Cloudy with a Chance of Chaos: Do you have your own “Shared Responsibility Model” for security “IN” the cloud ready?
2024-06-17 , Breakout 2

Everyone must have heard of the AWS Shared Responsibility Model, usually summarised as security OF the cloud versus security IN the cloud.

Let’s simplify the AWS model with an analogy. Imagine you're building a house. You hire a construction company (AWS) to build the foundation, walls and roof. They make sure the structure is strong and secure, and they also put up basic security measures such as fences and gates around the property (physical data-center security).

Once the house is built, however, it's up to us to keep everything inside safe: we lock the doors and close the windows (preventative controls such as Service Control Policies, SCPs) and install an alarm system (detective and monitoring controls). That is our responsibility as the customer using AWS services.
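To make the "lock the doors" half concrete, here is an added example of a preventative control, not taken from the talk or from Booking.com: an SCP that denies member accounts the API calls that would switch off the detective controls (CloudTrail, GuardDuty, AWS Config) the organisation relies on. The statement ID is an arbitrary name chosen for this illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingDetectiveControls",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "guardduty:DeleteDetector",
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}
```

Two caveats a practitioner should keep in mind: an SCP never grants permissions, it only caps what IAM policies in the attached accounts can allow, and it does not apply to the organisation's management account, so that account still needs its own guardrails.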

That’s a good model, right? Responsibilities are clearly split between the cloud provider and us as the customer. BUT what many organizations miss is that security IN the cloud, the customer's half, also needs a clear division and definition of responsibilities within their own organization.

So in this session we’ll take you through Booking.com’s journey to define our own Shared Responsibility Model, which helped us optimise resource allocation, mitigate risks, ensure compliance, adopt a collaborative approach to safeguarding our AWS resources and set the right expectations for development teams in an ever-changing threat landscape.

Kushagra is a Senior Security Engineer at Booking.com working in cloud security. He previously worked with FinTech scale-ups and in consulting, architecting and building solutions in regulated hybrid-cloud environments with the goal of making security frictionless. He is a strong believer in a Cloud-First strategy with a Cloud-Native approach.