Question: What is the shared fate model, and how does it differ from the shared responsibility model?
Nick Godfrey, Director of Office of the CISO, Google Cloud: Shared responsibility is a framework as old as cloud technology, designed to delineate security and privacy responsibilities between cloud service providers (CSPs) and their customers. For example, the CSP would be responsible for the physical environments that underpin the cloud, while the customer would be responsible for identity and access management. The problem with this model is that these rigid boundaries lead to gaps in security if either party fails to fulfill their role effectively.
At the end of the day, if an organization has a security issue related to their operational responsibilities as part of the shared responsibility model, it’s also a problem for cloud providers. Today’s security landscape is more complex than ever before; new AI-powered threats, a growing talent shortage, and increasing regulatory pressures call for CSPs to go beyond the restricted shared responsibility framework and support a more resilient model — we call it “shared fate.”
The shared fate model is centered on the customer’s needs, where the CSP leverages its expertise to play an active role in the customer’s security. This model provides enhanced support for organizations in three key ways:
- Enhanced collaboration: This model fosters a partnership where both cloud provider and customer work collaboratively to ensure a secure environment. Providers are not just delineating responsibilities but actively supporting the customer’s security posture. This results in a more integrated and supportive approach to managing risks.
- Actionable steps and guidance: Through frameworks and best practices, providers can establish actionable steps and guidance to help customers meet policy, regulatory, and business objectives. This includes resources for securing data, access control, and threat protection. Offering customers tailored resources, advice, and support can significantly reduce the burden of implementing and managing complex security measures independently.
- Robust defaults for cloud services: The shared fate model suggests a CSP focus on delivering robust defaults for cloud services. This requires cloud providers to build products that are secure by design and secure by default, helping customers with the toil of securing their environment, not adding to it.
The shift from a shared responsibility model to a shared fate model creates a more collaborative approach to security. Of course, there will always be some responsibility on the customer for their security, as no cloud provider can claim accountability for 100% of an organization’s security or activity in the cloud. The difference with shared fate is that, under this approach, the cloud provider plays a significantly more active role in the customer’s security — to the point where, if something were to go wrong, the cloud provider would be heavily invested and can better support the customer through that journey. By having cloud providers and customers work closely together, we’re creating an environment that fosters a more integrated and overwhelmingly more secure landscape and stronger cyber strategy.