Cloud security and compliance are a shared responsibility between the Cloud provider and the customer.
Cloud providers commit to the security, confidentiality, integrity and transparency of the infrastructure that hosts the customer's business-critical data; the security of the data, workloads and applications deployed in the Cloud, however, depends equally on the customer. In short, the Cloud provider is responsible for the "Security of the Cloud", while the customer is responsible for the "Security in the Cloud".
The Cloud Provider is responsible for “Security of the Cloud”
The Cloud provider is responsible for the Security of the Cloud, which means it is responsible for every security aspect of the global infrastructure that delivers the Cloud services: the hardware, the software and the networking facilities. In addition, the Cloud provider is responsible for the security configuration of its managed-service products, for example the servers, database engines and operating systems underneath a managed database service.
Broadly, the key responsibility areas of the Cloud provider are:
The Physical Security of the Cloud
Physical security of the Cloud infrastructure rests entirely with the provider. For example, AWS data centers are hosted in nondescript facilities and physical access is strictly controlled. The power supply into these facilities is fully redundant and equipped with 24/7 UPS backup.
Configuration Security of the Cloud
Any configuration change to the Cloud infrastructure is performed by the Cloud provider under well-defined industry best practices and guidelines. These changes, whether routine or emergency, are authorized, logged, tested, approved and documented so that every single activity can be traced back.
Service level Security of the Cloud
In the Cloud, security is built into every layer of the infrastructure. Each service the Cloud provider offers to its customers is architected to work efficiently and securely with the provider's networks and platforms. Service-level security is one of the core responsibilities of the Cloud service provider.
Cloud Security with Automation
Cloud providers build and implement security tools that allow customers to automate routine tasks. Automating those tasks eliminates many human configuration errors and lets customers focus on high-priority areas. Customers who leverage this security automation become more agile and responsive, which makes it easier for them to build and deploy more secure Cloud solutions.
The Customer is responsible for “Security in the Cloud”
Customers are responsible for the "Security in the Cloud". Just as they are responsible for the security of their on-premises data centers, applications and tools, in the Cloud they have the same, or even greater, control over the security of the systems they run there. Customers continue to retain ownership of their intellectual property running in the Cloud.
Security ownership lies with the Customer
The customer has the flexibility to choose the geographical region in which to host their data and applications, and can configure that data and those applications to be replicated to regions of their choice across the globe. In addition, the customer can and must choose the type of data encryption to apply to their applications in the Cloud. Cloud providers like AWS offer encryption options so that customers can configure their content to use encryption in transit, encryption at rest, or both. When the customer chooses customer-managed keys, ownership of the encryption keys lies completely with the customer, and those keys can be used to implement additional security controls to protect their content; with provider-managed keys the customer does not hold the key material, so the choice matters.
Just as on premises, customers continue to perform all the necessary security configuration and management tasks on their Cloud infrastructure services (IaaS) too. This includes applying security patches and configuring all the firewall settings (for example, security groups). As the responsibility for operating the IT environment in the Cloud is shared between the Cloud provider and its customers, so the management, operation and verification of that environment are also shared between both stakeholders:
- Configuration Management: the Cloud provider maintains the configuration of the infrastructure devices, while the customer is responsible for configuring the operating systems, databases and applications.
- Patch Management: the Cloud provider is responsible for maintaining and fixing flaws within the infrastructure devices, while customers are responsible for patching their operating systems and applications.
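The customer-side duties above (encryption in transit and at rest with customer-owned keys, firewall configuration, and OS patching) are the kind of thing a practitioner checks continuously rather than once. The script below is an added example, not code from the original article or from any Cloud provider: it audits a constructed account snapshot for the three gaps the text describes, showing a weak setting beside its hardened form. The snapshot, its field names, the admin-port list and the 30-day patch window are all assumptions made for the example, not a real provider's API.

```python
"""Customer-side checks for 'security in the Cloud' over a constructed snapshot.
Field names mirror the ideas in the text, not any real Cloud provider API."""
from datetime import date
from ipaddress import ip_network
from typing import Dict, List

# Assumption: these ports carry administrative or database protocols that
# should never be reachable from the whole internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

# Fixed "today" so the sample output is reproducible (constructed, like the snapshot).
AS_OF = date(2024, 6, 1)

# Constructed sample snapshot (not taken from any real account).
SNAPSHOT = {
    "security_groups": [
        # Hardened: HTTPS public, SSH only from the corporate range.
        {"id": "sg-web", "ingress": [
            {"from": 443, "to": 443, "cidr": "0.0.0.0/0"},
            {"from": 22, "to": 22, "cidr": "10.0.0.0/8"},
        ]},
        # Weak: SSH open to the world, and every port open over IPv6.
        {"id": "sg-bastion", "ingress": [
            {"from": 22, "to": 22, "cidr": "0.0.0.0/0"},
            {"from": 0, "to": 65535, "cidr": "::/0"},
        ]},
    ],
    "buckets": [
        # Hardened: at rest with a customer-managed key, TLS enforced.
        {"name": "app-logs", "encryption": "aws:kms", "customer_key": True, "tls_only": True},
        # Weak: no at-rest encryption, plaintext transport allowed.
        {"name": "exports", "encryption": None, "customer_key": False, "tls_only": False},
        # Encrypted, but with a provider-managed key the customer does not own.
        {"name": "backups", "encryption": "AES256", "customer_key": False, "tls_only": True},
    ],
    "instances": [
        {"id": "i-web-1", "last_patched": "2024-05-20"},
        {"id": "i-db-1", "last_patched": "2024-02-01"},
    ],
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a zero-length prefix matches every address)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups: List[dict]) -> List[str]:
    """Flag admin/database ports reachable from any address."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if not is_world_open(rule["cidr"]):
                continue
            exposed = [name for port, name in ADMIN_PORTS.items()
                       if rule["from"] <= port <= rule["to"]]
            if exposed:
                findings.append(f"{sg['id']}: {', '.join(exposed)} open to {rule['cidr']}")
    return findings


def audit_buckets(buckets: List[dict]) -> List[str]:
    """Flag missing at-rest encryption, provider-owned keys and missing TLS enforcement."""
    findings = []
    for b in buckets:
        if b["encryption"] is None:
            findings.append(f"{b['name']}: no at-rest encryption")
        elif not b["customer_key"]:
            findings.append(f"{b['name']}: at-rest key is provider-managed, not customer-owned")
        if not b["tls_only"]:
            findings.append(f"{b['name']}: in-transit encryption not enforced (no TLS-only policy)")
    return findings


def audit_patching(instances: List[dict], today: date, max_age_days: int = 30) -> List[str]:
    """Flag instances whose OS patch date is older than the allowed window."""
    findings = []
    for inst in instances:
        age = (today - date.fromisoformat(inst["last_patched"])).days
        if age > max_age_days:
            findings.append(f"{inst['id']}: last patched {age} days ago (limit {max_age_days})")
    return findings


def audit(snapshot: dict, today: date) -> Dict[str, List[str]]:
    """Run every customer-side check and group the findings by area."""
    return {
        "firewall": audit_security_groups(snapshot["security_groups"]),
        "encryption": audit_buckets(snapshot["buckets"]),
        "patching": audit_patching(snapshot["instances"], today),
    }


if __name__ == "__main__":
    for area, items in audit(SNAPSHOT, AS_OF).items():
        print(f"[{area}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Against the constructed snapshot the script reports the bastion group (SSH to the world, and every port over IPv6), the unencrypted export bucket with no TLS-only policy, the backup bucket that is encrypted but with a key the customer does not own, and the database instance that has missed its patch window; the web group and the log bucket, configured the hardened way, produce no findings. In a real account the same checks would be fed from the provider's configuration export rather than a hand-built dictionary.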
Security using any Third Party Products
In addition to the security controls provided by the Cloud provider, customers can deploy hundreds of third-party security products that integrate with the controls already in place in their on-premises environments, for example Symantec, Splunk, Alert Logic and many more. These products complement the native Cloud services and let customers build a comprehensive security architecture with a more seamless experience across Cloud and on-premises data centers.
Security with Regulation & Compliance
Lastly, compliance and regulation are critical to maintaining "Security in/of the Cloud". Many compliance programs exist globally, and their purpose is to ensure the privacy and protection of customer data. They help customers and Cloud service providers diligently implement industry best practices, security frameworks, and data privacy laws and regulations. Some of these programs are industry- or vertical-specific, while others apply only in certain geographies. Examples include CSA (Cloud Security Alliance), ISO 27017 (Cloud-specific controls), ISO 27018 (personal data protection), PCI DSS Level 1 (payment card standards), HIPAA (protected health information), FISMA (Federal Information Security Management Act) and SOC 1, SOC 2 and SOC 3 (System and Organization Controls). Note that the shared responsibility model applies here too: a provider's certification covers the provider's side of the infrastructure, and the customer must still demonstrate compliance for the workloads, data and configurations they control.