Understanding the security shared responsibility model in an as-a-service world

As organizations shape the contours of a secure edge-to-cloud strategy, it’s important to align with partners that prioritize both cybersecurity and risk management, with clear boundaries of shared responsibility.

The security-shared-responsibility model is essential when choosing as-a-service offerings, which make a third-party partner responsible for some element of the enterprise operational model. Outsourcing IT operations has become a smart business strategy. But outsourcing operational risk is untenable, given the criticality of data-first modernization to overall enterprise success.

“Intellectual property is key to a company’s success,” notes Simon Leech, operational security lead for HPE GreenLake Cloud Services. “Therefore, it’s up to CIOs to do due diligence about what sort of security controls are in place and to ensure data is well protected in an [as-a-service] operating model. The security-shared-responsibility model provides a clear definition of the roles and responsibilities for security.”

Having a well-articulated and seamlessly integrated security-shared-responsibility model is table stakes. Organizations are spending far more time grappling with the costs and consequences of highly complex cyberattacks, to the tune of a 72% spike in costs over the last five years, according to the Accenture/Ponemon Institute’s “Ninth Annual Cost of Cybercrime” study. Specifically, the study attributed an average $4 million loss to business disruption, with another $5.9 million associated with information losses. In total, the global cost of cybercrime is skyrocketing, expected to grow 15% annually to hit the $10.5 trillion mark by 2025, noted the “2020 Cybersecurity Ventures” report.

HPE GreenLake: Security by Design

Against this backdrop of heightened cybercrime activity, organizations are more vulnerable as the proliferation of platforms, internet-of-things (IoT) devices, and cloud applications has created an expanded attack surface and widened security gaps. A new security-by-design approach infuses security practices and capabilities directly into new systems as they are built — versus addressing security requirements later as an afterthought.

An organization’s approach to security must also scale at the speed of digital transformation. This means that security must be automated and integrated directly into continuous-integration/continuous-delivery (CI/CD) pipelines, ensuring that safeguards are applied consistently across workloads, no matter where data resides. This also makes it easier for developers to create secure code. As organizations grapple with additional complexity challenges, they need access to third-party security experts to close any internal security gaps.

The HPE GreenLake security-shared-responsibility model differs from that of the typical cloud provider, because the as-a-service platform delivers a public cloud experience everywhere, including in a company’s private data center and/or in a shared colocation facility. The company or colocation provider maintains responsibility for securing the connectivity and physical data center, and HPE’s responsibilities vary, depending on the chosen HPE GreenLake consumption model. For example:

In a bare metal model, HPE is responsible for securing the HPE GreenLake infrastructure and cloud experience, but the customer takes ownership of everything on top of that infrastructure, including the operating system (OS), hypervisor, container orchestration, applications, and more.

With containers and virtual machines, the responsibility shifts: HPE GreenLake handles security for the lower layers, which include the hypervisors, software-defined networking, and container orchestration. Here again, the customer is responsible for securing the guest OS, applications, and data.

For workloads, such as SAP HANA delivered as a service or electronic health records as a service, HPE GreenLake takes security responsibility for everything up through the application layer, whereas the customer maintains ownership of data security.

“In all three scenarios, security of customer data is always the responsibility of the customer,” Leech says. “It’s ultimately their responsibility to decide what data they put in the cloud, what data they keep out of the cloud, and how they keep that data protected.”

Best Practices for Security Success

Drill down into the details. Leech cautions that the No. 1 rule for security success is understanding the boundaries of responsibility and not making any premature assumptions. Organizations should confer with their cloud service provider to clearly understand and delineate who has responsibility for what. Most cloud providers, including HPE, offer collateral that drills down into the details of their security-shared-responsibility model, and customers should take full advantage.

“The risk is really one of blissful ignorance,” he says. “The assumption can be made that security is there, but unless you actually go into the contract and look at the details, you might be making a wrong assumption.”

Include the enterprise risk management team. Invite the enterprise risk management team into the discussion early on, so it has a clear understanding of the potential risks. With that knowledge, it can help determine what is acceptable, based on a variety of factors, including the industry, specific regulatory climate, and customer demands.

Follow security-by-design principles. Use the security-shared-responsibility model as an opportunity to address security early on and identify potential gaps. In addition to automation and ensuring that security is code-driven, embrace zero trust, and treat identity and privilege as foundational principles. “By understanding what those gaps are early enough, you can build compensating controls into your environment and make sure it is protected in a way you’d expect it to be,” Leech explains.

Know that visibility is essential. Security monitoring should be a part of the routine to gain a full understanding of what’s happening in the environment. Organizations can opt to do security monitoring on their own or enlist additional services as part of an HPE GreenLake contract. “It goes back to that idea of blissful ignorance,” Leech says. “If I’m not doing any security monitoring, then I never have any security incidents, because I don’t know about them.”

The HPE GreenLake edge-to-cloud platform was designed with zero-trust principles and scalable security as cornerstones of its architecture and development — leveraging common security building blocks, from silicon to cloud, that continuously protect your infrastructure, workloads, and data so you can adapt to increasingly complex threats. For more information, visit https://www.hpe.com/us/en/solutions/security.html