Blog Posts Business Management

Cloud security – a team sport

Blog: Capgemini CTO Blog

The cloud security is evolving at a rapid rate and 2021 is going to be another year of transformation – one that will enable enterprises to be more secure, agile, resilient and adaptive. Interestingly, even today in majority of Cloud adoption surveys, cybersecurity and regulatory concerns are identified as the top barriers inhibiting adoption of cloud. Ironically, this happens after years of heavy investment from the main cloud providers in controls, audits, and certifications. As a result, the main risks are shifting to customers and according to Gartner, by 2023, most security compromises over the cloud will be due to the customer negligence, not the cloud providers.

This phenomenon can already be seen in multiple cybersecurity incidents that make headlines every day – lack of proper patching, hardening, weak passwords, misconfigurations, employee mistakes or frauds, application vulnerabilities on the customer side – causing the main breaches, not the cloud provider.

Does this mean that data in the cloud is more secure than on-premises data?

Unfortunately, the answer isn´t so easy. First and foremost, customers must make sure the cloud provider in fact has a robust set of controls in place, get information and proof of it, and make sure it meets your cybersecurity and regulatory needs.

But, more importantly, cloud security isn´t dependent on the cloud provider or the company alone, and it will never be about finding who´s fault caused a security breach. Cloud security is a team sport, and as in any successful team, to win here each team player must know its role and responsibilities and act accordingly.

Shared responsibility model

The general rule is what it is known as the “shared responsibility model,” where customers are responsible for choosing how their data is handled IN the cloud, and the provider is responsible for the security OF the cloud. Note that the line between what IS the cloud depends on the service model considered – IaaS, PaaS, or SaaS.

Just a reminder:

Having these definitions in mind makes it easier to identify what IS the cloud in each case and to distinguish data protection IN the cloud versus OF the cloud. Now we can understand the responsibilities of each party in each case. While we tried to be thorough, the examples below are illustrative rather than exhaustive.

Responsibilities in an IaaS model

When talking about IaaS, cloud provider responsibilities include physical access control, surveillance, proper environmental conditions, network (LAN) security, server (hardware and hypervisor levels) security, incident monitoring, response, disaster recovery, and continuity in physical and IT infrastructure levels.

Customer responsibilities will include the security of all layers, starting from operating systems: vulnerability management, updates, patching, hardening, log and audit management, security incident monitoring and response, application control, data-in-motion, and data-at-rest encryption, identity, and access management, firewalls, VPNs, among others. Take note of which operating system image is used – standard (provided by the cloud) or custom (if yours).

Responsibilities in a PaaS model

When the cloud model is PaaS, cloud provider responsibilities are the same, in addition to the security of the platform is offered as a service and at the operating system level. Customer responsibilities with regards to the components on top of the platform, for example, application and data, are described in more detail in the next model.

Responsibilities in a SaaS model

Finally, in the SaaS model, the cloud provider is responsible for pretty much all the layers, from the physical infrastructure up to the application security. This may lead to the misunderstanding that the customer has no responsibility at all. However, customer responsibilities include:


So, as many customers consume cloud services from different providers and in different models, proper governance of cybersecurity in cloud services becomes a complex topic. If knowing the responsibilities of each team player is key to success, it will be via orchestration, governance, and management of the entire “team” that will be the real competitive advantage to your company in your digital transformation journey. Don’t be afraid to accelerate the journey but be sure the responsibilities are clear as well as the risks and manage it all accordingly.

To find out more about how we can help you, visit

Follow Leonardo Carissimi on LinkedIn.

Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples