The Shared Responsibility model in Cloud Computing
In as much as Cloud Computing makes running businesses easier, there are some things that are solely the responsibility of the cloud provider, and some that are the responsibilities of the client (the cloud user) — think of it as a student-teacher relationship where the teacher is responsible for delivering the course content, and the student is responsible for studying the content. In cloud computing, this is called The Shared Responsibility Model, and is mainly dependent on the type of the service model that the cloud user purchases. Click here to see a detailed explanation of the types of service models.
To make The Shared Responsibility Model easy to understand, we will start by explaining how things work when you host the resources in your own datacenter. In an On-premises environment, you own everything, from the physical infrastructure to ensuring security of your data, including the resource tools needed to make all these come together. This means that you are literally responsible for every part of the system and infrastructures. When you decide to move to the cloud, these responsibilities are shared between you and the cloud provider. Now let’s look at how these responsibilities are shared in the three cloud services.
IaaS offering model
This service model helps the client avoid the expenses of buying and managing their own physical servers and datacenter infrastructures. As a result, the cloud provider provides the physical infrastructures by hosting them in their own data centers, and the client can access them through the internet. It is therefore the responsibility of the cloud provider to make sure that the underlying physical cloud infrastructures are available to the client. These include servers, storage, networking, and virtualization. The rest are the responsibilities of the client. These include purchasing, installing, configuration of their own software, applications, operating systems, and middleware. An example of this type of a service model is a virtual machine.
PaaS offering model
When you need a platform with all the right resources that will allow you to only focus on the development and deployment of your applications, and not worry about the rest, the PaaS offering model is the way to go! Your responsibility is to only manage the applications and services that you develop. Like IaaS, it is the responsibility of the cloud provider to handle all the administrative tasks of the underlying infrastructures that you need. In addition, they are responsible for the underlying resources needed to power your application such as the operating systems, middleware, development tools, etc. The cloud provider is essentially responsible for everything except the applications that the client wants to run. An example of such services include Azure App Services, Azure Storage, Azure SQL databases, etc, in Microsoft Azure.
SaaS offering model
In the SaaS offering, users are mainly responsible for configuring and using a finished product from the cloud provider. It is the responsibility of the cloud provider to provide, manage, and maintain that product, including its underlying infrastructure, operating systems, middleware, etc. A good example of such a service is Gmail.
In conclusion, the customer responsibility decreases as you move from IaaS, to PaaS, and is even lower in SaaS. The opposite is the case when it comes to cloud provider responsibility. However, data security is always an important task, whether it is located On-premises, or in the cloud. This is why for all service types, including the On-premises environment, the client is responsible for the protection and security of their own data and identities. In simple terms, the responsibility of the client is to protect all the data IN the cloud, while the cloud provider is responsible for the security OF the cloud. For example, setting your username as ‘admin’ and password as ‘password’, or any of the weak passwords makes it easy for intruders to figure them out. This is one of the reasons why multifactor authentication is important— to help you securely protect your data in the cloud.