Who is responsible for What; Cloud security and Organisations Responsibility

Sharing is caring!

Computing environments move from customer-controlled datacenters to the cloud, the responsibility of security also shifts. Security of the operational environment is now a concern shared by both cloud providers and customers. There are 3 major cloud deployment approaches; IaaS, PaaS & SaaS.  For all cloud deployment types, you own your data and identities. You are responsible for helping secure your data and identities, your on-premises resources, and the cloud components you control (which vary by service type). According to Gartner, over the next three years, “at least 95% of cloud security failures will be the customer’s fault.” 

Security is not a provider but a Shared responsibility

With Infrastructure as Service (IaaS), you are leveraging the lowest-level service and asking cloud provider to create virtual machines (VMs) and virtual networks. At this level, it’s still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure. 

With Platform as Service (PaaS), Organisations can outsource several security concerns. At this level, the cloud provideris taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Active Directory (Azure AD) for access controls. PaaS also comes with many operational advantages. Rather than building whole infrastructures and subnets for your environments by hand, you can “point and click” within the portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed.

With software as a service (SaaS), you outsource almost everything. SaaS is software that runs with an internet infrastructure. The code is controlled by the vendor but configured to be used by the customer. i.e Microsoft 365 (formerly Office 365), which is a great example of SaaS!

What is a Critical to protect
  • Identities and Access Management
  • Data classifications and accountability
  • Intelligent and Persistent Data and Information protection
  • Application-level controls and security
  • Network-level security and restrictions
  • Endpoint management and protection
  • Double key Encryption and Key Managements