Ian Wood at Veritas Technologies argues that shared responsibility assumptions are costing millions in soaring cloud costs
When political philosopher Eugene Lewis Fordsworthe coined the phrase “assumption is the mother of all mistakes”, it’s unlikely he had enterprise cloud deployments in mind. However, as our latest global research shows, dangerous assumptions are leading to costly oversights.
As well as misunderstandings around Shared Responsibility Models, an over-reliance on Cloud Service Providers’ (CSP) standard data protection tools means the adage holds firm.
The result of these assumptions? As our research reveals, an overwhelming 85% of organisations confess they have overspent when using a public CSP. On average, overspending amounted to 33% of the original budget; over three in ten organisations overspent by between a third and 100%.
When you consider that a quarter of those surveyed invest between $1m and $2.5m on public CSPs, a 40% overspend could equate to up to $1m! With over a quarter of organisations predicting that cloud spend will increase by between 21% and 25% in the next five years, this figure rockets further.
As cloud deployments become ever more complicated, it’s natural to assume that these overspends were inevitable. But this is not the case. We uncovered that much of this overspend stems from assumptions around the remit of Shared Responsibility Models, especially who ‘owns’ responsibility for mission-critical aspects including backup and recovery, storage, and data access.
Worryingly, many organisations fail to realise they are responsible for key data resiliency elements in the cloud, such as data backup and recovery. Within our study, few respondents were able to correctly identify which cloud responsibilities fell to the CSP and which to them. According to Gartner, over the next three years, “at least 95% of cloud security failures will be the customer’s fault.”
With all the top CSPs adopting a Shared Responsibility Model, it is imperative that enterprises understand exactly what this means, and what failure could cost.
Divide and conquer; what the shared model really means
The Shared Responsibility Model does not mean equal distribution of responsibility. Each CSP manages its model in slightly different ways (even differing between its own services). CSPs are generally responsible for the resiliency of the cloud itself (the infrastructure), while the customer is accountable for resiliency in the cloud.
It is essential that enterprises rid themselves of any assumptions and ensure they have a full understanding of the CSP end-user licensing agreement (EULA), where the fact that the CSP is responsible only for protecting the infrastructure is often buried.
In addition, depending on the type of cloud service provision, model responsibilities will vary. For example, within a SaaS model, the CSP will take on more responsibility in terms of applications, network controls, and operating systems than they would within an IaaS deployment. In a PaaS model, more of these responsibilities would be deemed ‘shared’.
Further complicating the picture is the increasing use of multiple clouds. And with CSPs constantly adding new services, closing gaps in data resilience across multiple clouds, and within numerous evolving services, can be regarded as a complex challenge.
What does this mean in terms of overspend? With a lack of understanding about the Shared Responsibility Model, it is perhaps no surprise that the additional costs incurred by organisations using public CSPs relate to areas within the user’s remit. Backup and recovery (42%), storage (41%), and data access (43%) all attracted additional costs. When the ever-present threat of cyberattack is also considered, the impact is felt even more strongly.
A high cost for insecure convenience
According to Ponemon Institute research, the average cost of a data breach in 2022 is estimated at $4.35m, with ransomware costing organisations an average of $4.54m. Concerningly, the average data breach cost for organisations with public clouds topped $5m.
Nearly nine in ten organisations we surveyed had been the victim of a ransomware attack. As a result, they experienced exposure of sensitive data (29%), organisational downtime (35%), financial losses in terms of data recovery (34%) and financial loss for ransom payments (24%).
Unfortunately, such fallout is compounded by the choice many organisations make to rely on CSPs’ standard, add-on services for data security, backup, and recovery. Our research highlighted that companies who rely solely on native tools are often much more severely impacted by ransomware and the financial and data loss it brings.
To avoid budget overspend, organisations need to understand their responsibilities within the Shared Responsibility Model and enact stringent strategies to meet them. Just as essential, however, is that they do not assume that the tools on offer from CSPs will meet the needs of these strategies.
When executing cloud deployments, it’s essential to not allow a false sense of security to mask a deluge of expensive oversights. If mistakes are born of assumption, countering soaring costs relies upon focussing on the details.
Moving from blind assumption to visible knowing is the key. And, within increasingly complex, multi-cloud environments this requires working with experts whose knowledge, experience, and tools close the gaps and provide complete visibility.
Ian Wood is Head of Technology UK&I at Veritas Technologies
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543