud security controls (e.g., data encryption), typically it remains the responsibility of their customers to apply/manage those controls or those provided by a third-party.

The Oracle/KPMG report findings are echoed by a survey from Barracuda Networks, which indicates that many IT buyers – and it’s not altogether clear whether these are IT practitioners or business managers – buy into public cloud on the assumption that because they are effectively outsourcing the running of their infrastructure to a trusted third-party, the CSP ‘will take care of everything’. But Barracuda found that this ain’t necessarily so.

Sixty-four percent of EMEA IT leaders polled here asserted that their public IaaS provider is ‘responsible for securing customer data in the public cloud’, applications security (61%), and Operating Systems security (60%). These assertions are at odds with what Amazon Web Services, Microsoft, and others say, Barracuda Networks adds – a misunderstanding that ‘exposes countless organisations to unnecessary risk’.

The fact that 61% of the survey respondents declare themselves to ‘fully understand their cloud obligations’ further underlines the ‘dangerous disconnect between perception and reality’ when it comes to public cloud security adoption, Barracuda concludes.


Fifty-four percent of respondents to the Oracle/KPMG report registered confusion with the SRSM for SaaS and 47% polled the same with respect to IaaS. The study also found that many customer personnel who should have the best knowledge of the SRSM do not, in fact, seem to possess it. Just 10% of the CISOs surveyed, and 25% of CIOs, declared that they ‘fully understand’ the SRSM.

This is more of a revelation than it might, at first, seem. The report suggests that the cyber security leaders’ lack of assured clarity indicates a lack of involvement in the use of cloud services; that’s because use is often driven autonomously by line-of-business heads, who (perhaps) are none too concerned about potential security liabilities.

And they should be: 82% of public cloud users polled by the Cloud Threat Report 2019 say that they have experienced adverse security incidents due to ‘confusion over SRSM’. Thirty-four percent of organisations polled state that such confusion about SRSM has led to the introduction of malware (34%) and a similar number of respondents (32%) think it has exposed them to increased risk of auditory and regulatory penalties.

This lack of a clear understanding of the SRSM also puts data at risk: 30% of organisations report that, as a result, data was accessed by persons unauthorised to do so. Additionally, 29% of respondents said an unpatched or misconfigured system was compromised due to SRSM confusion.

Another contributory confusion factor is a lack of consistency in SRSMs between CSPs, which has also had ramifications. These days it is fairly usual for an organisation to use two or more difference CSPs. Keeping current with the differences between CSPs, sometimes nuanced ones, is a ‘significant challenge’, and one that 46% of Cloud Threat Report 2019 respondents indicate requires one or more dedicated human resources to manage.

Indeed, it could well be argued that confusion, and the resulting consequences, around the differences in the SRSM between CSPs is, in part, the cost of using multiple CSPs. The old promise that cloud adoption would make the administration of IT simpler now looks very last-decade indeed…

Another survey by McAfee approached the subject from the perspective of trust, and uncovered more disparities between assumed responsibility and actual risk. McAfee’s Cloud Adoption and Risk Report 2019 asked respondents how much they ‘trusted their cloud providers to keep their organisation’s data secure’.

What happens to data once uploaded to a CSP continues to be one of the biggest concerns of respondents to McAfee’s poll. Fewer than 50% of service providers specify that customer data is ‘owned by the customer’; the rest either claim ownership over all data uploaded, or do not legally specify who actually owns the data. An even smaller number of CSPs delete data ‘immediately’ on account termination, with the remainder keeping data up to 12 months, with some claiming even the ‘right to maintain copies of [customer] data indefinitely’.

However, a total of 69% of McAfee’s respondents reported that they did ‘trust the cloud providers to keep their data secure’, and 12% of same respondents claimed that the CSP is ‘solely responsible for securing their data’, despite the provisions of SRSM, and there is no CSP delivers total security assurance The McAfee report opines that it’s likely, therefore, that (the polled) organisations’ lack of knowledge (at best) and/or ignorance (at worst) means that they are ‘underestimating’ security risks they are subject to by trusting CSPs entirely without applying their own set of controls.

Part 2 of this cloud security Special Report will be published on 8 May.