It is time for ‘shared responsibility’ to evolve. This is why.
“Shared responsibility” for security emerged from the early days of cloud computing as a useful model for assigning responsibilities between cloud providers and their customers. While it made sense at first, the rapidly changing security landscape means we can reinvent the shared responsibility model to better capture the full spirit of the relationship required for a true partnership to transform security in the cloud. That may sound trivial, but not having the correct conceptual model in cybersecurity can lead to problems in the real world. It’s time for cloud service providers (CSPs) to elevate their shared responsibility to a more resilient model. We call it “shared destiny”.
Shared responsibility was born out of questions about whether the cloud was secure and how best to protect it. We now know that the answers to these questions are generally yes. The model makes a few areas of security very clear: the CSP owns the physical security of the servers and, depending on the nature of the service, the security of various layers of operating systems and other software. The customer typically owns the configuration, identity and access management, and security of the application software running in the cloud. (It’s worth noting that some compliance mandates like PCI DSS include their own versions of shared responsibility models.)
But shared responsibility can sometimes set too strict a boundary between cloud provider and customer. The result of this hard limit can paradoxically be uncertainty about who handles what aspects of threat detection, configuration best practices, and alerts for security breaches and anomalous activity.
When security issues arise, many cloud customers question the usefulness of the shared responsibility model. Shared destiny is the next evolutionary step in creating a closer partnership between cloud service providers and their customers so that they can all better meet current and growing security challenges while delivering on the promise of digital transformation.
Shared destiny: what is it, why is it important
Introduced to IT operations in 2016, shared destiny occurs when a cloud provider and customer “work together as a team for a common goal and share a destiny greater than the dollars being exchanged.” It is a broader version of shared responsibility that encompasses it, but also transcends it. It’s not exactly The Force, but thinking of it as a security model that bridges the cloud isn’t a bad place to start, either.
Shared destiny in security is about setting up a safe landing zone for a customer, guiding them while they’re there, being clear and transparent about the security controls you can set up, offering guardrails, and helping with cyber insurance. We want to build shared responsibility to better protect our customers, and part of the challenge of adopting a shared destiny mindset is that it is less of a checklist and more of a perpetual interaction to continually improve security.
In practical terms, Shared Destiny’s multi-ingredient foundation is stronger than its components, which we are always working to improve for ourselves and our customers. These features are:
- Secure default settings. Our default configurations can ensure that security basics have been enabled and customers start from a highly secure baseline, even if some customers change that later.
- Secure plans. Recommended default secure configurations for products and services, with configuration code, to make it easier for customers to launch a secure cloud environment.
- Secure policy hierarchies. Setting the policy intent at a level in an application environment should automatically configure the stack, so there are no surprises or extra effort in lower-level security configuration.
- Constant availability of advanced security features. We provide advanced features to customers for new products at launch and then build security consistency across the platform and tools.
- Availability of security solutions. Our security solutions connect security products and security features to customer cloud experiences, enabling them to not only use our secure cloud, but also use our cloud securely.
- Attestation of high security controls. We provide an independent review of our cloud services through compliance certifications, audit content, regulatory compliance support, and configuration transparency.
- Insurance companies. Through our Risk Protection Program (currently in preview), we connect cloud customers with insurers that offer specialized insurance for Google Cloud workloads that reduces security risk. Google works with Allianz Global Corporate and Specialty (AGCS) and Munich Re to provide a unique risk management solution to Google Cloud customers.
Why the future depends on shared destiny
The shared destiny approach may be better for cloud customers precisely because it focuses on customer needs when deploying resources and applying knowledge of the cloud environment to security tasks. Instead of imposing the liability on customers who may not have the expertise to properly manage it, the CSP uses its considerable experience to help the customer be truly secure in the cloud.
Because the shared destiny model originated in IT operations, it can improve defense-in-depth against misconfigurations and defense-in-depth against attacks. In other words, the cloud provider can support you, in terms of security, rather than simply providing a secure platform. And by participating in the insurance ecosystem, we help bridge the gap between technical controls in the cloud environment and risk coverage.
Shared destiny does not mean “no customer responsibility” for security. No cloud provider can do 100% of the work to secure the customer’s use of the cloud, and the customer will remain ultimately responsible for their risks. There will always be a set of security-focused tasks and activities that cloud customers will need to perform. Instead, we believe that CSPs can and should do more to build the shared security destiny with customers and use their substantial cloud and security expertise to help reduce risks for customers as they transition to cloud computing.
The shared destiny model can more accurately represent the journey to the cloud, helping manage and reduce risk as organizations and their leaders transform their business, IT, and cybersecurity for the modern age. The sooner we adopt it as standard practice, the safer we all will be.
To learn more about shared destiny and its role in the changing cloud security landscape, read Phil Venables’ post on the 8 megatrends driving cybersecurity today.