Sharing responsibility in a data-driven world

Purple multidimensional discs stacked on blue backdrop

February 2021

Digital transformation, a strategy of leveraging the opportunities of new technologies to improve operational processes and products, requires a fundamental shift in how we think about and treat data. This is especially true as information technology transforms from an on-premises infrastructure to hybrid cloud, private cloud, and public cloud infrastructure and services. Sharing responsibility with service providers for the security of data is key to this fundamental shift.

What is shared responsibility?

Shared responsibility is a model that describes how the confidentiality, integrity, and availability of data are managed in a cloud computing environment. The shared responsibility model addresses which parties in a shared service environment are responsible for different areas of data management, information systems security, data security, compliance programs, and governance programs. Responsibilities are typically assigned based on which party in a transaction has both the ability and an individualized need to control the data at the applicable cloud layer.

At a high level, the layers of a cloud computing service can be separated into the data layer, the cloud application layer, the operating system layer, and the physical layer, which are explained in the next section. These layers are most easily understood in the context of software as a service (SaaS), where the user’s experience of the software is disassociated from all but the data layer. One or more cloud service providers manage the underlying hardware and software that provides the computational resources and data storage that were historically managed by the user on his or her personal computer. A SaaS customer trusts the cloud service provider or providers to manage the privacy, security, and compliance controls related to the layers of technology supporting the web browser, which the customer inherits in their own operations. However, the inheritance may not be complete. The customer may still be responsible for secure operations in the cloud, while the cloud service provider is responsible for the secure operations of the cloud.

Responsibilities in the cloud

Responsibility for security, privacy, and compliance while operating in the cloud remains with the cloud services customer. For example, your company may have corporate policies on password complexity, personal data anonymization, or even what data types are authorized to be used in specific cloud computing services. These policies must be followed in a cloud environment just as they would be in an on-premises environment. Your cloud administrators need to be familiar with the underlying operations, features, and functionality of the cloud service to ensure that corporate policies are enabled in the cloud resources.

Responsibilities of the cloud

Responsibility for security, privacy, and compliance of the underlying cloud layers are the responsibility of the cloud service provider. These include ensuring the physical security of data centers; scanning for and patching vulnerabilities at the cloud application layer, operating system layer, or physical layer; and managing underlying network access. Because cloud services are, by definition, pooled resources operated for the benefit of multiple tenants, the applicable policies on privacy and data security are the policies of the cloud service provider. Enterprises with privacy or security policy needs that are not or cannot be implemented by a public cloud service provider may find that they need a community cloud, a private cloud, or a hybrid cloud environment to meet specific policy requirements.

What are the cloud layers?

Data layer

The data layer (or service application layer) is the layer in a computing infrastructure in which data is input or managed before the application processes the data. For example, the data layer could be data that a user manually entered into an application, or it could be data in a database that an analytics application calls when processing a request for information.

Cloud application layer

The cloud application layer is the layer that provides services to a software application program to ensure that data residing there can communicate with other aspects of the network so that data can be stored, processed, or further transmitted. Application layers can be deployed as part of a public, private, or community cloud model, or in a hybrid cloud model that combines more than one of the other deployment models. 

In the framework of shared responsibility, the cloud application layer is the layer with the highest level of customer responsibility and control. For example, an application program that provides software as a service (SaaS) could have runtime software deployed on a local machine. The local runtime software communicates with software that processes the data using virtual machines in a public cloud, and the resulting analytics are then delivered to and stored in a private cloud storage server.

Operating software layer

The operating software layer is the first level of software applications that virtualizes and hosts the cloud application layer. It includes the cloud hosts and operating systems, as well as hosted hypervisors used to segregate virtualized workloads. In the shared responsibility model, the operating software layer may be under the control and responsibility of either the customer or the cloud service provider, based on whether the customer is using an infrastructure as a service (IaaS) or a platform as a service (PaaS) deployment model.

Physical layer

The physical layer refers to the physical products, such as servers, wires, switches, routers, buildings and real estate, that make all of the software operations possible. It also includes the “bare-metal” components such as firmware, BIOS, embedded software, and bare-metal hypervisors. In the shared responsibility model, the physical layer is under the control of the cloud service provider.

Digital transformation and cloud computing

True digital transformation includes scalable systems for bringing innovations to market as quickly and efficiently as possible. Cloud computing is the leading way in which the enterprise can convert data to dollars—it outsources varying levels of infrastructure to pooled resources that are scalable on demand based on point in time needs. Outsourcing responsibly in this way requires a deep understanding of the shared responsibilities needed to secure data and protect personal information.

Back To Top

More information