Skip to content

How to Leverage the Shared Responsibility Model During Your Security Audit

May 24, 2021

Ben Phillips, Jordan Kassing

If your company is responsible for maintaining security in a cloud-based environment, your information security program should consider how your Cloud Service Provider (CSP) uses and defines its Shared Responsibility Model. And if your company is undergoing an annual audit of your security controls – such as a System and Organization Controls (SOC) 2 examination – these considerations are more than just a good idea. They are critical.

What Is the Shared Responsibility Model?

The Shared Responsibility Model determines the security obligations of a CSP and its customers to promote accountability. Although it was pioneered by Amazon Web Services (AWS), this model is implemented by other leading CSPs, including Microsoft Azure (Azure) and Google Cloud Platform (GCP). Understanding the model is critical for customers whose services are hosted in the cloud, and it becomes mandatory for entities undergoing a SOC 2 examination.

The collaborative effort between the CSP and its customer depends on which cloud computing model is being pursued by the customer for a solution: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

Cloud Computing Models

Infrastructure as a Service (IaaS)
Allows for pay-as-you-go pricing for infrastructure hosted by the CSP.
Examples include: AWS, Azure, and GCP
Customer manages: Applications, data, runtime, middleware, and operating systems
CSP manages: Virtualization, servers, storage, and networking
Platform as a Service (PaaS)
Allows for developing applications using web-based tools, all running on systems software and hardware hosted by the CSP. This removes the need for your organization to manage the underlying infrastructure.
Examples include: AWS Elastic Beanstalk, Azure, Heroku, Force.com, Google App Engine, Apache Stratos, and OpenShift
Use case example: An ecommerce website where the CSP hosts the website, shopping cart, checkout, and payment method
Customer manages: Applications and data
CSP manages: Runtime, middleware, operating systems, virtualization, servers, storage, and networking
Software as a Service (SaaS)
Allows for a complete application to be hosted on a provider’s infrastructure systems.
Examples include: Web-Based Email, Google Workspace (includes Docs, Sheets, etc.), Dropbox, Salesforce, Cisco WebEx, Concur, and GoToMeeting
Customer manages: No dedicated responsibilities are held as customers receive software that is ready to be consumed by the end user
CSP manages: Applications, data, runtime, middleware, operating systems, virtualization, servers, storage, and networking

How Should the Shared Responsibility Model Factor Into a SOC 2 With AWS as the CSP?

Amazon makes it clear in its IaaS offerings that the CSP (AWS) is responsible for security of the cloud while the customer is responsible for security in the cloud:

AWS Amazon

Source: http://aws.amazon.com/

The Shared Responsibility Model relieves many customer capital expenses and operational burdens since AWS operates, manages, and controls the configurations from the host operating system and virtualization layer to the physical security of the facilities in which the service operates. In turn, the customer assumes responsibility and management of the “guest” operating system (the operating system on the server instance), including OS updates and security patches, other associated application software, and the configuration of the security group firewall provided by AWS. Customers fully “inherit” physical and environmental controls from AWS, but must play a role in shared controls with AWS, including:

  • Patch Management: AWS patches infrastructure while customers patch guest OS and applications
  • Configuration Management: AWS maintains the configuration of its infrastructure while customers are responsible for configuring their own guest OS, databases, and applications
  • Awareness and Training: AWS trains AWS employees, but AWS customers must train their own employees

As part of a SOC 2 examination, AWS will be a critical part of your system description, and you will receive credit for the areas in which AWS holds responsibility through their classification as a Subservice Organization and the implementation of Complimentary Subservice Organization Controls (CSOCs).

  • Subservice Organization: A vendor used by the service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved.
  • CSOCs: Controls at the service organization that management assumed, in the design of the service organization’s system, would be implemented by the subservice organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved.

For example, you will most likely have CSOCs for the following, but not limited to, criterion within Security and Availability, as AWS would be disclosed as an integral part in your system description.

  • Common Criteria
    • CC6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
    • CC6.5: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
  • Additional Criteria for Availability
    • A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
    • A1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

The Shared Responsibility Model plays a pivotal role in a SOC 2 examination for entities whose infrastructure and services reside in the cloud. For assistance with these conversations, contact your KSM advisor or complete this form.

Ben Phillips Director, IT Risk Advisory Services

We're Looking for
Remarkable People

At KSM, you’ll be encouraged to find your purpose, exercise your creativity, and drive innovation forward.

Explore a Career Full of Possibilities