Cloudy Security Responsibilities

6 July 2018 · Cloud & compliance

After a decade of moving to the cloud, a harsh reality is starting to confront companies: outsourcing services doesn't mean outsourcing responsibility.

While it's nice to imagine Uncle Amazon and Aunt Azure taking care of everything you give them, the reality is that Amazon Web Services (AWS), Microsoft Azure, Google, Digital Ocean, and other cloud providers take care of the security *of* the cloud, not the security of what you put *in* it. The provider secures the physical facilities, the hypervisors, and the managed-service platforms; you still own your data, your identities and access policies, your network and firewall configuration, and the security of the workloads you deploy. Some Software as a Service (SaaS) providers take on a bit more than others; however, none of them absolve you of all of your information security and compliance responsibilities.

This chart outlines some of the key divisions of responsibility for your cloud-based systems:

Legend:
     Responsible / shared responsibility
$    Usually costs an additional fee
?    Sometimes available or covered in contracts
N/A  Not applicable or not typically available

Activity for cloud-hosted services          You    Provider
  Physical Security
  Infrastructure Maintenance
  Internet connection(s) at the data centre and physical networking
  Location redundancy $ ?
  Highly available Internet connection at your office(s)
  Backup, version control, and ransomware protection in the cloud
  Failover, backups, version control, and ransomware protection for office computer(s)
  Database security for fully-managed storage solutions
  Security for databases in AWS / Azure / Hosted instances N/A
  Configuration of network segmentation and isolation
  Configuration of virtual firewalls, security groups, and access control
  Policies and procedures for remote storage and access
  Malware protection $
  Vulnerability assessments for hosted services ?
  Operating System configuration
  Removal of default services and accounts
  File integrity monitoring
  Patch management
  Hardware and virtual system encryption
  Database and sensitive information encryption
  Password hashing and secure system design
  Encryption and protection of data in transit ?
  Encryption and protection of data among systems ?
  Multi-factor authentication
  Password configuration and Single-Sign-On (SSO)
  Checking for breached/shared passwords
  Access Control
  Segregation of duties
  Administrator activity monitoring
  Employee training
  Virtual asset management
  Data leakage monitoring and configuration $
  Service-level agreement monitoring and reporting
  Data Classification and restrictions
  Logging and monitoring
  Validation of provider's compliance with your regulatory needs
  Forensic investigations $ $
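Two rows that land squarely in the "You" column are the configuration of security groups and the enforcement of multi-factor authentication. As an added example (not from the original post, and not provider tooling), the script below audits both from the response shapes that boto3 returns for `ec2.describe_security_groups()`, `iam.list_users()` and `iam.list_mfa_devices()`. The sample data embedded here is constructed, the port list is an assumption about what counts as "sensitive", and the account ID in the MFA ARN is a placeholder; in practice you would pass in the live API responses instead.

```python
"""Audit two customer-side responsibilities: security-group ingress rules
open to the whole Internet, and IAM users with no MFA device enrolled.

Added example. The input dicts mirror the shape of boto3's
ec2.describe_security_groups(), iam.list_users() and
iam.list_mfa_devices() responses; all sample data below is constructed.
"""
from __future__ import annotations

# Assumption: admin and database ports that should never be world-reachable.
# 443 on a public web tier is expected, so it is deliberately not listed.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 27017: "MongoDB", 6379: "Redis"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_cidrs(perm: dict) -> list[str]:
    """Collect IPv4 and IPv6 CIDRs from one IpPermissions entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def world_open_ingress(describe_response: dict) -> list[dict]:
    """Return one finding per (group, sensitive port) that is reachable from
    0.0.0.0/0 or ::/0. IpProtocol '-1' means every protocol and port."""
    findings = []
    for sg in describe_response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            open_cidrs = [c for c in _rule_cidrs(perm) if c in ANYWHERE]
            if not open_cidrs:
                continue
            if perm.get("IpProtocol") == "-1":
                hit_ports = sorted(SENSITIVE_PORTS)          # everything is exposed
            else:
                lo = perm.get("FromPort", 0)
                hi = perm.get("ToPort", 65535)
                hit_ports = [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]
            for port in hit_ports:
                findings.append({"group": sg["GroupId"], "port": port,
                                 "service": SENSITIVE_PORTS[port],
                                 "cidrs": open_cidrs})
    return findings


def users_without_mfa(users_response: dict, mfa_by_user: dict[str, dict]) -> list[str]:
    """Return user names with no MFA device. mfa_by_user maps a UserName to
    that user's list_mfa_devices() response."""
    return [u["UserName"] for u in users_response.get("Users", [])
            if not mfa_by_user.get(u["UserName"], {}).get("MFADevices", [])]


# Constructed sample data (not captured from a real account).
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0003", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
SAMPLE_USERS = {"Users": [{"UserName": "alice"}, {"UserName": "bob"}]}
SAMPLE_MFA = {  # placeholder account ID in the ARN
    "alice": {"MFADevices": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}]},
    "bob": {"MFADevices": []},
}

if __name__ == "__main__":
    for f in world_open_ingress(SAMPLE_SGS):
        print(f"{f['group']}: {f['service']}/{f['port']} open to {', '.join(f['cidrs'])}")
    for name in users_without_mfa(SAMPLE_USERS, SAMPLE_MFA):
        print(f"{name}: no MFA device enrolled")
```

The web group's 443/0.0.0.0/0 rule produces no finding, the database group is flagged for MySQL, and the "allow everything" legacy group is flagged once per sensitive port, which is the case worth treating as a hard fail rather than a warning. Neither check touches anything the provider is responsible for; both are gaps only you can close.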