February 2021
Digital transformation, a strategy of leveraging the opportunities of new technologies to improve operational processes and products, requires a fundamental shift in how we think about and treat data. This is especially true as information technology transforms from an on-premises infrastructure to hybrid cloud, private cloud, and public cloud infrastructure and services. Sharing responsibility with service providers for the security of data is key to this fundamental shift.
Shared responsibility is a model that describes how the confidentiality, integrity, and availability of data are managed in a cloud computing environment. The shared responsibility model addresses which parties in a shared service environment are responsible for different areas of data management, information systems security, data security, compliance programs, and governance programs. Responsibilities are typically assigned based on which party in a transaction has both the ability and an individualized need to control the data at the applicable cloud layer.
At a high level, the layers of a cloud computing service can be separated into the data layer, the cloud application layer, the operating system layer, and the physical layer, which are explained in the next section. These layers are most easily understood in the context of software as a service (SaaS), where the user’s experience of the software is disassociated from all but the data layer. One or more cloud service providers manage the underlying hardware and software that provides the computational resources and data storage that were historically managed by the user on his or her personal computer. A SaaS customer trusts the cloud service provider or providers to manage the privacy, security, and compliance controls related to the layers of technology supporting the web browser, which the customer inherits in their own operations. However, the inheritance may not be complete. The customer may still be responsible for secure operations in the cloud, while the cloud service provider is responsible for the secure operations of the cloud.
The data layer (or service application layer) is the layer in a computing infrastructure in which data is input or managed before the application processes the data. For example, the data layer could be data that a user manually entered into an application, or it could be data in a database that an analytics application calls when processing a request for information.
The cloud application layer is the layer that provides services to a software application program to ensure that data residing there can communicate with other aspects of the network so that data can be stored, processed, or further transmitted. Application layers can be deployed as part of a public, private, or community cloud model, or in a hybrid cloud model that combines more than one of the other deployment models.
In the framework of shared responsibility, the cloud application layer is the layer with the highest level of customer responsibility and control. For example, an application program that provides software as a service (SaaS) could have runtime software deployed on a local machine. The local runtime software communicates with software that processes the data using virtual machines in a public cloud, and the resulting analytics are then delivered to and stored in a private cloud storage server.
The physical layer refers to the physical products, such as servers, wires, switches, routers, buildings and real estate, that make all of the software operations possible. It also includes the “bare-metal” components such as firmware, BIOS, embedded software, and bare-metal hypervisors. In the shared responsibility model, the physical layer is under the control of the cloud service provider.
True digital transformation includes scalable systems for bringing innovations to market as quickly and efficiently as possible. Cloud computing is the leading way in which the enterprise can convert data to dollars—it outsources varying levels of infrastructure to pooled resources that are scalable on demand based on point in time needs. Outsourcing responsibly in this way requires a deep understanding of the shared responsibilities needed to secure data and protect personal information.
