How the Cloud Shared-Responsibility Model Works
The shared-responsibility model defines which areas of security are managed by the provider — companies such as Amazon Web Services, Microsoft Azure, Google Cloud Platform and others — and which are handled by the business. The type of cloud service selected impacts both sides of the security equation.
Infrastructure as a Service providers deliver the IT infrastructure necessary for small businesses to run custom cloud environments.
- Provider responsibilities: hardware, virtualization and networking
- Customer responsibilities: operating systems, applications, identity and access management, and data
Platform as a Service offerings, such as AWS Lambda or Azure App Service, provide the IT environment that teams need to run cloud-based apps and services.
- Provider responsibilities: infrastructure, runtime and OS
- Customer responsibilities: application logic, IAM and data
Software as a Service solutions are tools businesses use daily, such as Google Workspace or Microsoft 365. Other popular SaaS options include HR, e-commerce, customer relationship management and payroll tools.
- Provider responsibilities: everything from physical devices to the application layer
- Customer responsibilities: user access, data integrity, compliance
What Are the Top Small Business Threat Vectors?
While customer responsibilities may change based on service type, two components — data governance and user access — remain constant. In practice, this creates four common security concerns:
- Misconfigurations and human errors. Small businesses often have IT staff who take on multiple roles rather than specialist tasks. This can lead to mismanaged storage buckets or misconfigured identity policies that may expose sensitive data.
- Compromised identity. Users with access to resources they don’t need, or permissions that aren’t removed for ex-staff members, open the door to potential compromise.
- Compliance failures. Even small businesses are bound by regulations that govern data privacy and security. Failure to obtain user consent, maintain audit logs or ensure data encryption can lead to compliance challenges.
- Ineffective threat detection and incident response. Without the budget for security operations centers and 24/7 monitoring, SMBs often struggle to detect and respond to emerging threats.
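A minimal audit for the first two concerns above, misconfigured storage policies and stale or excessive identities, written as an added example rather than code from this article or any vendor. The bucket policy, user list, staff roster and admin allow-list are constructed sample data, and the function names are hypothetical.

```python
import json

# Constructed sample data (not from a real account): an AWS-style S3 bucket
# policy, the account's users, the HR staff roster and an admin allow-list.
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-invoices/*"},
  {"Sid": "AppWrite", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-invoices/*"}
]}""")
CLOUD_USERS = [
    {"name": "alice", "policies": ["AdministratorAccess"]},
    {"name": "bob", "policies": ["ReadOnlyAccess"]},
    {"name": "carol", "policies": ["AdministratorAccess"]},
]
ACTIVE_STAFF = {"alice", "carol"}   # bob has left the company
APPROVED_ADMINS = {"carol"}         # assumption: who may hold admin rights

def as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def public_statements(policy):
    """Return Sids of Allow statements whose principal is a wildcard."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict)
            and any("*" in as_list(v) for v in principal.values()))
        if stmt.get("Effect") == "Allow" and anyone:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def identity_findings(users, active_staff, approved_admins):
    """Flag accounts of departed staff and admin rights outside the allow-list."""
    findings = []
    for user in users:
        if user["name"] not in active_staff:
            findings.append((user["name"], "no longer on staff roster"))
        elif ("AdministratorAccess" in user["policies"]
              and user["name"] not in approved_admins):
            findings.append((user["name"], "admin access not approved"))
    return findings

if __name__ == "__main__":
    print(public_statements(BUCKET_POLICY), identity_findings(CLOUD_USERS, ACTIVE_STAFF, APPROVED_ADMINS))
```

A wildcard principal that carries a Condition is still flagged here, so each hit needs a manual look before the statement is changed.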
Small businesses usually need outside help to manage all of this. Managed security service providers now offer everything from comprehensive security assessments to automated monitoring solutions and 24/7 threat response. CDW can help SMBs assess, design, orchestrate and manage cloud security solutions that can help them live up to their end of the shared-responsibility bargain.