Ensuring that your organization is compliant with a plethora of regulations that seem to change and grow on a daily basis is enough of a challenge when all your data is stored and processing is done in your on-premises data center, but when (mostly likely not “if”) you move some or all of your resources into the cloud, it becomes a lot like a Facebook relationship status: it’s complicated.
Back when I was an instructor at the police academy, one of the most important concepts that we taught new law enforcement recruits was that when you and a partner go into a situation – especially a dangerous one – it’s essential that each of you cover a specific area of responsibility. When conducting a building search for a burglary suspect, for instance, one officer will focus on one part of each room while the other focuses on the other half. In a domestic disturbance call, one officer will deal with one of the parties while the other talks to the other.
This does not mean that you become oblivious to what’s going on in your partner’s area and fail to respond if you see that he/she has dropped the ball and is at risk. It just means that each of you has a specific and different job for which you assume the primary role. This division of responsibility strategy applies to any tactical operation, whether in law enforcement, military maneuvers – or IT.
When your org operates its own datacenter, your IT department is a little like the small-town sheriff who has to handle everything on his/her own. When you team up with a cloud provider, you have a partner who will take some – but not all – of the burden of security and compliance off your shoulders. But just like when you and your fellow cop are dispatched to a bar fight, you need to know exactly where your responsibility lies or you can get into serious trouble.
Compliance and security, while not the same, go hand-in-hand. Security in a cloud-based environment relies on a number of different elements, some of which are handled by the cloud provider and some of which are handled by the customer. You’ll see references to this shared responsibility model in the contracts and documentation for Microsoft Azure, Amazon Web Services, Google Cloud Platform, and other cloud providers.
Each of the top three providers supplies detailed documentation outlining the division of responsibility for their services. Following are links to some of those documents:
Why is it necessary to create entire papers on this subject? It might, at first glance, seem to be a simple question: what security measures are the responsibility of the cloud provider and what security measures are your responsibility? However, as with so many other questions in the IT world, the answer is: it depends.
The cloud vendor, after all, defines its responsibilities in its contractual agreement, along with other terms of service. That means different vendors may accept different levels of responsibility. In addition, the type of cloud services to which you subscribe impacts the division of responsibilities. Thus the extent of your responsibility depends on whether you are using platform as a service (PaaS), infrastructure as a service (IaaS), or software as a service (SaaS).
Before we can examine who is responsible for what, we must think about the many aspects involved in securing data to keep it compliant with the various governmental and industry regulations and requirements. You already know that securing data in an on-premises data center is a multi-layered process. Some of those layers include:
- Physical security refers to measures to protect the hardware – the servers, network devices, cables, etc. which relies on physically securing the datacenter facilities to prevent unauthorized persons from gaining direct access to the systems. These measures include fences, locks, key/card/biometric access controls, human guards, surveillance cameras, and so forth.
- Security of the server operating systems includes patching vulnerabilities in the OS software, virus and malware protection, firewalls, local account management, secure configuration of OS settings, etc.
- Network perimeter security and access controls consist of network access controls, gateways and edge firewalls and threat management devices, secure network configuration and design through segmentation and isolation, etc.
- Application level security refers to authentication and authorization, encryption of data in memory, sandboxing, application access controls, application security updates, vulnerability scanning, containerization, rights management, etc.
- Identity and access management is at the core of your security strategy and provides the framework for verifying the identity of users and computers and applying policies to grant or deny access to resources based on identities or roles.
- Security of client computers and endpoints that connect to the network involves all the foregoing layers from physical to application layer security in regard to client computers, including mobile devices and Internet of Things (IoT) devices.
- Classification of and protection of data stored on the network and in transit across or through the network is a necessary first step in determining which data needs to be protected ad what the level of protection needs to be.
As mentioned above, different vendors’ contracts may have different terms and nuances regarding the shared responsibility model. We’ll look here at Microsoft’s division of responsibility for its Azure services, which is typical.
For IaaS services, Microsoft is responsible for all of the physical security of the servers and the Azure network devices and shares the responsibility with customers for the security of the host operating systems on which Azure virtual machines run, and for the network controls. Microsoft’s datacenters provide extensive multi-layered protections both outside the buildings (perimeter security) and inside. Strict access controls to minimize administrative privileges, along with multiple levels of monitoring, protect the privacy of data on the Azure network. Penetration testing is conducted regularly. You can read more about Azure security, privacy, and compliance features and the division of responsibility in the Azure cloud in my Trusted Cloud white paper.
In the IaaS model, customers share the responsibility for securing the host infrastructure (virtual machines) and network controls, and are solely responsible for application level controls, identity and access management, client and endpoint protection, and data classification. However, this doesn’t mean you’re on your own when it comes to these security components.
In addition to all the protective measures that they implement, cloud vendors also provide customers will many optional security features and controls that the customer can choose to deploy, some of which are free and others that come at extra cost. Such tools include multifactor authentication, advanced monitoring and logging, many different types of encryption, VPN connections, advanced threat detection, identity management services, information protection/rights management, antimalware protection, and more. These help you to secure those areas that are your responsibility under the shared model.
Today’s computing environments are complex, often combining on-premises and cloud resources into a hybrid model that makes security a challenge. However, by working together with your cloud provider, your organization can achieve compliance in the cloud.