I found an interesting piece on Shared Responsibility Models (SRMs), with a LinkedIn discussion, which essentially raised the issue that often the customer stated the SRM was broken.
Do you agree, or is it about the customer actually understanding the SRM, and doing their own due diligence or even carrying out a Cloud Posture Security Management assessment to ensure that they themselves have configured their systems appropriately?
The Shared Responsibility Model delineates the tasks each party should carry out.
So it is about due diligence from the customer and understanding the corresponding tasks.
For example, a typical misconception is who "patches the virtual infrastructure".
If you are an IaaS customer, you need to patch those virtual server instances.
However, if you are a PaaS or SaaS then it is the responsibility of the Cloud Service Provider.
Hope that helps.
I think it is a bad practice if the person pushing the SRM also sells consulting or software to help you be secure on the platform they just sold you. It would be like selling you a car and then going "You might want to put a windshield and seatbelts in your new car, AND we just happen to be selling them right over here!"
I understand setting expectations of making the right platform choice based on informed consent, but don't sell them something (or let them purchase it) without the customer understanding what they are responsible for.
@CISOScott I wholly agree with you; in the case of AWS and Azure, for instance, they offer these services, but from an auditor's perspective this is not acceptable. Take for instance that AWS kindly provide their mapping of NIST SP800-53 Cloud Security Controls, which is very useful. But from an auditor's perspective, even though the SOC2 certificate is available along with others, this is not acceptable. The auditors actually an independent, objective assessment, along with the ability to record the findings etc. I have heard this issue being raised a number of times, to the point that a number of organisations actually demand external independent assessments be conducted. So do not wholly sign up to the SRM without doing your own due diligence first.
@fcerullo I suggest you review the NIST SP800-53 Cloud security mapping that the cloud providers give away free, and conduct your assessment upon your own security requirements, and I believe suddenly you will see lots of different interesting issues arise, and, as it becomes very apparent, there are a lot of responsibilities on the client or even the third party involved.
The Kraken Awakes https://www.goodreads.com/book/show/91092.The_Kraken_Wakes