Cloudy Security Responsibilities
6 July 2018 · Cloud & compliance
After a decade of moving to the cloud, a harsh reality is starting to confront companies: outsourcing services doesn't mean outsourcing responsibility.
While it's nice to imagine Uncle Amazon and Aunt Azure taking care of everything you give them, the reality is that Amazon AWS, Microsoft Azure, Google, Digital Ocean, and other cloud providers only take care of the security of the cloud as opposed to the security of data in the cloud. Some Software As A Service (SAAS) providers take care of a bit more than others; however, they still don't absolve you of all of your information security and compliance responsibilities.
This chart outlines some of the key divisions of responsibility for your cloud-based systems:
| Responsible/Shared Responsibility | |
| $ | Usually Costs an additional fee |
| ? | Sometimes available or covered in contracts |
| N/A | Not applicable or not typically available |
| Activity for cloud-hosted services | You and/or ThreeShield |
AWS Azure |
Typical SASS |
|
| Physical Security | ||||
| Infrastructure Maintenance | ||||
| Internet connection(s) at the data centre and physical networking | ||||
| Location redundancy | $ | ? | ||
| Highly available Internet connection at your office(s) | ||||
| Backup, version control, and ransomware protection in the cloud | ||||
| Failover, backups, version control, and ransomware protection for office computer(s) | ||||
| Database security for fully-managed storage solutions | ||||
| Security for databases in AWS / Azure / Hosted instances | N/A | |||
| Configuration of network segmentation and isolation | ||||
| Configuration of virtual firewalls, security groups, and access control | ||||
| Policies and procedures for remote storage and access | ||||
| Malware protection | $ | |||
| Vulnerability assessments for hosted services | ? | |||
| Operating System configuration | ||||
| Removal of default services and accounts | ||||
| File integrity monitoring | ||||
| Patch management | ||||
| Hardware and virtual system encryption | ||||
| Database and sensitive information encryption | ||||
| Password hashing and secure system design | ||||
| Encryption and protection of data in transit | ? | |||
| Encryption and protection of data among systems | ? | |||
| Multi-factor authentication | ||||
| Password configuration and Single-Sign-On (SSO) | ||||
| Checking for breached/shared passwords | ||||
| Access Control | ||||
| Segregation of duties | ||||
| Administrator activity monitoring | ||||
| Employee training | ||||
| Virtual asset management | ||||
| Data leakage monitoring and configuration | $ | |||
| Service-level agreement monitoring and reporting | ||||
| Data Classification and restrictions | ||||
| Logging and monitoring | ||||
| Validation of provider's compliance with your regulatory needs | ||||
| Forensic investigations | $ | $ |
Ready to get protected?