Moving into the cloud has many benefits if is done correctly – from increased agility and flexibility to scalability and moving to an Opex, rather than Capex model. Two aspects organisations will, however, always need to take into account when in the cloud is dealing with data protection and managing its security. While public Cloud Service Providers (CSPs) need to ensure they have the highest levels of security in place, the onus is never solely on them to protect data.
There is a shared responsibility model applied within each CSP, and the division of accountability depends on the way that the workload is hosted. One thing is always certain though – migrating to the cloud does not mean abdicating responsibility for data protection and security, so these roles need to be understood and defined up front to avoid any potential issues.
Blurred lines
When data centres are hosted at physical premises, the entire stack is owned by the organisation at the premises. While migrating to the cloud does effectively change this and means that certain responsibilities will transfer to the CSP, not everything becomes the CSP’s responsibility. For example, securing the infrastructure and physical hosts, the network and data centre needs to be handled by the CSP. However, information and data security are always the responsibility of the business, as are endpoint devices, accounts, and identities.
Accountability for security around the operating system, network controls, applications, and the identity and directory infrastructures, however, becomes slightly more complex. This depends on the service type that has been deployed. For example, with an Infrastructure as a Service (IaaS) only model, these aspects remain the responsibility of the business. In a Platform as a Service (PaaS) model, responsibility for operating systems security lies with the CSP, while the other areas are shared between the business and the CSP. When businesses adopt a Software as a Service (SaaS) model, responsibility for identity and directory infrastructure is shared, with the other elements becoming the CSP’s responsibility.
Compliance is always a business problem
Regardless of the service delivery model, an organisation is always responsible and accountable for ensuring that both their solution and data are secure and compliant. This requires data to be effectively managed, identified, labelled, and classified to meet compliance obligations, such as those defined by the Protection of Personal Information Act (POPIA).
The reality is that only the organisation concerned can know which data is sensitive customer information. They cannot expect a CSP that has no knowledge of the organisation and its customers, to take on this task. While there are solutions and service providers available that can assist organisations to manage, classify and protect their data, this always remains the organisation’s responsibility and cannot be passed on to any service provider more effectively.
Practice safe computing
When it comes to cloud migrations, it is essential for organisations to carefully consider and evaluate the offerings from various CSPs and become aware of how the different shared responsibilities will affect costs, ease of use, privacy, security and compliance. The organisation must ensure that it adopts the solution and service that will offer the highest levels of security and compliance to maintain safe computing solutions.
Moving to the cloud does not mean shifting all responsibility for security to the CSP, and organisations need to be aware of their own responsibilities. Cloud providers do need to provide for certain data protection and security elements, but ultimately organisations themselves remain responsible and accountable for their data. A well-designed and implemented cloud solution can help to enhance and improve security overall, but only if this shared responsibility model is understood and effectively put into place in the first place.
To find out more about how you can prevent data loss and solve non-compliance problems due to insufficient data protection and gaps in data retention policies with cloud application services, contact
Data Management Professionals South Africa
Tel +27 (0)11 655 7130
email: sales@dm-p.co.za
website: www.dm-p.co.za
Other useful links:
Backup as a Service
Backup for a Hybrid World