How to manage cloud security when providers and customers share responsibility

When it comes to securing data in the cloud, the importance of deciding who's responsible for what cannot be overstated. Currently, there are three choices: Cloud-service customers, cloud-service providers, or customers and providers sharing the responsibility.

A 2018 Global Cloud Data Security Study (Figure A) conducted by the Ponemon Institute for Gemalto found that:

"[In 2017] Fewer respondents (32 percent of respondents) say it is a shared responsibility [between the cloud provider and the cloud user]. Respondents are evenly divided between responsibility resting with the cloud provider or cloud user (both 34 percent)."

Figure A

The shared-responsibility model

Jenna Kersten, content marketing specialist at KirkpatrickPrice, in her blog post Who's Responsible for Cloud Security? sides with the survey respondents opting for shared responsibility. In her post, Kersten takes it a step further and discusses one way to divvy up responsibility between cloud-service customers and cloud-service providers in the following cloud-service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

* IaaS solutions: In IaaS, the cloud-service provider manages facilities, data centers, network interfaces, processing, and hypervisors. The cloud-service customer is responsible for the virtual network, virtual machines, operating systems, middleware, applications, interfaces, and data.
* PaaS solutions: With the PaaS model, Kersten adds the virtual network, virtual machines, operating systems, and middleware to the cloud-service provider's responsibilities. The customer is still responsible for securing and managing applications, interfaces, and data.
* SaaS solutions: The SaaS model, according to Kersten, moves responsibility for everything except interfaces and data to the cloud-service provider.

"Cloud-service providers and cloud-service customers both have a responsibility to protect data," continues Kersten. "It's also important to note that execution of individual security-management tasks can be outsourced, but accountability cannot. The responsibility to verify that security requirements are being met always lies with the customer."

Next, Kersten focuses on the cloud-service customer:

* Define cloud-security requirements before selecting a cloud-service provider. "If you know what you're looking for in a cloud service provider, you can better prioritize your needs," adds Kersten.
* Harmonize the corporate governance program between traditional and cloud-based IT delivery. Migrating systems and applications into the cloud is going to require policy changes.
* Establish contractual clarity on the roles and responsibilities of each party, especially with regard to the public cloud, including:
  * Who's responsible for cloud security?
  * How far does the cloud-service provider go?
* Develop a responsibility matrix that defines the security roles and responsibilities for you and for each vendor, including cloud-service providers.
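One way to make the responsibility matrix Kersten calls for machine-checkable, as an added example that is not from the article or from KirkpatrickPrice: the Python below encodes the IaaS/PaaS/SaaS layer split described above, keeps accountability with the customer no matter which tasks are outsourced, and compares the provider's expected scope with what a contract annex actually commits to, which is the "how far does the provider go?" question in checkable form. The layer names and the per-model split come from the article; the vendor name, the contract annex, and all function names are constructed for this example.

```python
"""Responsibility matrix builder and contract-gap check for the IaaS/PaaS/SaaS split."""
from __future__ import annotations

from typing import Iterable

# Stack layers from bottom to top, exactly as the article lists them.
LAYERS = (
    "facilities", "data centers", "network interfaces", "processing", "hypervisors",
    "virtual network", "virtual machines", "operating systems", "middleware",
    "applications", "interfaces", "data",
)

# First layer the customer owns under each service model (Kersten's split).
_FIRST_CUSTOMER_LAYER = {
    "IaaS": "virtual network",
    "PaaS": "applications",
    "SaaS": "interfaces",
}

PROVIDER = "cloud-service provider"
CUSTOMER = "customer"


def default_matrix(model: str) -> dict[str, str]:
    """Map every layer to the party that executes its security tasks under `model`."""
    if model not in _FIRST_CUSTOMER_LAYER:
        raise ValueError(
            f"unknown service model {model!r}; expected one of {sorted(_FIRST_CUSTOMER_LAYER)}"
        )
    split = LAYERS.index(_FIRST_CUSTOMER_LAYER[model])
    return {layer: (PROVIDER if i < split else CUSTOMER) for i, layer in enumerate(LAYERS)}


def responsibility_matrix(
    model: str, outsourced: dict[str, str] | None = None
) -> list[dict[str, str]]:
    """Rows of {layer, executes, accountable}.

    `outsourced` reassigns *execution* of customer-owned layers to a named third-party
    vendor (vendor names are whatever the caller supplies; none are real here).
    Accountability for verifying that the requirement is met never leaves the customer,
    and a layer the provider owns under `model` cannot be outsourced by the customer.
    """
    rows = []
    for layer, executor in default_matrix(model).items():
        if outsourced and layer in outsourced:
            if executor != CUSTOMER:
                raise ValueError(
                    f"{layer!r} is provider-owned under {model}; the customer cannot outsource it"
                )
            executor = outsourced[layer]
        rows.append({"layer": layer, "executes": executor, "accountable": CUSTOMER})
    return rows


def contract_gaps(model: str, provider_commitments: Iterable[str]) -> tuple[list[str], list[str]]:
    """Compare the provider scope the model implies with what the contract commits to.

    Returns (uncovered, overreach): layers the model expects the provider to secure
    that the contract does not commit to (the customer must cover or renegotiate them),
    and layers the contract claims that the model leaves with the customer.
    """
    committed = set(provider_commitments)
    unknown = committed - set(LAYERS)
    if unknown:
        raise ValueError(f"contract names layers not in the matrix: {sorted(unknown)}")
    expected = {layer for layer, owner in default_matrix(model).items() if owner == PROVIDER}
    by_stack = LAYERS.index  # keep output in stack order, not alphabetical
    return sorted(expected - committed, key=by_stack), sorted(committed - expected, key=by_stack)


def render(rows: list[dict[str, str]]) -> str:
    """Plain-text table suitable for pasting into a contract annex."""
    width = max(len(r["layer"]) for r in rows)
    lines = [f"{'layer':<{width}}  {'executes':<24}  accountable"]
    for r in rows:
        lines.append(f"{r['layer']:<{width}}  {r['executes']:<24}  {r['accountable']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: a PaaS contract annex that omits middleware but claims data.
    annex = ["facilities", "data centers", "network interfaces", "processing",
             "hypervisors", "virtual network", "virtual machines", "operating systems", "data"]
    uncovered, overreach = contract_gaps("PaaS", annex)
    print("provider scope the contract omits:", uncovered)   # ['middleware']
    print("contract claims beyond the model:", overreach)     # ['data']
    # Constructed scenario: an IaaS customer outsourcing OS hardening to a managed-services vendor.
    print(render(responsibility_matrix("IaaS", {"operating systems": "managed-services vendor"})))
```

The `accountable` column is deliberately not configurable: it mirrors Kersten's point that execution can be outsourced but accountability cannot, so any matrix the script produces always leaves verification with the customer. Running `contract_gaps` against each vendor's signed scope turns the "how far does the provider go?" question into a list of layers nobody has committed to, which is where a control gap will actually sit.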

Do not forget about compliance

Compliance and cloud security are, in practice, symbiotic: given the way regulations are structured, one cannot exist without the other. Duane Tharp pulls no punches when talking about compliance and security:

"The first reason is regulatory. Businesses have to be compliant to a regulatory regime, whether state, federal, or internal. The other reason is fear. The nominal additional investment in security potentially can prevent a bad situation from arising in the future. There is a positive net return."


This article is republished from under a Creative Commons license.