How to Leverage the Shared Responsibility Model During Your Security Audit
If your company is responsible for maintaining security in a cloud-based environment, your information security program should consider how your Cloud Service Provider (CSP) uses and defines its Shared Responsibility Model. And if your company is undergoing an annual audit of your security controls – such as a System and Organization Controls (SOC) 2 examination – these considerations are more than just a good idea. They are critical.
What Is the Shared Responsibility Model?
The Shared Responsibility Model determines the security obligations of a CSP and its customers to promote accountability. Although it was pioneered by Amazon Web Services (AWS), this model is implemented by other leading CSPs, including Microsoft Azure (Azure) and Google Cloud Platform (GCP). Understanding the model is critical for customers whose services are hosted in the cloud, and it becomes mandatory for entities undergoing a SOC 2 examination.
The collaborative effort between the CSP and its customer depends on which cloud computing model is being pursued by the customer for a solution: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).
|Infrastructure as a Service (IaaS)|
|Allows for pay-as-you-go pricing for infrastructure hosted by the CSP.|
|Examples include:||AWS, Azure, and GCP|
|Customer manages:||Applications, data, runtime, middleware, and operating systems|
|CSP manages:||Virtualization, servers, storage, and networking|
|Platform as a Service (PaaS)|
|Allows for developing applications using web-based tools, all running on systems software and hardware hosted by the CSP. This removes the need for your organization to manage the underlying infrastructure.|
|Examples include:||AWS Elastic Beanstalk, Azure, Heroku, Force.com, Google App Engine, Apache Stratos, and OpenShift|
|Use case example: An ecommerce website where the CSP hosts the website, shopping cart, checkout, and payment method|
|Customer manages:||Applications and data|
|CSP manages:||Runtime, middleware, operating systems, virtualization, servers, storage, and networking|
|Software as a Service (SaaS)|
|Allows for a complete application to be hosted on a provider’s infrastructure systems.|
|Examples include:||Web-Based Email, Google Workspace (includes Docs, Sheets, etc.), Dropbox, Salesforce, Cisco WebEx, Concur, and GoToMeeting|
|Customer manages:||No dedicated responsibilities are held as customers receive software that is ready to be consumed by the end user|
|CSP manages:||Applications, data, runtime, middleware, operating systems, virtualization, servers, storage, and networking|
How Should the Shared Responsibility Model Factor Into a SOC 2 With AWS as the CSP?
Amazon makes it clear in its IaaS offerings that the CSP (AWS) is responsible for security of the cloud while the customer is responsible for security in the cloud:
The Shared Responsibility Model relieves many customer capital expenses and operational burdens since AWS operates, manages, and controls the configurations from the host operating system and virtualization layer to the physical security of the facilities in which the service operates. In turn, the customer assumes responsibility and management of the “guest” operating system (the operating system on the server instance), including OS updates and security patches, other associated application software, and the configuration of the security group firewall provided by AWS. Customers fully “inherit” physical and environmental controls from AWS, but must play a role in shared controls with AWS, including:
- Patch Management: AWS patches infrastructure while customers patch guest OS and applications
- Configuration Management: AWS maintains the configuration of its infrastructure while customers are responsible for configuring their own guest OS, databases, and applications
- Awareness and Training: AWS trains AWS employees, but AWS customers must train their own employees
As part of a SOC 2 examination, AWS will be a critical part of your system description, and you will receive credit for the areas in which AWS holds responsibility through their classification as a Subservice Organization and the implementation of Complimentary Subservice Organization Controls (CSOCs).
- Subservice Organization: A vendor used by the service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved.
- CSOCs: Controls at the service organization that management assumed, in the design of the service organization’s system, would be implemented by the subservice organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved.
For example, you will most likely have CSOCs for the following, but not limited to, criterion within Security and Availability, as AWS would be disclosed as an integral part in your system description.
- Common Criteria
- CC6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
- CC6.5: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
- Additional Criteria for Availability
- A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
- A1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
The Shared Responsibility Model plays a pivotal role in a SOC 2 examination for entities whose infrastructure and services reside in the cloud. For assistance with these conversations, contact your KSM advisor or complete this form.
We're Looking for
At KSM, you’ll be encouraged to find your purpose, exercise your creativity, and drive innovation forward.