The Shared Responsibility of Securing the Cloud


John Whetstone, Will Fisher, Jason Pappalexis


By adopting the cloud, enterprises extend their network beyond the traditional perimeter. This forces them to adopt a new security posture, one in which the cloud service provider plays a pivotal role. Many enterprises assume the cloud service provider will protect the data as if it were its own, but is this the right approach? And, more importantly, are the boundaries of responsibility clearly recognized by both parties?

The more enterprises migrate data and processes to the cloud, the more control they relinquish. Moving enterprise data off premises requires that both the enterprise and the cloud service provider manage security controls to ensure the confidentiality, integrity, availability, and non-repudiation of the enterprise’s data. This approach, often referred to as shared responsibility, requires enterprises and cloud service providers to agree upon specific management roles for each component of the cloud computing infrastructure.


This report presents results from the NSS Labs 2017 Cloud Security Study. The goal of this research was to gain insight into enterprise adoption of cloud models, security controls and management within these models, and enterprise perception of who is responsible for securing data in the cloud. Data in this report was compiled from responses from 205 cloud security practitioners and decision makers within small and medium-sized enterprises (SMEs), large enterprises (LEs), and very large enterprises (VLEs), representing 41 US industries.

As with all NSS Labs group tests, there was no fee for participation. All testing was conducted independently and was not paid for by any vendor.