It’s safe to say the cloud today is a wee bit more complex than it used to be. In fact, its complexity is a main reason why Google Cloud believes orgs should take a “shared fate model” approach to risk management in order to meet today’s cloud sophistication.
Shared responsibility models are quite simple: I am responsible for this, you are responsible for that, yada yada yada. Organizations have been using shared responsibility models since the cloud first erupted and took over, well, everything.
However, “the cloud is now growing up,” according to a blog by Google Cloud’s Anton Chuvakin, security solution strategy, and Seth Rosenblatt, security editor. They both argue that the mental models businesses rely on today need to be reprogrammed with a strategy that is mutually beneficial for cloud service providers (CSPs) and customers alike. Cue rolling out of the red carpet for… shared fate.
Shared fate is basically getting cloud providers “to work more actively with customers to help achieve stronger security outcomes,” according to Chuvakin and Rosenblatt. This model revolves around the customer’s needs, rather than shifting responsibility to customers with limited expertise whose “troubleshooting” may actually set the office on fire.
“We developed shared fate in Google Cloud to start addressing the challenges that the shared responsibility model doesn't address,” wrote Google Cloud’s Jess Leroy, senior director of product management, to Silverlinings via email. “This means it is our responsibility as the cloud provider to be active partners as our customers deploy securely on our platform, not delineators of where our responsibility ends.”
Confusion among the masses
Now, customers aren’t going to be getting away that easily, because, “there will always be some responsibility on the customer for their security, as no cloud provider can claim accountability for 100%,” wrote Chuvakin and Rosenblatt.
Instead, the shared fate model will place a heavier burden on cloud providers to invest more time and support in helping with customers’ security.
“The shared fate approach is better for enterprises because it prioritizes an organization's needs when deploying resources and applying cloud environment knowledge to security tasks,” continued Leroy. “Instead of pushing responsibility to customers who may not have the skills to properly manage it, the cloud provider uses its considerable security expertise to help an organization be secure in the cloud.”
While Google Cloud pushes this model to “impact the trust in all clouds,” it has also identified challenges with shared responsibility that underscore a much-needed update to companies’ models for risk management overall.
The main challenges? Ironically, they are communication barriers, mass “default” confusion and — look at that — more confusion.
Who's in charge?
Google Cloud noted that many of the challenges associated with shared responsibility models stem from cloud customers' lack of understanding of where their responsibilities lie versus what a cloud provider oversees.
Plus, when a basic understanding isn't laid out between a customer and cloud provider, customers may assume too much about a CSP’s responsibility — unknowingly or due to not having a cloud security expert on board — which can lead to a multitude of security vulnerabilities and risks, according to Chuvakin and Rosenblatt.
To remediate this, “organizations need to adopt controls and capabilities to meet their security and compliance objectives and they need the knowledge and operating expertise to achieve and maintain their desired security and risk posture,” said Leroy.
Not to throw cloud customers entirely under the bus, there are challenges CSPs must overcome as well to step up to the growing, more complex cloud world we live in.
There have been examples of cloud providers reducing the actions a customer can take to secure environments, yet shifting responsibility to the customer “even though the cloud provider can make changes to the system,” wrote Chuvakin and Rosenblatt.
Google Cloud’s dive into the shared fate model also noted a CSP should focus on delivering defaults for most services, which could remediate confusion over the customer’s security abilities, thus preventing common security vulnerabilities from the get-go.