It is time for “shared responsibility” to evolve. Here’s why.
“Shared responsibility” for security emerged from the early days of cloud computing as a useful model for dividing responsibilities between cloud providers and their customers. While that makes sense at first, the rapidly changing security landscape means we can rethink the shared responsibility model to better capture the spirit of the relationship needed for true partnership to transform security in the cloud. It may seem trivial, but not having the right cybersecurity conceptual model can lead to real problems. It’s time for cloud service providers (CSPs) to elevate their shared responsibility to a more resilient model. We call it “shared destiny”.
Shared responsibility was born out of questions about cloud security and how best to secure it. We now know that the answers to these questions are generally yes. This makes certain areas of security very clear – the CSP owns the physical security of the servers, the security of the different layers of operating systems and other software depending on the nature of the service. The customer typically owns the configuration, identity and access management, and security of the application software running in the cloud. (It should be noted that some compliance mandates such as PCI DSS include their own versions of shared responsibility models.)
But shared responsibility can sometimes draw too strict a line between cloud provider and customer. The result of this tight boundary can be, paradoxically, uncertainty about who manages which aspects of threat detection, configuration best practices, and alerts for security breaches and anomalous activity.
When security issues arise, many cloud customers question the usefulness of the shared responsibility model. Shared Destiny is the next evolutionary step to create a closer partnership between cloud service providers and their customers so that each can better address current and growing security challenges – while delivering on the promise of digital transformation.
Shared Destiny: What It Is, Why It Matters
Introduced to IT operations in 2016, shared destiny occurs when a cloud provider and customer “work together as a team for a common goal and share a destiny greater than the dollars that pass between them.” It’s a broader version of shared responsibility that encompasses it, but also transcends it. It’s not quite The Force, but viewing it as a cloud-binding security model isn’t a bad place to start, either.
The shared destiny of security is to prepare a safe landing zone for a guest, to guide them during their stay, to be clear and transparent about the security checks they can set up, to offer guardrails and to help them with cyber insurance. We want to evolve shared responsibility to better secure our customers, and part of the challenge in embracing a shared destiny mindset is that it’s less of a checklist and more of a perpetual interaction to continuously improve security.
Concretely, shared destiny rests on several components that together are stronger than any one of them alone, and that we always strive to improve for ourselves and our customers. These components are:
- Default secure configurations. Our default configurations can ensure that security baselines have been enabled and that customers start from a high security baseline, even if some customers change it later.
- Secure plans. Recommended default secure configurations for products and services, with configuration code, so that customers can more easily start a secure cloud environment.
- Secure policy hierarchies. Setting a single-level policy intent in an application environment should automatically configure the stack, so there are no surprises or extra work in lower-level security settings.
- Constant availability of advanced security features. We provide advanced features to customers for new products at launch and then develop security consistency across platform and tools.
- Availability of security solutions. Our security solutions connect security products and security features to customers’ cloud experiences, which can enable them to not only use our secure cloud, but also use our cloud securely.
- Certificate of high assurance of controls. We provide independent review of our cloud services through compliance certifications, audit content, regulatory compliance support, and configuration transparency.
- Insurance partnerships. Through our Risk Protection Program (currently in preview), we connect cloud customers with insurers who offer specialized insurance for Google Cloud workloads that reduce security risk. Google is working with Allianz Global Corporate and Specialty (AGCS) and Munich Re to deliver a unique risk management solution to Google Cloud customers.
Why the future depends on shared fate
The shared destiny approach may be better for cloud customers precisely because it centers the needs of the customer when deploying resources and applying knowledge of the cloud environment to security tasks. Instead of shifting the blame onto customers who may not have the expertise to handle it properly, the CSP uses its considerable expertise to help the customer be truly secure in the cloud.
Since the shared fate model originates in IT operations, it can improve defense-in-depth against both misconfigurations and attacks. In other words, the cloud provider can support you, in terms of security, rather than just providing a secure platform. And by participating in the insurance ecosystem, we help bridge the gap between technical controls in the cloud environment and risk coverage.
Shared fate does not mean “no customer responsibility” for security. No cloud provider can do 100% of the work in securing the customer’s use of the cloud, and the customer will continue to be ultimately responsible for its risks. There will always be a set of security-focused tasks and activities that cloud customers will need to undertake. Instead, we believe CSPs can and should do more to build the shared destiny of security with customers and use their substantial cloud and security experience to help reduce risk to customers as they transition to the cloud.
The Shared Destiny Model can more accurately represent the journey to the cloud, helping to manage and reduce risk as organizations and their leaders transform their business, IT and cybersecurity for the modern age. The sooner we adopt this as standard practice, the safer we will all become.
To learn more about shared fate and its role in the changing cloud security landscape, read Phil Venables’ article on the 8 megatrends driving cybersecurity today.