Menu

Security: Building a foundation of trust through robust security

orange cubes on top of orange background with on blue cube

Sharing responsibility in a data-driven world

Digital transformation requires a fundamental shift in how we think about and treat data, particularly as information technology transforms from on-premises infrastructure to hybrid, private cloud, and public cloud infrastructure and services. Sharing responsibility with service providers for the security of data is key to this fundamental shift.

What is shared responsibility?

Shared responsibility is a model describing how the confidentiality, integrity, and availability of data are managed in a cloud computing environment. The shared responsibility model addresses which parties in a shared service environment are responsible for different areas of data management, information systems security, data security, compliance programs, and governance programs. Responsibilities are typically assigned based on which party in a transaction has both the ability and an individualized need to control the data at the applicable cloud layer.

At a high level, the layers of a cloud computing service can be separated into the data layer, the cloud application layer, the operating system layer, and the physical layer, which are explained in the next section. These layers are most easily understood in the context of software as a service (SaaS), where users’ experience of the software is disassociated from all but the data layer. One or more cloud service providers manage the underlying hardware and software that provides the computational resources and data storage that historically were managed by the user on his or her personal computer. A SaaS customer trusts the cloud service provider or providers to manage the privacy, security, and compliance controls related to the layers of technology supporting the web browser, which the customer then inherits in their own operations. However, the inheritance may not be complete. The customer may still be responsible for secure operations in the cloud, while the cloud service provider is responsible for the secure operations of the cloud.


Responsibilities in the cloud

Responsibility for security, privacy, and compliance while operating in the cloud remains with the customer of the cloud services. For example, your company may have corporate policies on password complexity, personal data anonymization, or even what data types are authorized to be used in specific cloud computing services. These policies would need to be followed in a cloud environment just as they would be in an on-premises environment. Cloud administrators need to be familiar with the underlying operations, features, and functionality of the cloud service to ensure that corporate policies are enabled in the cloud resources.


Responsibilities of the cloud

Responsibility for security, privacy, and compliance of the underlying cloud layers are the responsibility of the cloud service provider. These responsibilities include ensuring the physical security of data centers; scanning for and patching vulnerabilities at the cloud application layer, operating system layer, or physical layer; and managing underlying network access. Because cloud services are, by definition, pooled resources operated for the benefit of multiple tenants, the applicable policies on privacy and data security will be the policies of the cloud service provider. Enterprises with privacy or security policy needs that are not or cannot be implemented by a public cloud service provider may find that a community cloud, a private cloud, or a hybrid cloud environment is needed to meet specific policy requirements.

What are the cloud layers?

Data layer

The data layer (or service application layer) refers to the layer in a computing infrastructure in which data is input or managed before the application processes the data. For example, the data layer could be data that a user manually entered into an application, or it could be data in a database that an analytics application calls when processing a request for information.


Cloud application layer

The cloud application layer refers to the layer that provides services to a software application or application program to ensure that data in the application program can communicate with other aspects of the network so data can be stored, processed, or further transmitted. Application layers can be deployed as part of a public, private, or community cloud model, or in a hybrid cloud model that combines more than one of the other deployment models.

In the framework of shared responsibility, the cloud application layer is the layer with the highest level of customer responsibility and control. For example, an application program that provides SaaS could have runtime software deployed on a local machine. The local runtime software communicates with software that processes the data using virtual machines in a public cloud, and the resulting analytics are then delivered to and stored in a private cloud storage server.


Operating software layer

The operating software layer refers to the first level of software applications that virtualizes and hosts the cloud application layer. It includes the cloud hosts and operating systems, as well as hosted hypervisors used to segregate virtualized workloads. In the shared responsibility model, the operating software layer may be under the control and responsibility of either the customer or the cloud service provider, based on whether the customer is using an infrastructure as a service (IaaS) or a platform as a service (PaaS) deployment model. 


Physical layer

The physical layer refers to the physical products, such as servers, wires, switches, routers, buildings and real estate that make all of the software operations possible. It also includes the “bare-metal” components such as firmware, BIOS, embedded software, and bare-metal hypervisors. In the shared responsibility model, the physical layer is under the control of the cloud service provider.

Digital transformation and cloud computing

True digital transformation includes scalable systems for bringing innovations to market as quickly and efficiently as possible. Cloud computing is the leading way that the enterprise can convert data to dollars—it outsources varying levels of infrastructure to pooled resources that are scalable on demand based on point in time needs. Doing so in a responsible manner requires a knowledge of the shared responsibilities required to secure data and protect personal information.

 

transluscent gray cube frame with blue corners