Cloud Security: Who’s Responsible for What?

The typical journey to the cloud is based on a partnership between the cloud vendor and an enterprise or business, so the next logical question becomes: who is responsible for what, when it comes to cloud security and protecting the very important data within cloud applications?

Solely relying on the cloud provider for security is not a viable approach. Rather, cloud security is a shared responsibility between the provider and the tenant that should be meticulously defined and understood by both parties. Only then can they work together to prevent successful cyberbreaches.

Responsibility Breakdown

There are two ways to think about this responsibility divide. The cloud provider is typically responsible for security “of” the cloud, meaning the cloud infrastructure, typically including security at the storage, compute and network service layers. The enterprise assumes responsibility for security “in” the cloud. This includes applications, data, and services that operate within their managed cloud environment.  However, depending on the cloud infrastructure – private, public or SaaS – responsibility varies between the cloud vendor and organization:

Private – In private clouds, enterprises are responsible for all aspects of security for the cloud because it is hosted within their own data centers. This includes the physical network, infrastructure, hypervisor, virtual network, operating systems, firewalls, service configuration, identity and access management, etc. The enterprise also owns the data and the security of the data.

Public – In public clouds, like AWS or Microsoft Azure, the cloud vendor owns the infrastructure, physical network and hypervisor. The enterprise owns the workloads, apps, virtual network, access to their tenant environment/account, and the data.

SaaS – SaaS vendors are primarily responsible for the security of their platform, which includes physical security, infrastructure and application security. These vendors do not own the customer data nor assume responsibility for how customers use the applications. As such, the enterprise is responsible for security that would prevent and minimize the risk of malicious data exfiltration, accidental exposure or malware insertion.

While responsibility for securing data, apps and infrastructure falls more into the hands of the cloud vendor as businesses transition from private cloud to public cloud or SaaS, it’s important to note that ensuring the security of its own data is always the responsibility of the enterprise.

Security Measures – Vendor & Enterprise

Because of security and privacy concerns with moving data to the cloud, many cloud and SaaS vendors have focused on ensuring the security of the organization’s infrastructure and data. SaaS vendors invest significantly in building a strong defense for their own infrastructure, and they sometimes extend this security to the customer data with basic policy controls. However, these are typically not sufficient and organizations are forced to look for a more complete SaaS security solution.

The security gaps not addressed by SaaS vendors include: preventing data exposure through improper sharing and preventing threat insertion and distribution. It is here that the SaaS vendors’ responsibility ends and the IT team’s responsibility begins: to employ effective security measures to fill these security gaps and protect the organization’s data.

To compensate for what cloud vendors do not secure, an organization must have the right tools in place to effectively manage and secure risks to keep data secure. These tools must provide visibility into activity within the SaaS application, detailed analytics on usage to prevent data risk and compliance violations, context-aware policy controls to drive enforcement and quarantine if a violation occurs, real-time threat intelligence on known threats, and the ability to detect unknown threats to prevent new malware insertion points. For additional information, learn more about Aperture or check out the “Safely Enable Your SaaS Applications” tech brief.