Lessons from the future: Why shared fate shows us a better cloud roadmap
Security Advisor, Office of the CISO, Google Cloud
Security Editor, Google Cloud
As a model for assigning cyber-risk management, it’s time for shared responsibility to evolve into shared fate. Here’s why.
When living with a spouse, partner, roommate, or child old enough to take out the trash, assigning responsibility for household chores is a shared but often fraught task. One person washes the dishes (or doesn’t,) cleans the bathroom (or doesn’t,) and makes sure that the bills are paid on time (or not.) This is a shared responsibility model: You are responsible for this, and I’m responsible for that. Back when the cloud was still emerging, it was a fair way to assign ownership of common cloud security risks.
The cloud is now growing up — and growing more complex — and the mental models we use to help understand the public cloud have begun to evolve to match its sophistication. This evolution is why Google Cloud takes a matured, mutually-beneficial shared fate approach to risk management. Shared fate can better serve cloud service providers, their customers, and the broader community of cloud users, because a trust issue in one cloud can impact the trust in all clouds.
From a high level, shared fate puts the impetus on the cloud provider to work more actively with customers to help achieve stronger security outcomes — for them and for us. As Google Cloud CISO Phil Venables said, “Shared fate drives a flywheel of cloud adoption. Visibility into the presence of strong default controls and transparency into their operation increases customer confidence, which in turn drives more workloads coming onto cloud.”
Shared fate centers around the customer’s needs. Instead of shifting responsibility to customers who may not have the expertise to properly manage it, the cloud provider uses its expertise to help the customer be secure in the cloud.
In practical terms, our shared fate approach can help business leaders manage the risks they face by tapping into secure-by-default configurations, secure blueprints, secure policy hierarchies, consistent availability of advanced security features, and a high assurance attestation of controls. We also offer our Risk Protection Program, which brings risk management via automation, guidance, and access to cyber insurance designed exclusively for Google Cloud customers.
Shared fate drives a flywheel of cloud adoption. Visibility into the presence of strong default controls and transparency into their operation increases customer confidence, which in turn drives more workloads coming onto cloud.
Hardly an act of magic or an accident of intelligent design, our approach evolved because we became more attuned to the shortcomings in the shared responsibility model over time. We’ve identified four challenges to shared responsibility that underscored the need to update our mental models for risk management.
Challenge 1: More than a slight case of misunderstanding
Some cloud customers lack a practical understanding of where their responsibility begins and ends.. In the past, we encountered customers who assume that their cloud provider handles all security tasks and is responsible for all security outcomes. “The cloud is so secure, we won’t have to do a thing,” is as much a misconception as, “The cloud is so insecure, we can’t use it.”
Sometimes the shared responsibility model is not understood at all, which can lead to an abdication of responsibility. The notion that if responsibility is shared, nobody is really accountable oversimplifies the complexity of risk management in an attempt to get customers to understand what’s at stake for them. “A common cause of failure with this approach is when customers do not take the time to understand their security responsibilities,” said technology writer Will Kelly.
Shared fate says: We take steps to develop a much closer client-provider relationship, one that dispenses with throwing security issues over the shared responsibility fence for the other partner to manage. With shared fate, we work together as a team for a common goal, and share a fate greater than the dollars that pass between us.
Challenge 2: Presuming service provider responsibility
Sometimes shared responsibility has failed because the cloud users presume that the cloud service provider (CSP) has taken on more risk responsibility than it actually has. We’ve seen cases of cloud users who haven’t read or understood their service provider documentation, even when it clearly states that a particular risk falls to the customer to manage.
We’ve also seen the inverse, where a security activity has been pushed to the cloud user even though the cloud provider is more skilled and better equipped to handle it. This challenge often appears when customers have been told to configure a particular security system, without having a cloud security expert on their team.
Shared fate says: Ideally, we rely on close communication and working together, a “JointOps” in a sense, where a cloud user and a CSP collaborate on security. This eliminates the possibility of erroneous security presumptions that can increase the risk level.
Challenge 3: Confusing capability with responsibility
We have seen examples of cloud providers limiting actions the customer can take to secure their environments and simultaneously shifting the risk responsibility to the customer. For example, with some managed-cloud services, the customer bears the responsibility even though the cloud provider can make changes to the system.
Another mode of failure occurs because the provider’s security technology has changed and the customer’s security team has struggled to keep up. For example, the customer may be responsible for enabling a helpful new control mechanism that the provider has created, but nobody has told the customer that the control exists.
Shared fate says: We can use our resources and knowledge as the CSP to help make security improvements on the customer side, which helps the customer and the CSP reduce their security risk.
Challenge 4: “Default” confusion
You might think that the responsibility for adjusting default cloud control settings to align with a cloud customer’s security goals would lie with the customer. However, that assumption can actually increase the level of risk faced by customers and CSPs. The confusion stems from overestimating the cloud client’s security abilities, a problem that often manifests in two situations:
When defaults are less secure than what a specific customer needs, it falls to the customer to change them — but they may not have the expertise to do so efficiently and accurately.
When defaults are stricter than what the customer needs, it falls to the customer to adjust them — but explicitly not to turn the controls completely off.
Both scenarios raise questions about who is really responsible for a failure: a CSP with permissive defaults, or a customer who didn’t change them to match their risk profile? The lack of clarity into default settings ownership unnecessarily widens the gap between the default security provided by the CSP and the risk-driven security needed by the client.
Under the shared fate approach, the cloud provider plays a significantly more active role in the customer’s security.
Shared fate says: We believe that the CSP should focus on delivering robust defaults for most services. Shared fate also encourages acquiring cyber-insurance to cover for cases where the customer suffers an incident despite proper configuration.
How your organization can encourage a shared fate approach to risk
Of course, there will always be some responsibility on the customer for their security, as no cloud provider can claim accountability for 100% of an organization’s security or activity in the cloud. There will always be a set of tasks and activities focused on security that cloud customers will need to undertake, and CSPs don’t understand, such as how important to the organization certain kinds of data and business processes are.
The difference is that under the shared fate approach, the cloud provider plays a significantly more active role in the customer’s security — to the point where, if something were to go wrong, the cloud provider would be heavily invested and can better support the customer through that journey.
Shared fate is a mental model that can help guide CSPs and their customers in determining who should manage specific risks. It also can create opportunities to have conversations about risk management more broadly, and more accurately lay out the customer’s journey to the cloud.
Those conversations can help business leaders talk about the practicalities of risk management and delegation, while also transforming their business and IT for tomorrow’s opportunities. And as we noted last year, the sooner we adopt shared fate as standard practice, the safer we all can become.