The shared responsibility model in cloud security

Cloud security in finance operates under a shared responsibility model. This article explains the shared responsibilities between financial institutions and cloud providers. It clarifies the duties of each party regarding data security, infrastructure security, and compliance.

  • Nikita Alexander
  • May 27, 2025
  • 7 minutes

Cloud computing has fundamentally altered the way financial institutions operate. The promise of scalability, cost-efficiency, and increased agility has driven widespread adoption of cloud services across the sector. However, this shift to the cloud introduces a critical element that financial institutions must grasp to ensure the security and integrity of their operations: the shared responsibility model.

This model is not merely a suggestion or a guideline; it is a fundamental framework that dictates how security is approached and implemented in the cloud. It clarifies that security is not solely the domain of the cloud provider, nor is it entirely the burden of the financial institution. Instead, it’s a collaborative effort, a partnership where both parties have distinct yet interconnected security obligations. A clear understanding of this shared framework is paramount for financial institutions to effectively manage risk, maintain compliance, and build a secure foundation for their cloud initiatives.

What exactly is the shared responsibility model?

At its core, the shared responsibility model defines the boundaries of security accountability between the cloud provider and the cloud customer. In the context of finance, the “cloud customer” refers to the bank, investment firm, or other financial institution utilizing cloud services.

While the specifics can vary slightly depending on the cloud provider and the service model, the general principle remains consistent:

  • The cloud provider assumes responsibility for the security of the cloud itself. This encompasses the underlying physical infrastructure, the virtualization layer, and the core services that make up the cloud platform.
  • The financial institution retains responsibility for security in the cloud. This includes protecting the data it stores in the cloud, the applications it runs on the cloud, and the access controls it implements to manage user permissions.

It’s crucial to recognize that this is a shared model. There’s an overlap and interdependence between these responsibilities. For instance, while the cloud provider secures the physical servers, the financial institution is responsible for encrypting the data stored on those servers.

A closer look at cloud provider responsibilities

Cloud providers, whether they are large public cloud providers or smaller specialized firms, typically shoulder the following security responsibilities:

  • Physical security: This is the foundation of cloud security. Providers are responsible for securing the physical data centers, servers, and hardware that constitute the cloud infrastructure. This involves stringent access controls, surveillance, environmental controls, and disaster recovery measures to protect against physical threats like unauthorized entry, theft, and natural disasters.
  • Network security: Providers must secure the cloud network infrastructure. This includes firewalls, routers, switches, and other networking components that facilitate data transfer and communication within the cloud. Robust network security is essential to prevent unauthorized access and network-based attacks.
  • Infrastructure security: This encompasses the security of the virtualization layer, compute resources, storage, and databases that underpin cloud services. Providers must ensure that these components are hardened against vulnerabilities and that they are properly patched and maintained.

Financial institution responsibilities: securing data and access

Financial institutions, on the other hand, carry the weight of securing their own data and controlling access to it. Their responsibilities typically include:

  • Data security: Protecting data in the cloud is paramount for financial institutions. This involves implementing strong encryption mechanisms to safeguard data at rest and in transit. It also includes data loss prevention (DLP) measures to prevent sensitive data from leaving the cloud environment without authorization, and robust access controls to restrict who can view or modify data.
  • Application security: Financial institutions are responsible for the security of the applications they deploy and run in the cloud. This requires secure coding practices during application development, regular vulnerability assessments and penetration testing, and ongoing monitoring to detect and address potential security flaws.
  • Identity and access management (IAM): Effective IAM is crucial. Financial institutions must implement robust systems to manage user identities, authenticate users attempting to access cloud resources, and enforce the principle of least privilege. This means granting users only the minimum level of access necessary to perform their job functions.
  • Compliance: The financial sector is heavily regulated. Financial institutions are ultimately responsible for ensuring that their cloud deployments comply with all relevant regulations and industry standards. This may include data residency requirements, audit logging, and specific security controls mandated by regulations like DORA, GDPR, or PCI DSS.

The nuances of the shared responsibility model across cloud service models

It’s important to recognize that the precise division of responsibilities within the shared model can shift depending on the specific cloud service model being utilized:

  • Infrastructure as a Service (IaaS): In IaaS, the financial institution has the most responsibility. It essentially rents the raw computing resources (servers, storage, networks) from the cloud provider. The institution is then responsible for managing the operating systems, middleware, applications, and data. This model provides the greatest flexibility but also places the greatest security burden on the institution.
  • Platform as a Service (PaaS): PaaS offers a middle ground. The cloud provider manages the underlying infrastructure (servers, operating systems), while the financial institution focuses on developing, deploying, and managing its applications and data. This model reduces the institution’s security burden compared to IaaS.
  • Software as a Service (SaaS): In SaaS, the cloud provider assumes the most responsibility. They manage the infrastructure, the application, and often some of the data. The financial institution primarily uses the application. However, even in SaaS, the institution retains responsibility for data security, user access, and ensuring compliance with regulations.

Best practices for navigating the shared responsibility model

To effectively operate within the shared responsibility model and ensure robust cloud security, financial institutions should adhere to these essential best practices:

  • Establish clear agreements: The foundation of a secure cloud relationship is a well-defined and detailed agreement with the cloud provider. This agreement must explicitly outline the security responsibilities of each party, leaving no room for ambiguity. It should cover areas like data ownership, access control, incident response, and audit rights.
  • Thoroughly understand the provider’s security controls: Financial institutions must not simply assume that the cloud provider’s security is adequate. They must actively and thoroughly understand the specific security controls the provider has implemented. This includes reviewing security certifications, audit reports, and security documentation.
  • Implement robust security controls on your end: Financial institutions must not solely rely on the cloud provider’s security. They must implement their own strong security controls to protect their data, applications, and access. This includes encryption, strong authentication, intrusion detection, and vulnerability management.
  • Continuously monitor security: Security is not a “set it and forget it” endeavor. Financial institutions must continuously monitor the security of their cloud deployments. This involves logging and analyzing security events, tracking user activity, and regularly assessing the effectiveness of security controls.
  • Proactively maintain compliance: Compliance is an ongoing requirement. Financial institutions must proactively ensure that their cloud deployments adhere to all applicable regulations and industry standards. This requires regular audits, compliance assessments, and staying up-to-date with evolving regulatory requirements.

The imperative of clarity and collaboration for cloud security success

The shared responsibility model underscores the critical importance of clarity and collaboration between financial institutions and cloud providers. Both parties must have a shared understanding of their respective roles and responsibilities. Effective communication, open dialogue, and a collaborative approach are essential to build a robust and secure cloud environment. By embracing this shared responsibility and working together, financial institutions and cloud providers can unlock the benefits of cloud computing while mitigating the inherent security risks and ensuring the continued trust and stability of the financial ecosystem.