While taking the use of the cloud, we always overlook the issue of security and assume the cloud provider will for sure handle that. However, it is important to understand the security responsibility does not solely lie with the cloud provider. Security is a shared responsibility when using the cloud.
Below I try to outline the different responsibilities in securing the cloud for each of the stakeholders
Designed to provide the highest degree of flexibility and management control to customers, IaaS services also place more security responsibilities on customers. Let’s use Amazon Elastic Compute Cloud (Amazon EC2) as an example.
When customers deploy an instance of Amazon EC2, the customer is the one who manages the guest operating system, any applications they install on these instances and the configuration of provided firewalls on these instances. They are also responsible for overseeing data, classifying assets, and implementing the proper permissions for identity and access management.
While IaaS customers retain a lot of control, they can lean on CSPs to manage security from a physical, infrastructure, network, and virtualization standpoint.
In PaaS, more of the heavy lifting is passed over to CSPs. While customers focus on deploying and managing applications (as well as managing data, assets, and permissions), CSPs take control of operating the underlying infrastructure, including guest operating systems.
From an efficiency standpoint, PaaS offers clear benefits. Without having to worry about patching or other updates to operating systems, security and IT teams recoup time that can be allocated to other pressing matters.
Of the three deployment options, SaaS places the most responsibility on the CSP. With the CSP managing the entire infrastructure as well as the applications, customers are only responsible for managing data, as well as user access/identity permissions. In other words, the service provider will manage and maintain the piece of software—customers just need to decide how they want to use it.