The purpose of this blog entry is to help define what the shared responsibility model means for organisations considering a move from on-premise to cloud-hosted data centres.
The shared responsibility model is included in the service documentation from all major cloud service providers.
It refers to the security and privacy obligations of both the cloud-computing provider and the users of those cloud services to ensure appropriate accountability for protecting the cloud service(s) utilised.
The nature of these obligations varies with the cloud service model in use.
On-Premise to IaaS, PaaS, and SaaS
When an organisation hosts and runs all applications on-premise, the organisation takes responsibility for all aspects, from the security of the infrastructure to the applications that run on it.
As an organisation moves from on-premise hosting to Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) models, more responsibility shifts from the organisation to the cloud service provider.
For example, at the IaaS level, the cloud provider normally assumes responsibility for the physical security of the data centre together with basic infrastructure components such as virtual machines, networks, etc., but the organisation still retains responsibility for everything from the operating system to the application and the data being processed.
At the SaaS level, the cloud provider typically assumes responsibility for everything up to and including the application, as well as functionality to enable identity and access management, end-point protection and integration. However, the user organisation is still responsible for configuring the application and the security frameworks delivered by the cloud provider, any integration options, as well as ensuring appropriate data classification and processing.
For a graphic representation of this model, see pages 28 and 29 of the Alliance 2018 “Hands on with PeopleSoft. Develop Practices to Harden and Protect PeopleSoft” slide deck.
The motivations for organisations migrating to the cloud will vary but often include a combination of:
- Reducing cost, testing effort, and administrative complexity
- Improving performance, security, and user interface/experience
- Quicker maintenance deployment
- Greater scalability and flexibility
Organisations seeking to realise these benefits need to consider that cloud security is not set-and-forget, but instead requires the same level of monitoring and maintenance as on-premise hosted applications.
For example, a SaaS application will often be subject to continual development by the vendor, resulting in frequent updates to the system that may require configuration and user permission changes to ensure appropriate access to newly released functionality.
The same issue applies to other aspects of the infrastructure and security frameworks, which also change and evolve over time and need constant review to ensure the system(s) remain suitably protected.