
Shared responsibility model transparency boosts cloud security

The shared responsibility model delineates where company and CSP security responsibilities start and end. This is critical not only for compliance, but also for the big security picture.

As organizations begin their digital transformation and transition from on-premises data centers to cloud services, it's critical to understand the shared responsibility security model in order to manage risks associated with protecting business processes and data. Through the adoption of shared responsibility, organizations can define their own responsibilities for protecting their data and IT assets, as well as the responsibilities of their cloud service provider as part of their organization's overall security and compliance picture.

Knowing precisely where each party's responsibilities begin and end plays a vital role in determining if any gaps exist that create risks within business processes and their related technologies. With this view, companies can work with their CSPs to determine how to best close the gaps impacting their security posture, with the ultimate goal to ensure corporate and customer data are fully protected from cyberattacks. Of course, with shared attestation of properly implemented controls and other mitigating elements, organizations can also ensure their security posture complies with pertinent regulations.

Gaining visibility into security controls deployed by many cloud providers

A common challenge many businesses encounter is the lack of visibility into the security controls their CSPs have deployed. Sometimes, CSPs don't share this information, and often, the information that is shared with customers regarding their own security controls is not easily understood or in a format that is readily usable. This lack of transparency creates a major headache when trying to identify risk and validate mitigating controls.

This, in turn, affects the entire supply chain ecosystem -- including CSPs, third-party vendors, business partners and, ultimately, customers. If a security breach or compliance violation occurs, everyone in the supply chain is impacted in a negative way, regardless of who is at fault.

Synchronize shared responsibility with a security control framework

Keeping enterprise cloud security posture strong -- to protect the sensitive information with which it has been entrusted -- should be one of the highest priorities of any IT team. As teams collaborate with CSPs, they can use their shared responsibility model to prove corporate security and compliance postures to clients and partners.

It's especially helpful if enterprises sync their CSPs' shared responsibility models with a security control framework that enables companies to attest their security posture complies with major privacy and security regulations. If an enterprise's security posture attestation report is completed on an annual basis by an independent third-party assessor, it may be accepted by clients as proof that its security posture satisfies their data security compliance requirements.

A service like this is mandatory for anyone operating in industries where critically sensitive information is highly regulated, such as in healthcare, finance and education. A security control framework can also save internal IT teams a lot of time. Instead of having to fill out security posture questionnaires that each client asks for, teams can often hand over the results of the company's frameworks assessment. This eliminates the need to respond to security audits, which can number anywhere from 300 to 400 questions.

Cloud customers can inherit compliance controls

One task to ensure compliance with a set of security control frameworks is the process of mapping each security measure applied by a cloud provider to the appropriate framework control and then to each of the regulations or standards that an enterprise must adhere to and abide by. If IT teams approach this process manually, they'll find it requires extensive technical expertise, and in many cases, an external assessor is needed.

While this process is good in that it forces an enterprise to think about the risk it is incurring by digitally enabling business processes and placing those processes and related data in the cloud, it's a lot of work. The work may even go beyond what organizations need to do -- in many cases, the responsibility for a control lies completely in the hands of a CSP anyway.

This task becomes much less frustrating if enterprises partner with a cloud provider that offers an automated process to map its security measures to security framework controls. For example, many cloud providers rely on Service Organization Control (SOC) 2 audit reports to validate their security measures. While most will share their SOC 2 reports with companies to digest manually, some leading CSPs offer an automated process that maps their SOC 2 security reports directly to the controls of the security framework an enterprise has implemented.

In addition, a cross-mapping service clearly delineating which security controls a cloud provider covers within its shared responsibility model also benefits organizations if the frameworks provider builds an inheritance component directly into its assessments. IT teams can automatically inherit the controls their CSPs have deployed in their own cloud environments. Thus, the controls enable companies to prove to auditors -- and other interested parties -- that what they deliver, together with their cloud providers, meets SOC 2 and the guidelines and certification requirements of the frameworks from end to end. In other words, for this to fully work, organizations must select a framework that supports inbound mapping and that makes use of this mapping in support of reporting and attestation requirements for SOC 2, HITRUST, GDPR, NIST, and any other required regulations and standards.

The automated inheritance process also improves the credibility of assessment reports completed by auditors. Automated inheritance takes a lot of the guesswork and human error out of the cross-mapping process. In the end, auditors are left with the simpler task of verifying there is no gap between an organization's share of the control responsibility and the share provided by its CSPs -- as opposed to spending unnecessary cycles determining whether or not the controls are applicable and adequate for the specified certifications and standards being audited.

The automated process also saves companies the time of mapping various standards and regulations to framework controls for reporting purposes, which can otherwise be an onerous nightmare to complete manually.

Shared responsibility and inheritance help organizations maintain certification with a control framework more efficiently and effectively. In a broader sense, the combination improves business relationships with clients and vendors. Sharing a company's responsibility and frameworks reports with partners and clients helps them see how seriously the enterprise takes security, privacy and compliance in relation to its data and their data.

Part of a bigger security movement

CSPs and organizations that provide security frameworks and use the shared responsibility model enable businesses to easily inherit control compliance from their CSPs. By making the process simple and transparent, they're making a major impact on the world of cybersecurity and creating a way for supply chains to collaborate closely on risk management and related security controls.

Leading security framework organizations contribute by creating a common language for businesses and vendors to measure and discuss each other's security controls. At the same time, the shared responsibility model championed by CSPs helps transparently delineate the cloud security responsibilities of CSPs and their customers. These capabilities can facilitate conversations across supply chain partnerships to determine how vulnerability risk gaps can be closed, regardless of the underlying platforms and technologies.

These firms are vital to a bigger movement across all industries that seeks to build security controls into technology offerings right from the start -- not as an afterthought. Achieving true data security is not a matter of "ticking the box" on items; it's a process that takes time, a certain mindset and the right company culture.

To complete that process efficiently, it's critical to work with a leading framework attested to by third-party assurance and a CSP that offers a clearly stated shared responsibility model. Both tools are all about protecting the entire ecosystem -- an enterprise, its cloud providers, its customers and its partners.

Lee Penn

Lee Penn is an inaugural member of the HITRUST Third Party Assurance Council. Penn is also CFO, chief compliance officer, HIPAA privacy officer and a member of the risk management team at PDHI. He joined PDHI after holding financial management positions at the S/L/A/M Collaborative, Yale University and Xerox Corporation. Penn holds a Bachelor of Science degree from Cornell University and a Master of Business Administration degree from the University of Connecticut.
