The shared responsibility model for compliance in cloud computing environments requires cooperation between service providers and enterprise customers to ensure complete coverage of cloud security issues and privacy controls. The division of responsibility varies based upon the type of regulation, scope of the cloud service and data involved. That said, the most important determinant of responsibility is the type of cloud platform that your organization uses for storing, processing and transmitting regulated information.
It depends on service scope
IT professionals classify cloud computing platforms into three main categories based upon the scope of the service provided. Software as a service (SaaS), in which the vendor offers a hosted application -- for example, Salesforce's customer relationship management -- is at one end of the spectrum. Platform as a service (PaaS), such as Microsoft Azure, lies somewhere in the middle; with PaaS the vendor offers customers a platform upon which they can develop or customize applications. Infrastructure as a service (IaaS), such as Amazon Web Services, is at the other end of the spectrum: the vendor provides the customer with core computing services, such as server instances, storage capacity and network bandwidth. In all cases, the vendor's responsibility for cloud security compliance depends upon where its services fall on this spectrum.
Vendors are definitely responsible for running their services in a compliant fashion, but this compliance doesn't automatically translate to complete customer compliance. The consumers of cloud services are always responsible for their own actions. Imagine, for example, an enterprise customer is running a virtual server on a cloud provider's platform. If the IT staff has the ability to alter the firewall settings, the secure configuration of the firewall is clearly outside the scope of the cloud provider's responsibility, and the enterprise has the ability to take an otherwise compliant service and make it non-compliant.
Shared responsibility scenarios
In an IaaS implementation, the vendor is responsible for the foundational security of the underlying compute services. For example, if a cloud provider offers virtual server instances, the vendor is often responsible for everything from the physical security of its data centers up through the hypervisor that controls virtual instances and isolates them from each other. This may include network connectivity, firewalls, data center surveillance systems, hardware security and similar controls.
You, on the other hand, are responsible for whatever IT does on top of that hypervisor. If the IT team installs and configures the operating system, it is clearly the enterprise's responsibility to maintain the security of that configuration. Similarly, your IT staff must correctly install and configure any application services running on servers in the IaaS platform. From a software security perspective, there is little difference between the responsibilities that an organization has for services hosted in an IaaS environment and those in an on-premises data center.
At the other end of the spectrum, SaaS vendors bear a more significant burden for cloud security issues and software compliance. They control everything from the physical security of data centers all the way up the stack to the configuration of the application. For example, Salesforce is responsible for cloud security issues such as confidentiality and availability. Enterprise responsibility is limited to those configuration settings that the provider permits the customer to alter and the security of data fed into the service. For example, IT security teams might choose to encrypt files before uploading them into a SaaS collaboration tool. PaaS blurs the lines between SaaS and IaaS, so the division between customer and vendor responsibilities in terms of compliance and cloud security issues will shift based upon the specifics of the service.
The bottom line for cloud security compliance is that both vendors and customers must understand who bears the burden of satisfying each requirement of the laws or regulations governing customer information stored, processed or transmitted by the system. There's simply no substitute for a common understanding and written agreement governing the shared responsibility model for each cloud service implementation.