Shared Cloud Platform Risks and Responsibilities
- cloud customer and provider both share responsibilities and risks associated with cloud data
- responsibilities and risks are codified in service contract
- ultimate legal liability for disclosures is with the cloud customer as the data owner
  - even if it is entirely the provider's failure
- cloud provider may be financially responsible depending on terms of the contract
  - but not legally responsible
- data disclosure carries risk of negative publicity, loss of faith among clientele, decrease in market share or company value, increase in insurance premiums
Typical Responsibilities by Service Model
| | IaaS | PaaS | SaaS |
|---|---|---|---|
| Security GRC | 👤 | 👤 | 👤 |
| Data Security | 👤 | 👤 | 👤 |
| Application Security | 👤 | 👤 | 👤/☁️ |
| Platform Security | 👤 | 👤/☁️ | ☁️ |
| Infrastructure Security | 👤/☁️ | ☁️ | ☁️ |
| Physical Security | ☁️ | ☁️ | ☁️ |

☁️ = Cloud provider, 👤 = Cloud customer
- cloud customer and provider are concerned with two different things
  - customer is concerned about the data
    - production environment hosted in the cloud data center is the customer's lifeblood
    - breaches, failures, and lack of availability most affect the customer
  - provider is concerned with security and operations of its data center
    - to maintain profitability
- customer seeks maximal control over its data
  - wants policy control, logging data, and audit abilities
- provider seeks to limit access to data as much as possible
  - wants to refrain from disclosing information that could be used for malicious purposes
- creates adversarial dynamic in negotiation
- both parties must have clear goals
- provider has advantage because it understands the function and operations of data center better
- may be advisable for customers to seek external consultants to help with negotiations