Cloud Security: The Shared Responsibility Model
When you host applications in the cloud, security responsibilities are divided between the cloud provider (AWS, Azure, GCP) and you (and us, as your development partner). The line moves with the service model: with infrastructure services (virtual machines, block storage) more of the stack is yours, and with managed platform services the provider takes on more of it, but the configuration of, and access to, whatever you deploy always stays on your side. Understanding this division is critical to ensuring nothing falls through the gaps.
What the Cloud Provider Is Responsible For
Cloud providers are responsible for "security of the cloud", the underlying physical and virtualisation infrastructure:
- Physical security of data centres
- Hardware security
- Hypervisor and virtualisation security
- Managed service security: the underlying infrastructure and service software of managed databases, storage, queues and similar services (for example, patching the database engine itself). The configuration of those services, such as who can reach them, whether they are exposed publicly, and whether encryption and logging are switched on, remains your responsibility.
What You (and We) Are Responsible For
You are responsible for "security in the cloud" — how you use cloud services:
- Identity and Access Management: Who has access to your cloud account and with what permissions, including MFA for human users, least-privilege roles for workloads, and avoiding long-lived access keys
- Network security: Security groups, firewall rules, VPC configuration, and which services are reachable from the internet at all
- Data encryption: Enabling encryption at rest and in transit for your data, and managing the keys where the provider gives you the choice (for example, customer-managed keys in a key management service)
- Application security: Security of the code and applications you deploy, including their dependencies
- OS and runtime patching: Keeping operating systems and runtimes up to date (for IaaS resources such as virtual machines and self-managed containers)
- Secrets management: How credentials and API keys are stored, rotated and accessed, rather than hard-coded in application code or configuration files
Common Gaps
The most common security failures in cloud environments are: overly permissive IAM policies (too many users or roles with admin-level access, often through wildcard grants), publicly readable S3 buckets or Blob Storage containers holding sensitive data, unpatched EC2/VM instances, and secrets committed to code repositories. All four sit on the customer side of the line described above, so none of them is something the provider will catch for you, and a shared-responsibility review should start with them.
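As an added example (not code from the original page, and not a tool from any provider), the following Python script shows the kind of offline check that catches the first two gaps above, and illustrates the IAM and storage-access responsibilities listed under "security in the cloud": it reads an IAM policy and an S3 bucket policy as JSON, flags Allow statements that grant wildcard actions on all resources or are open to any principal, and places a least-privilege policy next to each weak one. All four policy documents, the bucket name example-app-assets, the role name and the account number 123456789012 are constructed for the example.

```python
"""Offline checks for two common cloud gaps: admin-level IAM grants and public bucket
policies. Added example; the policy documents below are constructed, not real."""
import json

# Weak setting: full administrative access via wildcards (constructed example).
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Corrected setting: only the two actions the workload needs, on one bucket.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-assets",
                  "arn:aws:s3:::example-app-assets/*"]}
  ]
}""")

# Weak setting: anyone on the internet may read every object (constructed example).
PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-assets/*"}
  ]
}""")

# Corrected setting: only the application's role may read (assumed role name).
PRIVATE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-assets/*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def find_overly_permissive(policy):
    """Return (Sid, severity, reason) for Allow statements with wildcard grants.

    Action "*" on Resource "*" is administrative access; "service:*" on
    Resource "*" is reported as broad. NotAction/NotResource statements grant by
    exclusion and are reported as broad too. Deny statements only narrow access
    and are skipped.
    """
    findings = []
    for st in _statements(policy):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "NotAction" in st or "NotResource" in st:
            findings.append((sid, "broad", "NotAction/NotResource grants by exclusion"))
            continue
        actions = _as_list(st.get("Action"))
        if "*" not in _as_list(st.get("Resource")):
            continue
        if "*" in actions:
            findings.append((sid, "admin", "Action * on Resource *"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "broad", "service-wide wildcard on Resource *"))
    return findings


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two public-access spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(bucket_policy):
    """Return (Sid, severity, reason) for Allow statements open to any principal.

    A Condition block (for example aws:SourceVpce) may still restrict who can use
    the statement, so those are reported as public-conditional for manual review
    rather than silently ignored.
    """
    findings = []
    for st in _statements(bucket_policy):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(st.get("Action")))
        level = "public-conditional" if st.get("Condition") else "public"
        findings.append((sid, level, f"Principal * may call {actions}"))
    return findings


if __name__ == "__main__":
    for name, doc in [("ADMIN_POLICY", ADMIN_POLICY),
                      ("LEAST_PRIVILEGE_POLICY", LEAST_PRIVILEGE_POLICY)]:
        print(name, find_overly_permissive(doc))
    for name, doc in [("PUBLIC_BUCKET_POLICY", PUBLIC_BUCKET_POLICY),
                      ("PRIVATE_BUCKET_POLICY", PRIVATE_BUCKET_POLICY)]:
        print(name, find_public_statements(doc))
```

The script reasons only about the policy documents it is given. In a real account, bucket ACLs and the account-level Block Public Access setting also decide whether data is exposed, and a policy with Action "*" is just as dangerous when attached to a role as to a user, so run the check across every attached and inline policy, and treat it as a first pass before the provider's own analysis tooling (AWS IAM Access Analyzer, for example), not as a replacement for it.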