The cloud is a tremendous convenience for enterprises. Running a data center is expensive – doing so not only requires buying a lot of servers, cable and networking appliances but also electricity, labor costs, cooling and physical space.

Services like Amazon’s AWS, Microsoft’s Azure, Oracle’s Cloud and Google’s Cloud Platform give businesses the benefits of having a data center without the expensive overhead and related hassles. Imagine how much more expensive it would be to launch a Software as a Service (SaaS) product if establishing the backend had to be done without the help of third-party cloud services?

Cloud services and the internet offer tremendous cost savings, efficiency and functionality. Unfortunately, putting your data on the internet exposes it to greater cybersecurity risks. It’s certainly possible to security-harden cloud services to make them a lot less vulnerable to cyber attack.

But when Amazon or Google owns the infrastructure and your enterprise owns the data, who is responsible for keeping your cloud security?

What are we protecting in the cloud?

The Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework defines the following as essential IT resources:

  • People
  • Information
  • Applications
  • Infrastructure

A cloud prover, such as Azure or AWS, typically provides infrastructure as a service (IaaS) and platform as a service (PaaS). The infrastructure is the physical components of computers, networks and networking appliances. The platform is all of that plus middleware components, such as databases. If the application you’re running is yours, the SaaS aspect is your responsibility.

The shared cloud security model

Amazon’s AWS is a leader in cloud services. AWS’ initiatives help to set trends in the cloud services industry. AWS features what Amazon calls a Shared Responsibility Model.

Here’s what they say on the official AWS policy site:

(Read more...)