Understanding the security shared responsibility model in an as-a-service world

As organizations shape the contours of a secure edge-to-cloud strategy, it’s important to align with partners that prioritize both cybersecurity and risk management, with clear boundaries of shared responsibility.


The security-shared-responsibility model is essential when choosing as-a-service offerings, which make a third-party partner responsible for some element of the enterprise operational model. Outsourcing IT operations has become a smart business strategy. But outsourcing operational risk is untenable, given the criticality of data-first modernization to overall enterprise success.

“Intellectual property is key to a company’s success,” notes Simon Leech, operational security lead for HPE GreenLake Cloud Services. “Therefore, it’s up to CIOs to do due diligence about what sort of security controls are in place and to ensure data is well protected in an [as-a-service] operating model. The security-shared-responsibility model provides a clear definition of the roles and responsibilities for security.”

Having a well-articulated and seamlessly integrated security-shared-responsibility model is table stakes. Organizations are spending far more time grappling with the costs and consequences of highly complex cyberattacks, to the tune of a 72% spike in costs over the last five years, according to the Accenture/Ponemon Institute’s Ninth Annual Cost of Cybercrime study. Specifically, the study attributed an average $4 million loss to business disruption, with another $5.9 million associated with information losses. In total, the global cost of cybercrime is skyrocketing, expected to grow 15% annually to hit the $10.5 trillion mark by 2025, noted the 2020 Cybersecurity Ventures report.


HPE GreenLake: Security by Design

Against this backdrop of heightened cybercrime activity, organizations are more vulnerable as the proliferation of platforms, internet-of-things (IoT) devices, and cloud applications has created an expanded attack surface and widened security gaps. A new security-by-design approach infuses security practices and capabilities directly into new systems as they are built, versus addressing security requirements later as an afterthought.

An organization’s approach to security must also scale at the speed of digital transformation. This means that security must be automated and integrated directly into continuous-integration/continuous-delivery (CI/CD) pipelines, ensuring that safeguards are applied consistently across workloads, no matter where data resides. This also makes it easier for developers to create secure code. As organizations grapple with additional complexity challenges, they need access to third-party security experts to close any internal security gaps.

The HPE GreenLake security-shared-responsibility model differs from that of the typical cloud provider, because the as-a-service platform delivers a public cloud experience everywhere, including in a company’s private data center and/or in a shared colocation facility. The company or colocation provider maintains responsibility for securing the connectivity and physical data center, and HPE’s responsibilities vary, depending on the chosen HPE GreenLake consumption model. For example:

  • In the bare metal model, HPE is responsible for securing the HPE GreenLake infrastructure and cloud experience, but the customer takes ownership of everything on top of that infrastructure, including the operating system (OS), hypervisor, container orchestration, applications, and more.
  • With containers and virtual machines, the responsibility shifts and HPE GreenLake handles security for the lower layers, which include the hypervisors, software-defined networking, and container orchestration. Here again, the customer is responsible for securing the guest OS, applications, and data.
  • For workloads, such as SAP HANA delivered as a service or electronic health records as a service, HPE GreenLake takes security responsibility for everything up through the application layer, whereas the customer maintains ownership of data security.

“In all three scenarios, security of customer data is always the responsibility of the customer,” Leech says. “It’s ultimately their responsibility to decide what data they put in the cloud, what data they keep out of the cloud, and how they keep that data protected.”


Best Practices for Security Success

Drill down into the details. Leech cautions that the No. 1 rule for security success is understanding the boundaries of responsibility and not making any premature assumptions. Organizations should confer with their cloud service provider to clearly understand and delineate who has responsibility for what. Most cloud providers, including HPE, offer collateral that drills down into the details of their security-shared-responsibility model, and customers should take full advantage.

“The risk is really one of blissful ignorance,” he says. “The assumption can be made that security is there, but unless you actually go into the contract and look at the details, you might be making a wrong assumption.”


Include the enterprise risk management team. Invite the enterprise risk management team into the discussion early on, so it has a clear understanding of the potential risks. With that knowledge, it can help determine what is acceptable, based on a variety of factors, including the industry, specific regulatory climate, and customer demands.


Follow security-by-design principles. Use the security-shared-responsibility model as an opportunity to address security early on and identify potential gaps. In addition to automation and ensuring that security is code-driven, embrace zero trust and identity and privilege as foundational principles. “By understanding what those gaps are early enough, you can build compensating controls into your environment and make sure it is protected in a way you’d expect it to be,” Leech explains.


Know that visibility is essential. Security monitoring should be a part of the routine to gain a full understanding of what’s happening in the environment. Organizations can opt to do security monitoring on their own or enlist additional services as part of an HPE GreenLake contract. “It goes back to that idea of blissful ignorance,” Leech says. “If I’m not doing any security monitoring, then I never have any security incidents, because I don’t know about them.”

The HPE GreenLake edge-to-cloud platform was designed with zero-trust principles and scalable security as cornerstones of its architecture and development, leveraging common security building blocks, from silicon to cloud, that continuously protect your infrastructure, workloads, and data so you can adapt to increasingly complex threats. For more information, visit https://www.hpe.com/us/en/solutions/security.html
