Seen a lot of discussions lately regarding who is responsible for security when you outsource infrastructure components to a public cloud provider. Some feel responsibility still falls with the tenant, while others feel outsourcing infrastructure means outsourcing security responsibility as well. As with most things in life, the truth lies somewhere in the middle. 😉
In general terms, who is responsible for which aspects of security is going to vary depending on which cloud implementation model you subscribe to. Public IaaS leaves more layers under the control of the tenant, and thus more of the security responsibility. SaaS however places control, and thus security, squarely within the provider’s realm. Figure 1 is a rough drawing that shows the point of delineation under different deployment models.
So what does the above graphic teach us? The red line is the demarcation point between tenant and provider responsibility, based on deployment model. Above the red line is the tenant’s responsibility, while below the red line is the provider’s responsibility.
For example, in an IaaS deployment the operating system is under the control of the tenant, so they are free to implement any host-based security controls they require. In a SaaS deployment however, the tenant is isolated from the underlying OS, and thus it is up to the provider to fully secure this layer.
With all that said, at the end of the day “responsibility” is typically defined within the provider’s Service Level Agreement (SLA). Look for clauses such as “this SLA does not apply to actions or inactions of third parties” or similar verbiage. This is effectively a get out of jail free card for the provider if your data is compromised by a non-employee. So while responsibility for applying security may rest under the provider’s control, your recourse for security failures may be severely limited.
So what’s the takeaway? Leverage the provider’s security controls as much as possible, but ensure you’ve implemented your own to both look over the provider’s shoulder and validate your data’s integrity.
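One way to act on that takeaway, as an added example that is not from the original post: a tenant-side integrity manifest that fingerprints objects before they leave your control and checks what the provider hands back. The sample objects, the "retrieved" set and the tenant-held key are all constructed for the demo; the HMAC-over-SHA-256 choice is mine, not something the post prescribes.

```python
import hashlib
import hmac
import json

# Constructed sample objects standing in for files the tenant uploads to a provider.
SAMPLE_OBJECTS = {
    "reports/q1.csv": b"id,amount\n1,100\n2,250\n",
    "config/app.json": b'{"debug": false}\n',
}


def build_manifest(objects, key):
    """Record a keyed SHA-256 digest of each object before it leaves the tenant.
    The manifest (and the key) stay on the tenant side, so a compromise at the
    provider cannot silently rewrite both the data and its fingerprint."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in objects.items()}


def verify_objects(manifest, retrieved, key):
    """Compare what came back from the provider against the tenant-held manifest.
    Returns one finding per name: 'ok', 'modified' or 'missing' for manifest
    entries, and 'unexpected' for objects returned that were never recorded."""
    findings = {}
    for name, expected in manifest.items():
        data = retrieved.get(name)
        if data is None:
            findings[name] = "missing"
            continue
        actual = hmac.new(key, data, hashlib.sha256).hexdigest()
        findings[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in retrieved:
        if name not in manifest:
            findings[name] = "unexpected"
    return findings


def demo():
    key = b"tenant-held-secret-assumed"  # hypothetical key; never stored with the provider
    manifest = build_manifest(SAMPLE_OBJECTS, key)
    # Constructed "retrieved" set: one object altered, one missing, one extra.
    retrieved = {
        "reports/q1.csv": b"id,amount\n1,100\n2,999\n",
        "logs/extra.txt": b"not in manifest\n",
    }
    return verify_objects(manifest, retrieved, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real bucket, the manifest would be built at upload time and checked on every download or on a schedule, giving you a detection signal that does not depend on the provider's own reporting.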