Going the cloud route does not mean abdicating responsibility for security
02 Jul 2021
Moving into the cloud has many benefits if done correctly, from increased agility and flexibility to scalability and a shift from a Capex to an Opex model. However, one thing businesses always need to take into account is data protection and security. While public Cloud Service Providers (CSPs) need to ensure they have the highest levels of security in place, the onus is never solely on them to protect data. Each CSP applies a shared responsibility model, and the division of accountability depends on how the workload is hosted. One thing is certain, however: migrating to the cloud does not mean abdicating responsibility for data protection and security, so these roles need to be understood and defined up front to avoid issues.
When data centres are hosted on premises, the entire stack is owned by the business. Migrating to the cloud changes this, in that certain responsibilities transfer to the CSP, but not everything becomes their responsibility. For example, securing the infrastructure and physical hosts, the network and the data centre is handled by the CSP. However, information and data security are always the responsibility of the business, as are endpoint devices, accounts and identities.
Accountability for security around the operating system, network controls, the application, and the identity and directory infrastructure, however, is slightly more complex, because it depends on the service type that has been deployed. For example, in an Infrastructure as a Service (IaaS) only model, these aspects remain the responsibility of the business. In a Platform as a Service (PaaS) model, responsibility for operating system security lies with the CSP, while the other areas are shared between the business and the CSP. When businesses adopt a Software as a Service (SaaS) model, responsibility for identity and directory infrastructure is shared, with the other elements becoming the CSP’s responsibility.
Compliance is always a business problem
Regardless of the service delivery model, the business is always responsible and accountable for ensuring that both its solution and its data are secure and compliant. This requires data to be effectively managed, identified, labelled and classified to meet compliance obligations, such as those defined by the Protection of Personal Information Act (PoPIA).
The reality is that only the business can know which data is sensitive customer information. It cannot expect a CSP that has no knowledge of the business and its customers to take on this task. While there are solutions and service providers available that can help businesses manage, classify and protect their data more effectively, this always remains the business’s responsibility and cannot be passed on to any service provider.
Practice safe computing
When it comes to cloud migrations, it is essential for businesses to carefully consider and evaluate the offerings from various CSPs and how the different divisions of shared responsibility will affect cost, ease of use, privacy, security and compliance. Businesses must ensure they adopt the solution and service that offer the highest levels of security and compliance for their workloads.
Moving to the cloud does not mean shifting all responsibility for security to the CSP, and businesses need to be aware of their own responsibilities. Cloud providers need to provide certain data protection and security elements, but ultimately businesses remain responsible and accountable for their data. A well-designed and well-implemented cloud solution can enhance security overall, but only if this shared responsibility model is understood and effectively put into place first.