What is the Shared Security Model?

What is the Shared Security Model?

If the cloud provider offers encryption services and things go well, why do organizations need to own their encryption capabilities? The question is obvious and repetitive—yet crucial.

When cloud providers provide complete data encryption to safeguard your data, organizations need to know what data is encrypted, at what time, and in which way.

In most cases (if not all), the data, despite being encrypted at the source, must be decrypted by the CSP upon hitting the cloud instance for obvious computational and operational purposes. This is the point of vulnerability where data loses its confidentiality.

Organizations must have full control of data residing in and moving between the clouds and different environments to avoid violating hefty fines and levying regulations such as GDPR, FIPS, PCI DSS, etc.

A cloud-native encryption approach frees your data security architecture from severe hardware and scalability limitations. It takes an a la carte approach to data security services at the click of a button. But who holds the encryption keys?

Most major cloud vendors, such as AWS or GCP, practice a shared security model, wherein the Cloud service provider (CSP) and the customer work together to roll out the security measures. The CSP secures its infrastructure, and customers secure their cloud data.

Cloud-native key management systems offer organizations of any size and complexity a low-cost option for meeting their needs for key management, particularly for cloud services within the same provider.

The BYOK model allows the customers to generate the keys themselves and upload them to the cloud provider's KMS. To take security a notch higher, they are additional external layers to BYOK schemes to provide key management within the CSP's interface without the CSP ever storing or controlling the keys themselves. For example, the Google Cloud External Key Management (EKM) Program allows customers to manage access to their externally managed keys, whether the data they protect resides in the cloud or on-prem.