The shared responsibility model is one that may surprise companies who subscribe to cloud services, thinking all responsibility for data security is off their plate. Even if companies outsource their data services, they still carry some responsibility. Before we discuss shared responsibility and those aspects of data security companies need to understand, let’s look at the background which led to this situation.
Years ago, all companies operated and managed their entire IT infrastructure on-site. They owned all of the servers and equipment and operated under their sole control. Even today, many companies still try to manage their entire stack of technology on their own, but limited resources can become a roadblock. When there is not enough money or personnel to address all necessary processes and security measures, essential responsibilities may fall by the wayside. These inefficiencies can cause problems both with productivity and ROI, not to mention leaving potential security gaps.
The good news is that times have changed, and remote and outsourced processing has become an accepted norm for many businesses – at least in part. Virtualized servers and cloud technologies are just two of the services that allow companies of all sizes to consider shared resources and economies of scale through outsourcing.
Transferring data to a public cloud may be an excellent solution for your business, eradicating the overhead of maintaining servers and other technology infrastructure on-premise. Public clouds can also assume maintenance and security responsibilities, which is a key motivator for companies that increasingly outsource to cloud management.
While cloud providers provide various levels of service that protect a company’s data environment, they do not cover the customer and company data entirely. They operate on a “Shared Responsibility Model.” The managed services or cloud services provider shares responsibility for safeguarding the environment, beginning with the physical infrastructure. However, the remainder of the responsibility rests with the subscribing company.
Depending on the plan the company enrolls in, the provider (typically Microsoft Azure, Amazon Web Services, or Google) is responsible for specific aspects of the cloud service.
The customer manages any aspect that is not covered by the selected plan, an arrangement that should result in total coverage. For all types of cloud deployment, the company owns data and identities, making them responsible for protecting the security of data and identities, on-premises resources, and the cloud components not covered under your contract. Regardless of the service level, the following responsibilities are always retained by the company:
- Data
- Endpoints
- Account
- Access management
Even with the most comprehensive service plan packages from cloud providers, each company is still responsible for securing its own data. These responsibilities generally include account and access management – protocols dictating who can access your data and which access method is utilized.
Ways to Purchase Cloud Services
Companies opting to transfer their data to the public cloud can buy directly from the cloud provider. However, they can also purchase from a reputable cloud service provider (CSP), which can assist in managing the remaining responsibilities not covered by the cloud provider service.
If you are interested in more information on cloud services and what benefits a CSP can provide to your organization, call Alliance IT today.
