Has the Shared Security Model for SaaS Shifted?

Defense in Depth

Are we all on board with the shared security model in cloud security? We've always said it, but I'm not sure everyone knew which responsibilities belonged to the cloud provider and which to the customer.

Check out this post by Justin Pagano at Klaviyo for the discussion that is the basis of our conversation on this week's episode, co-hosted by David Spark, the producer of CISO Series, and Geoff Belknap. Joining them is Jesse Webb, CISO and SVP, Information Systems, Avalon Healthcare Solutions.

Listen to the full episode here.

Align the incentives

Cloud security often fails not because of flawed models, but because organizations misunderstand their role within them. “The shared responsibility model is a well thought out business model. The issue stems from companies not understanding their own responsibilities when using the cloud,” said Owain Bainbridge-Rees of NCC Group. He argued against shifting that responsibility onto providers, noting that “companies should take responsibility for their deployments on cloud or pay for a fully managed service,” rather than expecting default secure configurations or enforced compliance out of the box. Travis McPeak of Resourcely emphasized that changing behavior comes down to smart incentives. “We need to use nudges to push people towards the outcomes we want,” he said, suggesting models like upcharging for insecure configurations. “The more negative and positive nudges we can use to incentivize the behavior we want, the better.”

The feature and enforcement disconnect

The criticism of the shared responsibility model centers on placing too much burden on customers without sufficient guardrails. “Shared Responsibility = Defer Risk to Customers,” said Patrick Garrity of VulnCheck, capturing a sentiment echoed by others who view the model as a convenient offload rather than a true partnership. Jason Allen of Traceable by Harness pointed to the disconnect between available features and actual enforcement, arguing, “If they built the functionality, made it available, and you chose not to enforce it, that doesn’t seem like a shared responsibility. That seems like negligence.” Jaroslaw Postawa of Dorvin.Net highlighted the operational complexity that makes securing cloud environments even harder than traditional infrastructure. “People not only have to manage the abstraction layer of the cloud provider but also the infrastructure behind it, managed in a very restrained way,” he said, adding that some outdated computing models may need to be revisited for modern cloud security to keep pace.

Putting the right people in the right place

Even when cloud and SaaS providers draw clear lines in the shared responsibility model, most organizations still struggle to operationalize their side of the equation. “The real challenge is that most companies do not have a scalable way to ensure the qualified employees are in the right place to take responsibility for their side,” said Russell Spitler of Nudge Security. Even default security features like MFA won’t close the gaps without the right internal ownership. Adi Chemoul of Token Security pointed to recent breaches as evidence of these lapses, noting that “things like not using MFA, failing to rotate keys, and weak network restrictions” continue to cause damage, despite being fundamental controls. Providers should do more to minimize these gaps or warn customers about the consequences of neglecting them.

A need for transparency

Shared responsibility may define the surface of cloud security, but much of what matters remains buried and opaque. “Shared controls are just the tip of the iceberg; only what you can see and control above the surface. What's beneath is hidden and largely beyond scrutiny or control,” said Justin Francesconi of Bowtie. He called for a reimagined model that prioritizes transparency, enforces security defaults, and doesn't sacrifice usability.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, ThreatLocker

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Join us Friday, 06-20-25 for "Hacking What It Takes to Become a CISO"

Join us on Friday, June 20, 2025, for Super Cyber Friday: “Hacking What It Takes to Become a CISO.”

It all kicks off at 1 PM ET / 10 AM PT, when Rich Stroffolino will be joined by Montez Fitzpatrick, CISO, NavVis, and David B. Cross, CISO, Atlassian for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup. This time, it will be hosted right inside the event platform.

We’re trying something new this week: We’re hosting the show on Airmeet! The experience will feel familiar, but you’ll register through a new link.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Christina Shannon, CIO, KIK Consumer Products.

Thanks to our Cyber Security Headlines sponsor, Vanta

Cyber chatter from around the web...
Jump in on these conversations

“cyberattacks nightmare” (More here)

“What do you think is the biggest flaw in modern cybersecurity?” (More here)

“Thoughts on OSWE? Any appsec people here?” (More here)

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.