Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more
Blog Cloud Security

Understanding and Applying the Shared Responsibility Model at Your Organization

To avoid significant security gaps and risks to sensitive data, organizations need to understand the shared responsibility model used by many SaaS providers.
Tristan Grush
2 min read
Last updated March 7, 2024

Contents

    As companies increasingly incorporate SaaS, IaaS, and other applications into their environments and processes, some orgs are unaware of their role in securing sensitive data. 

    This can leave a significant gap in an organization’s security stack when they rely solely on SaaS providers to protect their information. 

    Understanding which security aspects an organization is responsible for versus which fall under the SaaS application’s domain is known as the shared responsibility model.

    Security teams must understand this model to mitigate risks from today’s top cyber threats and protect their sensitive information.  

    What is a shared responsibility model? 

    The shared responsibility model holds SaaS providers accountable for securing the infrastructure and providing a highly available solution. The consumer is responsible for protecting and securing their data within the platform, which many orgs are unaware of.  

    The misunderstanding of who is responsible for data security usually stems from internal teams purchasing SaaS products without involving their IT department or security teams. 

    You can see a traditional breakdown of the shared responsibility outlined below, which several cloud providers such as Salesforce, AWS, and Microsoft adhere to at their organizations.  

    Blog_SharedResponsibilityModel_Diagram_202402_V1

    A traditional shared responsibility model.

    Shared responsibility in action 

    Salesforce is a notable example of the shared responsibility model in action.  

    Salesforce employs security-by-design for its infrastructure, but it’s up to the end user to implement the correct security controls and best practices to keep their critical data safe from threats and breaches. 

    Varonis helps organizations uphold their end of the shared responsibility model by providing real-time visibility into their Salesforce data security posture, ensuring only the right people have access to crown-jewel data, automatically remediating misconfigurations, and detecting suspicious activity.  

    When organizations purchase Salesforce, sales teams tend to manage the CRM tool and are focused on ensuring information is easily accessible to users.

    However, it’s quite common for security teams to have limited visibility or awareness of the risks associated with a SaaS platform like Salesforce, despite the sensitive nature of the data it contains.  

    The need for quick access combined with zero security oversight often leads to data security and data governance falling by the wayside. This is especially true when SaaS applications are purchased and rolled out with little to no IT oversight, significantly increasing the probability of a data breach. 

    That’s why implementing a shared responsibility model is paramount to data protection.  

    How to implement the shared responsibility model at your org 

    To keep sensitive data out of the wrong hands, the components of a shared responsibility model must be acknowledged and understood by your security team and the application owners.  

    A collaborative relationship between your internal teams and application owners helps ensure your cloud data is properly protected and treated with as much care as data that sits on a file server. 

    Give your security team and application owners access and proper controls to ensure both groups can answer these three questions: 

    1. Where is my sensitive data being stored in this application? 
    2. Who can access this data?
    3. Who is accessing my data?

    Team members must understand which security components your company is responsible for protecting versus the aspects the SaaS provider owns and what security aspects need to be addressed by them specifically. All SaaS platforms your org uses should be evaluated with the shared responsibility model in mind. 

    Varonis helps organizations understand where their sensitive data lives, maps access to your data, and delivers auditing and threat detection capabilities.  

    We provide a clear, contextual understanding of SaaS data, protecting your org with automated outcomes without impacting business continuity. Our coverage includes a variety of SaaS, IaaS, on-premises data, and more.  

    Don’t wait for a breach to occur.  

    If organizations do not adequately define their shared responsibility with SaaS apps, the lack of ownership and preparedness could lead to an inability to appropriately respond to a data breach or insider threat. 

    Curious to know if your sensitive data is protected?  

    Get started with our free Data Risk Assessment. In less than 24 hours, you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. 

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
    Tristan Grush
    Tristan Grush Tristan Grush is a Senior Sales Engineer covering the New York Metro and Western New York territories at Varonis. He joined Varonis in 2020 and helps organizations protect data across all data domains.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    rewards-and-risks:-what-generative-ai-means-for-security
    Rewards and Risks: What Generative AI Means for Security
    rewards-and-risks:-what-generative-ai-means-for-security
    Lexi Croisdale
    August 28, 2023
    As AI has grown in popularity, concerns are being raised about the risks involved with using the technology. Learn the rewards and risks of using generative AI.
    varonis-adds-data-classification-support-for-amazon-s3
    Varonis Adds Data Classification Support for Amazon S3
    varonis-adds-data-classification-support-for-amazon-s3
    Nathan Coppinger
    June 15, 2022
    Varonis bolsters cloud security offering with data classification for Amazon S3.
    threat-update-30-–-no-trust?-no-problem!-an-overview-of-zero-trust
    Threat Update 30 – No trust? No problem! An Overview of Zero Trust
    threat-update-30-–-no-trust?-no-problem!-an-overview-of-zero-trust
    Kilian Englert
    March 18, 2021
    With the constant barrage of cyberattacks in the news, it would be natural to wonder if there’s a security model to help. Enter Zero Trust! This popular security model has...
    generative-ai-security:-preparing-for-salesforce-einstein-copilot
    Generative AI Security: Preparing for Salesforce Einstein Copilot
    generative-ai-security:-preparing-for-salesforce-einstein-copilot
    Collaborative Article - Mike Smith, Salesforce
    March 12, 2024
    See how Salesforce Einstein Copilot’s security model works and the risks you must mitigate to ensure a safe and secure rollout.