Martin Walsham, director of AMR CyberSecurity, examines the importance of the Shared Responsibility Model (SRM) in cloud security and its implications for procurement processes.

The Shared Responsibility Model (SRM) is crucial for cloud security, delineating the roles and responsibilities between cloud service providers and their customers. In the procurement sector, understanding and implementing SRM is essential for ensuring security and compliance when selecting cloud services.

The Need for Shared Responsibility in Cloud Security

SRM holds that cloud providers are responsible for security *of* the cloud (the underlying infrastructure), while customers are responsible for security *in* the cloud: their applications, data and configuration within that infrastructure. This clear division of responsibilities helps manage risks and ensures both parties are accountable for their specific roles.

For procurement professionals, SRM is vital in evaluating and selecting cloud services. It provides a framework to assess which security measures are managed by the provider and which must be handled internally. This clarity is essential for mitigating risks and ensuring comprehensive security coverage.

SRM delineates the security obligations between cloud service providers and their customers. It ensures there are no gaps in security responsibilities, which can otherwise lead to vulnerabilities.

And of course, by delegating certain security responsibilities to cloud providers, organisations can reduce the costs associated with managing and maintaining their own security infrastructure. Procurement teams can negotiate service agreements that include robust security measures, ensuring more cost-effective and efficient security management.

Background

Cloud-hosted IT systems provide numerous advantages, enabling organisations to scale quickly without the upfront costs of data centres and hardware infrastructure. They also deliver access to a wide variety of turnkey services and applications.

Historically, an organisation was responsible for all of its data centre security: the physical security of the data centre and server rooms; the management and security of physical servers and networking devices, along with the operating systems and applications running on them; and user administration.

In a cloud environment, a shared responsibility model defines which controls the cloud provider owns, which the customer owns, and which both parties share.

SRM is fast becoming a foundational concept in cloud security management practices, growing in importance as organisations increasingly migrate their workloads, data and applications to the cloud. It is a recognition of the need for a clearer understanding of who is responsible for securing the various components of a cloud environment. This understanding is crucial for an organisation’s effective risk management, compliance with regulatory requirements and trust in cloud services.

Where does responsibility sit?

The exact demarcation of responsibility will depend on the cloud services used by the organisation and the cloud hosting service provider.

Depending on the type of cloud service (such as SaaS, PaaS or IaaS), the provider and the customer may have distinct levels of responsibility for different aspects of the cloud environment, such as hardware, infrastructure, data, applications and settings.

The general principle is that the customer should delegate as much security responsibility as possible to a trusted cloud provider, which has the expertise and resources to manage security effectively. However, an organisation should always retain some responsibility for its own data, endpoints, accounts and access management.

Advantages of SRM in Cloud Security

SRM defines the security roles of both providers and customers, reducing the risk of misunderstandings that could lead to security gaps. Procurement teams can use SRM to ensure that all necessary security controls are in place and that responsibilities are clearly outlined in service agreements.

SRM allows organisations to adapt their security strategies as they scale cloud deployments or adopt new services. This flexibility is crucial for maintaining robust security as business needs and technologies evolve.

Note that before procuring cloud services, it is essential to conduct thorough risk assessments. Understand the potential impacts of data breaches and identify the controls needed to mitigate these risks. Ensure that you clearly define both the cloud provider’s and your organisation’s responsibilities.

Evaluate the cloud provider’s security measures through due diligence. Verify that the provider effectively implements the controls they are responsible for. Additionally, ensure your organisation has robust processes to manage the controls it is responsible for.

By clearly defining roles and responsibilities, SRM fosters a collaborative approach to security. Procurement can leverage the expertise of cloud providers while maintaining control over critical data and applications.

Benefits of SRM for Compliance and Innovation

SRM also helps organisations align with regulatory requirements and industry standards by providing clear guidelines for security practices. This alignment not only ensures compliance but also builds trust with customers and partners.

And by focusing on securing data and applications rather than managing infrastructure, organisations can take a more proactive approach to security. This shift supports business objectives, enabling innovation and growth within a secure cloud environment.

Incorporating the Shared Responsibility Model into procurement processes is essential for robust cloud security. It ensures clarity, accountability and flexibility, allowing organisations to effectively manage risks and comply with regulations. By leveraging SRM, procurement professionals can enhance their organisation’s security posture and support business innovation.

By adopting SRM, organisations can confidently navigate the complexities of cloud security, ensuring their digital assets are protected in a collaborative and compliant manner.

Martin Walsham is director of AMR CyberSecurity.
