It’s time for ‘shared responsibility’ to evolve. Here’s why.
“Shared responsibility” for security emerged from the earliest days of cloud computing as a helpful model for assigning responsibilities between cloud providers and their customers. While it made sense in the beginning, the rapidly changing security landscape means we can reimagine the shared responsibility model to better capture the full spirit of the relationship required for a true partnership to transform security in the cloud. That may sound trivial, but not having the right conceptual model in cybersecurity can lead to real-world issues. It’s time for cloud service providers (CSPs) to elevate their shared responsibility into a more resilient model. We call it “shared fate.”
Shared responsibility was born of questions about whether the cloud was secure, and how to best secure it. We now know that the answers to these questions are generally yes. The model makes some areas of security very clear – the CSP owns physical security of servers, the security of various layers of operating systems, and other software depending on the nature of the service. The customer typically owns the configuration, identity and access management, and the security of the application software running in the cloud. (It’s worth noting that some compliance mandates like PCI DSS include their own versions of shared responsibility models.)
But shared responsibility can sometimes set too hard a boundary between cloud provider and customer. The result of this hard boundary can be, paradoxically, uncertainty as to who handles which aspects of threat detection, configuration best practices, and alerts for security violations and anomalous activities.
When security issues arise, many cloud customers question the usefulness of the shared responsibility model. Shared fate is the next evolutionary step to create closer partnership between cloud service providers and their customers so that everyone can better face current and growing security challenges – while still delivering on the promise of digital transformation.
Shared fate: What it is, why it matters
Introduced in IT operations in 2016, shared fate happens when a cloud provider and a client “work together as a team for a common goal and share a fate greater than the dollars that pass between them.” It’s a bigger-picture version of shared responsibility that encompasses it, but also transcends it. It’s not quite The Force, but thinking of it as a security model that binds the cloud together is not a bad place to start, either.
Security shared fate is about preparing a secure landing zone for a customer, guiding them while there, being clear and transparent about the security controls they can configure, offering guardrails, and helping them with cyber-insurance. We want to evolve the shared responsibility model to better secure our customers, and part of the challenge in adopting a shared fate mindset is that it’s less of a checklist and more of a perpetual interaction to continuously improve security.
In practical terms, shared fate’s multi-ingredient foundation is stronger than its component parts, which we’re always working on making better for ourselves and our customers. These features are:
- Secure-by-default configurations. Our default configurations can ensure security basics have been enabled and that customers start from a high security baseline, even if some customers change that later.
- Secure blueprints. Recommended secure-by-default configurations for products and services, with configuration code, so customers can more easily bootstrap a secure cloud environment.
- Secure policy hierarchies. Setting policy intent at one level in an application environment should automatically configure down the stack, so there are no surprises or additional toil in lower-level security settings.
- Consistent availability of advanced security features. We provide advanced features to customers for new products at launch, and then develop security consistency across the platform and tools.
- Availability of security solutions. Our security solutions bridge security products and security features to customer cloud experiences, which can allow customers not just to use our secure cloud, but also to use our cloud securely.
- High assurance attestation of controls. We provide independent review of our cloud services through compliance certifications, auditing content, regulatory compliance support, and configuration transparency.
- Insurance partnerships. Via our Risk Protection Program (currently in Preview), we connect cloud customers with insurers who offer specialized insurance for Google Cloud workloads that reduce security risk. Google works with Allianz Global Corporate and Specialty (AGCS) and Munich Re to bring a unique risk management solution to Google Cloud customers.
Why the future depends on shared fate
The shared fate approach can be better for cloud customers precisely because it centers the customer’s needs when deploying resources and applying cloud environment knowledge to security tasks. Instead of pushing responsibility to customers who may not have the expertise to properly manage it, the CSP uses its considerable expertise to help the customer actually be secure in the cloud.
Given that the shared fate model originated in IT operations, it can improve defense in depth against configuration errors and defense in depth against attacks. In other words, the cloud provider can have your back, security-wise, rather than merely providing a secure platform. And by participating in the insurance ecosystem, we help bridge the gap between the technical controls in the cloud environment and risk coverage.
Shared fate does not mean “no customer responsibility” for security. No cloud provider can do 100% of the work of securing a customer’s use of the cloud, and the customer will continue to be ultimately accountable for their risks. There will always be a set of tasks and activities focused on security that cloud customers will need to undertake. Instead, we believe that CSPs can and should do more to build security shared fate with customers and use their substantial cloud and security experience to help reduce risks for clients as they transition to the cloud.
The shared fate model can more accurately represent the journey to the cloud, helping to manage and reduce risk while organizations and their leaders transform their business, IT, and cybersecurity for the modern era. The sooner we adopt it as standard practice, the safer we all can become.
For more on shared fate and its role in the changing cloud security landscape, read Phil Venables’ post on the 8 megatrends driving cybersecurity today.