*By Carlos Sampaio

Israel is known for its strong emphasis on technology and innovation, particularly in cybersecurity. This close relationship gives the country a prominent role in the development of advanced solutions in the field. Discussions of cloud computing security, cybersecurity and information security are prevalent in the corporate world globally. However, there is a widely held view that migrating to the cloud automatically guarantees business security. This is the kind of situation where a knowing look between colleagues can lead to the unspoken question: “Who should reveal the truth?”

While a business may be more secure in the cloud, critical considerations arise. One of them is understanding the Shared Responsibility Model (MRC, from its Portuguese acronym), which defines the boundary between the responsibilities of a business and those of a provider. This model is crucial for addressing two aspects that are vital to a comprehensive assessment: “security in the cloud” and “security of the cloud”. It is important to highlight that the MRC is not a proprietary model, but rather a widely accepted industry framework based on the best practices and guidelines of the main service providers, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform. The model emphasizes that the provider and the customer share responsibility for the security of the platform.

The MRC is a fundamental principle that outlines the collaborative duties of cloud service providers (CSPs) and users in ensuring robust security in this environment. Examining the model in depth, we identify two components, “security in the cloud” and “security of the cloud”, which underlie the understanding of this complex interaction between users and providers and emphasize their joint efforts to strengthen services and protect data within the cloud. “Security in the cloud” refers to the measures and practices implemented by users to protect their data, applications and interactions in the cloud. “Security of the cloud”, by contrast, places the responsibility on the cloud service provider, who must ensure the security of the underlying infrastructure. This comprehensive model ensures that the parties play distinct yet interdependent roles, fostering a collaborative approach essential to the overall security and integrity of the ecosystem.

As we delve deeper into the realm of “security of the cloud”, the responsibilities that fall under the purview of CSPs become clear. In this critical sphere, the CSP plays a fundamental role in ensuring infrastructure security. This involves implementing advanced security measures, including, but not limited to, encryption, strict access controls, robust network security protocols, and a firm commitment to regulatory requirements. Through these proactive measures, the CSP establishes a fortified foundation for the safe operation of services.

It is important to highlight that users benefit significantly from the provision of security and infrastructure services through the cloud. However, the shared responsibility framework emphasizes collaboration between the CSP and users: while the primary responsibility for securing the infrastructure rests with the CSP, users are integral participants in the security equation. They actively contribute to the implementation of, and adherence to, recommended security measures, fostering a cooperative environment that is fundamental to maintaining the integrity and resilience of the ecosystem.

This symbiotic relationship between CSPs and users is the cornerstone of effective and robust cloud security measures. As we turn to the domain of “security in the cloud”, the focus is on the role that users play in preserving the integrity and stability of their data and applications. This transition implies specific responsibilities and actions that must be adopted consciously. In practice, users become custodians of their digital assets, actively implementing a variety of security measures. This involves prudent use of encryption, identity and access management, adherence to compliance standards, and proactive adoption of security protocols.

In this user-centric scenario, users act as the first line of defense against vulnerabilities, which requires a deep understanding of the dynamic threat landscape and a proactive approach to security. Collaboration between user-driven security practices and actions taken by CSPs forms the basis of a robust posture. In this cooperation, users not only protect their own interests, but also collectively contribute to strengthening the entire ecosystem, ensuring a safe and reliable digital environment for all parties involved.

The pursuit of cloud security requires a strategy that goes beyond siloed measures, involving the integration of robust governance structures, meticulous risk management practices, and ongoing collaboration between CSPs and users. Recognizing the MRC is crucial here, since it emphasizes the distinct (and interdependent) roles played by the parties in maintaining the overall security and integrity of the cloud.

As we navigate the complex landscape of cloud security, it is imperative to recognize that the pursuit of business security transcends the technical scope. It extends to safeguarding not only networks, data and applications, but, more fundamentally, the very businesses that rely on these digital assets. This perspective highlights the interconnection of security measures with business sustainability and prosperity. Through this lens, collaboration emerges as a foundation, fostering collective responsibility to create a resilient, secure and reliable digital ecosystem that ensures business longevity and success in the dynamic and constantly evolving landscape of cloud computing.

*Carlos Sampaio is the leader of the Cybersecurity Working Group of the Brazilian Association of Software Companies (ABES), CISO of Bidweb, Professor and Advisor.

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
