
Shared Responsibilities for Cloud Computing: Who Does What in the Cloud? Part One

August 10, 2017

Several articles have recently been published online discussing the shared responsibilities of cloud service providers (CSPs) and customers when it comes to cloud computing.

The lure and mystique of cloud computing sometimes gives customers a false sense of security (no pun intended) that the cloud will auto-magically provide new levels of security for their applications, without them even having to think about it. However, the cynics out there will also remind us that the cloud is just ‘someone else’s computer’ and to a certain extent, that is true.

With cloud computing having been prevalent for several years now, many will be familiar with the ‘Pizza as a Service’ comparisons that have been bandied around on LinkedIn, Facebook and Twitter. People are trying to use a pizza analogy of ‘make it yourself’ versus buying it from a take-away or restaurant.

Pizza as a Service

As seen in the example above, this analogy has been used to explain the differences between on-premises IT, and cloud computing offerings from IaaS, PaaS and SaaS.

Breaking this down further, and in terms more relevant to IT, there is a clear division of responsibilities between IaaS and on-premises IT.

On-Premises vs IaaS

In the diagram above, all the main elements are detailed from an on-premises and IaaS perspective. Arguably, there could be another box for ‘cloud management platform’, and you will find differing versions of the diagram out there.

Virtualisation is a key technology that has enabled cloud computing, and cloud management platforms have enabled the self-service capabilities that we now know as cloud, from the virtual machine (CPU and RAM) and storage to the complex virtual networking provision.

Data center Physical Security

Starting at the bottom of the stack, it is worthwhile to spend a moment discussing the physical aspects of cloud computing. With on-premises implementations, the customer would be responsible for everything, including the physical data centre or computer room and the security of that, as well as power, cooling and networking.

When thinking about cloud, in most cases the cloud service provider will be leasing space from a data centre provider, so customers should be asking:

  • Where is the data centre? Whose data centre is it? Are there several locations?
  • How secure is it? What about perimeter security, CCTV, entry systems?
  • What industry accreditations does the data centre provider have?
  • Can I visit?
  • What provisions are there for power, cooling, networking?
  • How resilient are all of these things?

Equally, for the cloud service provider:

  • What industry accreditations do you have for your processes and compliance?
    • ISO 27001, ISO 27000, ISO 9001, CSA STAR, HIPAA, G-Cloud, etc.
  • What SLAs do you provide around availability, performance and support?
  • Who has access to my cloud environment?
  • Will the data stay in the locations I have selected? Could it be moved or copied elsewhere, perhaps out of country?

Over recent years, iland has partnered with world-class data centre providers who not only provide excellent facilities but also have strong relationships with telecom providers, enabling easy connection for iland customers if needed.

Security and Compliance

Here at iland, we take security and compliance very seriously. As we’ll discuss later, most enterprise organisations have built up compliance teams over recent years, especially in the heavily regulated industries, and had to attain certifications or attestations. So, when consuming cloud services, these organisations will need the same levels of compliance and security, but it is often difficult to achieve when working with public cloud providers who are trying to be all things to all people.

Through our cloud console, iland is able to share all of our compliance documentation, which includes:

  • ISO 27001 for Information Security Management Systems (ISMS)
  • ISO 20000 for IT Service Management
  • ISO 9000 for Quality Management Systems (QMS)
  • SSAE 16/18, SOC 2
  • PCI-DSS (for iland as a business, and the cloud infrastructure)
  • NIST 800-53 Security controls for US Federal Systems following FISMA
  • HIPAA/HITECH regarding data privacy and security provisions for safeguarding healthcare data
  • CSA STAR Certification – Gold
  • UK ICO / G-Cloud 9

We are also able to offer on-demand Compliance as a Service and audit control alignment for customers, in order to tailor compliance reporting to each customer’s requirements.

In the second part of this blog series, we’ll drill down into the upper section of the stack, the aspects that will be managed by the customer.

Richard Stinton

Richard is an Enterprise Solutions Architect for the iland EMEA business and has over 30 years’ experience in the IT industry, most recently in the Cloud space with iland, Microsoft Azure and VMware. Starting out in Engineering CAD/CAM and GIS systems with McDonnell Douglas and EDS, he moved to mainstream IT and Systems/Service Management with HP, BMC Software and Mercury Interactive, before joining VMware in its early days. Richard has a breadth of experience having worked in customer support, sales, partner management and product marketing. In his current role as EMEA solutions architect, Richard works with customers to implement and optimise cloud technologies.