Jakub Jirsák - stock.adobe.com

Sharing responsibility: Why we need to work together to keep the cloud secure

The education sector has been fundamentally altered by months of lockdown, with cloud services topping must-have lists for academic staff, but now it’s time to consider security

Andy Powell
  • Andy Powell, JISC

In recent months, especially following the forced online shift through lockdown, there has been a rush across industries to adopt more cloud technology. Education is no exception, and tools such as Microsoft 365 have shot to the top of must-have lists for educators.

Even for institutions that have already started a digital transformation journey, there will likely be conversations happening around how systems can be streamlined and security measures regulated, as more work is being completed remotely.

recent ransomware attack on US-based software-as-a-service (SaaS) provider Blackbaud shows how student and staff data within universities can fall prey to cyber criminals.

True cyber security relies on a secure digital infrastructure, and as some of the biggest cyber security suppliers on the planet, cloud providers are aware of the implications. Security has always been a top priority for cloud providers, and they are continually investing in making sure their infrastructure is highly secure. The use of public cloud by high-profile clients such as the military and government organisations also means the level of security across the board is of the highest standard.

Most of the major cloud providers, such as Amazon Web Services (AWS), Microsoft and Google, use a “shared responsibility” model, which means there are various steps a user needs to take to ensure that they are using cloud services in a secure way – it doesn’t all fall on the provider.

What is a shared security model?

A shared responsibility model means that all players assume some level of security responsibility. For example, this is often a two-way split between cloud provider and customer, or a three-way split between cloud provider, customer and managed service provider. However, many players are involved in the process, and each will have a role to play in ensuring the security of data.

A good example is the evolution of AWS’s digital storage facility, S3. It used to be very easy for a user to create an S3 storage location, called a “bucket”, which is automatically open to the public, and viewable by anyone with access to the URL. If a bucket was compromised, the blame would have been directed at the user for not switching the settings to private.

For this reason, AWS has updated the service so the standard configuration is private, and the user has to manually make the bucket publicly viewable, should they choose to. AWS is, technically, not responsible for how a user configures a bucket, but has altered the infrastructure to make it easier for the user to select the most secure options.

How does a shared security model work?

There are various levels of security that come into play with a shared responsibility model. The physical security of a datacentre is the responsibility of the cloud provider, as they own the physical estate.

This means the cloud provider is responsible for regulating who is allowed to enter the centre and so on. The provider also carries responsibility for the security of the underlying infrastructure. This includes ensuring that security features are built into the cloud platform but does not stretch to elements such as password strength or enabling multifactor authentication (MFA), which are the responsibility of the user.

Users are also responsible for how they deploy cloud applications, and whether they encrypt any data stored on them. These elements use the security tools built by the cloud provider, but the configuration and use of these tools is the responsibility of the user.

For example, if a lecturer uses Microsoft Teams to gather and store coursework from students, there is an implicit trust between the student and lecturer that the lecturer will store the work in a secure way. But there is also onus on the student to upload it safely – for example, not making the document public or sending it over an insecure connection. The responsibility of Microsoft, the cloud provider of Teams, is to make sure that, in building and hosting the application, these security measures are possible and easy to implement.

With an increased move to cloud in the education sector, understanding the dividing lines within this model is essential. Moving services to the cloud doesn’t mean abdicating all responsibility – the security of cloud platforms and the data within is a collaborative effort.

To hear more about cyber security and get involved in the discussion, sign up for JISC’s security conference, running online from 3-5 November 2020. Entry is free, book your place here.

Content Continues Below

Read more on Cloud security

Start the conversation

Send me notifications when other members comment.


  • 5 ways to keep developers happy so they deliver great CX

    Companies need to work on ensuring their developers are satisfied with their jobs and how they're treated, otherwise it'll be ...

  • Link software development to measured business value creation

    Companies must balance customer needs against potential risks during software development to ensure they aren't ignoring security...

  • 5 digital transformation success factors for 2021

    With the right planning, leadership and skills, companies can use digital transformation to drive improved revenues and customer ...


  • 8 benefits of a security operations center

    A security operations center can help lessen the fallout of a data breach, but its business benefits go much further than that. ...

  • Weighing remote browser isolation benefits and drawbacks

    Remote browser isolation benefits end-user experience and an organization's network security. Compare the pros, cons and cost ...

  • Compare 5 SecOps certifications and training courses

    Explore five SecOps certifications available to IT professionals looking to demonstrate and enhance their knowledge of threat ...


  • Network pros share Cisco DevNet certification advice

    Cisco DevNet certifications require a lot of time investment, but network pros who pursue the certifications say the gained ...

  • Cloud automation use cases for managing and troubleshooting

    Cloud automation use cases highlight the benefits these tools can provide to companies evaluating how best to manage and ...

  • A look inside the official Cisco DEVASC 200-901 guidebook

    In this book excerpt, readers can explore the Cisco DEVASC 200-901 official guide and get a flavor of one of Cisco's newest exams...


  • Avoid server overheating with ASHRAE data center guidelines

    Finding the right server operating temperature can be tricky. ASHRAE standards provide guidance for all server classes and what ...

  • Hidden colocation cost drivers to look out for in 2021

    These unexpected charges and fees can balloon colocation costs for enterprise IT organizations.

  • 5 ways a remote hands data center ensures colocation success

    Off-site hardware upkeep can be tricky and time-consuming. With remote hands options, your admins can delegate routine ...


  • Ataccama automates data governance with Gen2 platform update

    Data management vendor Ataccama adds new automation features to its Gen2 platform to help organizations automatically discover ...

  • IBM to deliver refurbished Db2 for the AI and cloud era

    IBM has a tuned-up version of Db2 planned, featuring a handful of AI and machine learning capabilities to make it easier for ...

  • Fauna improves data API collaboration and security

    A database company founded by former Twitter engineers is pushing forward its vision of a way to consume database as a service ...