Some might say that if marketing departments and encryption have anything in common, it’s the ability to obfuscate a message. A perfect example of this is the term “cloud”—surely one of today’s most overused and abused terms. You can’t turn on the television or go anywhere without being reminded that “the future is cloud” or without being encouraged to buy a “cloud-enabled t-shirt.” (Yes, it’s a thing.) With so much focus on the cloud, I’d like to illustrate the alignment of NSS Labs’ usage of the term with the most widely accepted standard, NIST SP 800-145, which defines cloud computing as:

“ . . . a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (NIST SP 800-145)

In addition to defining cloud computing, NIST SP 800-145 recognizes four deployment models and three service models. Each of the four deployment models (public, private, hybrid, and community) is defined by how the tenancy of cloud consumers is handled. The three service models (Infrastructure as a Service [IaaS], Platform as a Service [PaaS], and Software as a Service [SaaS]) are differentiated according to how a cloud provider presents an environment to consumers.

The Challenge of Co-Managing Cloud Deployments

As if the marketing message wasn’t confusing enough, attempting to understand the delineation of responsibilities related to maintaining a cloud deployment can be positively bewildering. Managing and securing these deployments can be tricky, and providers and consumers must work together to ensure security and availability.

Traditional IaaS deployments by design require cloud providers to maintain an underlying physical infrastructure, i.e., servers, storage arrays and core networks, while the cloud consumer manages the hypervisors, virtual machines, virtual networks, operating systems, applications, and security policies. This arrangement allows the consumer to move away from maintaining hardware and focus on ensuring the availability and security of the services its users depend on.

This co-management of a cloud deployment and its security controls is often referred to as “shared responsibility.” Within this model, the roles of the provider and the consumer vary depending on the deployment model and service model being used. Fortunately, these roles and responsibilities are typically defined within the cloud provider’s service level agreement (SLA). These agreements should be studied carefully, as they establish clear expectations for both parties. Where necessary, the language should be adjusted to best fit organizational needs. It is too late to argue the point after a breach; an enterprise that does not understand the management roles and responsibilities of these NIST-defined models could be in for a rude awakening.

Regardless of who’s managing what in this new world of shared responsibility, cloud consumers are ultimately liable for the security of their data in the cloud. There are many who argue to the contrary, but they should keep in mind that choosing to migrate to cloud services is optional, not required. Enterprises that are unwilling to accept liability for the security of their data in the cloud should keep their data in-house.

Studying Cloud Adoption

Q4 2017 marks the launch of our first study on cloud computing and shared responsibility. This qualitative and quantitative study will investigate US enterprise adoption of cloud computing deployment models, service models, and cloud security controls/services. It will also examine the drivers for and inhibitors of these controls and look at who is managing and maintaining them.