Report argues ‘concerning’ lack of understanding over IaaS shared responsibility models

It is a question almost as old as the concept: who should look after cloud security, the vendor or the customer? A new report from Barracuda Networks argues there is a ‘concerning’ lack of understanding with regard to the shared responsibility model for infrastructure as a service (IaaS) providers.

For Amazon Web Services (AWS) and Microsoft, the two leading IaaS providers, the meaning is clear. Microsoft points out the difference between software as a service (SaaS), platform as a service (PaaS), and IaaS. For IaaS, while the provider looks after physical security and shares demands on host infrastructure and network controls, as Microsoft puts it, the customer is responsible for app level controls, identity and access management, endpoint protection and data classification. AWS describes the vendor and customer as being responsible for security ‘of’ and ‘in’ the cloud respectively.

So why, therefore, did almost two thirds (64%) of the 550 EMEA IT decision makers polled by Barracuda say they believed securing customer data in the public cloud was the vendor’s responsibility? 61% believed the same around applications, 60% for operating systems, while only 57% said service providers control the physical security of infrastructure.

“The lack of clarity regarding organisations’ versus IaaS providers’ cloud security responsibilities creates grey areas that IT decision makers must address if they want to keep key data and systems secure,” the report noted.

Issues regarding public cloud security do seem to have been picked up by the organisations polled, however. 57% of all respondents said they had added additional security to its public cloud, with 37% saying they were planning to. The figure was highest in the Belgium and Netherlands – 70% affirmative – with the UK lowest on just 43%, albeit with 39% planning to invest.

Naturally, the advice from Barracuda was to ‘partner with a vendor agnostic security expert to advise on exactly which pieces of the IaaS puzzle is the customer’s responsibility’. “The bottom line is that organisations are continuing to invest in public cloud projects, but they need a trusted vendor-neutral partner to help them navigate the choppy waters of cybersecurity if they want to minimise risk in the process,” the report wrote.

“With sweeping new European data protection regulations landing in May 2018, no organisation can afford to ignore security today.”

You can read a blog post here and download the full report (registration required) here.