A common misconception among customers considering a cloud migration is that once they’re in the cloud, their security concerns will be taken care of by their cloud provider. This is only partially the case, as all cloud providers adhere to a shared responsibility model, where security responsibilities are split between the provider and the customer.
In the case of AWS, this model is known as the AWS Shared Responsibility Model, and a clear understanding of your responsibilities as an AWS customer is a hallmark of a mature and secure cloud environment.
The AWS Shared Responsibility Model underpins all aspects of AWS, but this isn’t always obvious to customers. When getting started in AWS, or increasing your usage and dependencies on AWS, you should take the time to understand and appreciate the implications of the model.
Moving to the cloud doesn't instantly solve all your security problems. While the cloud can make things easier and can dramatically improve the visibility into your security posture, these outcomes don’t come by default or without effort. Stax can help make customers' jobs easier by leveraging automation to apply best practices from Day One, consistently and automatically.
This post aims to provide an overview of the AWS Shared Responsibility Model and its implications for customers, and to explain where Stax fits in to this model and how it can help customers overcome security challenges.
What is the AWS Shared Responsibility Model?
The AWS Shared Responsibility Model is the reason AWS can scale their service offering out to over 25 regions worldwide. Simply put, the model explains how both the customer and AWS have a part to play in staying secure:
- The customer is responsible for security in the cloud
- AWS is responsible for the security of the cloud
What this means is that while AWS will do everything they can to develop, build, and run their services securely, you as an AWS customer have the responsibility to use those services in a secure way. What this means will vary from service to service, but the key takeaway is that responsibility is shared, and not just the responsibly of AWS.
AWS is excellent at providing cloud-based services for their customers to use. These services are like tools in the real world, you can build things with them, or break things with them. AWS can't imagine and anticipate all the ways customers will use their services, so they focus on what they can control, and provide secure service offerings for customer to use. If AWS didn’t follow this approach, they wouldn’t be able to offer the powerful services that they offer today. Instead, they would have to build for an extremely narrow set of use-cases, since AWS would be responsible for everything that happened on its platform, which would make it far less useful, and ultimately less valuable to customers.
Once you’ve got a secure set of services to build with, you can start to build your own offerings on top. Therefore. it’s so important to have a secure cloud platform provider, because if your cloud isn’t secure, then your applications in the cloud won’t be either! How you secure your applications in the cloud will depend on the applications. Is it run on a server, a container, or a serverless function? While some of your data might be sharable with the world (e.g., your public-facing website), some data will not be (e.g. your customer’s personal data). This variation is why AWS relies on their customers to do the right thing for the applications.
Here's how AWS likes to visualise the difference between the responsibilities taken from the AWS website.
We get the "above the line/below the line" concept from this diagram, and it shows how important it is to build on a secure cloud platform. When building on AWS, you might hear people talk about something being "below the line," which makes it AWS' problem to solve, or "above the line", which means the customer (or a friendly software vendor they partner with) must address it.
AWS is focused on enablement and catering to needs of customers. To take responsibility for activities above the line would be a very different business model. By limiting the scope of their responsibility, they can continue innovating and delivering excellent services below the line.
Stax Can Help Customers
When it comes to the AWS Shared Responsibility Model, Stax is on the customer’s side. Take a look at the following graphic for an overview:
Stax is above the line and helps the customer use and configure many AWS services securely to keep up their side of the model. Stax uses the power of automation to configure foundational services, especially those that relate to security, compliance, cost management, and networking. These are services that all customers on AWS find themselves configuring, regardless of their industry or vertical, and aligns with recommendations from AWS like the Well-Architected Framework.
Stax offers an evergreen approach to an AWS landing zone, which means Stax provides ongoing updates and improvements as AWS continues to release new features and services. Since Stax deploys resources into the customers' accounts, it can improve and give visibility to their cloud environment. Stax takes compliance seriously so that customers can be sure they're safe.
Your applications in the cloud will still need your attention because all applications are different when it comes to their security. Are they fit for the cloud? How have they been tested? Are they secure by default? What data do they use and depend on? These are all things that only your teams can answer.
Focus on Innovation
Stax helps you focus on these tasks by taking the configuration of AWS foundational services off your to-do list. Your teams are then free to innovate and focus on your core business business applications, able to give them the attention and focus they deserve.
Reach out to our team to learn more and arrange a demo.