When It Comes to Your Data Security, Who’s Responsible?

National Cyber Security Awareness Month: In the age of cloud computing, who takes responsibility for data security?

As we continue with our focus on cyber security, it’s important to acknowledge that there is some confusion when it comes to who is responsible for the security of a company’s data, especially when that data is stored in the cloud. If your data is being stored in an off-site, cloud-based solution, are you ultimately responsible for its security? Is the cloud provider responsible? Who will be called to account if there is a data breach? The answers to those questions are not as simple as most executives would like, but they’re vital to consider when handling sensitive data.

A survey released in September by Barracuda Networks Inc., a firm specializing in data security, reported that 44 percent of companies polled run their infrastructure in the public cloud, with that percentage expected to double over the next five years.

But the survey also revealed significant confusion over who was responsible for the security of data stored in the cloud, with 77% of respondents saying the cloud providers were responsible for securing their data while 68% of IT executives believed cloud providers were also responsible for application security.

Data security “remains a key concern for organizations evaluating public cloud, and there’s confusion over where their part of the shared responsibility model begins and ends,” said Tim Jefferson, vice president of public cloud at Barracuda.

Before you agree to work with any cloud provider, it’s important to express your expectations and address a few key issues related to cloud security. For example, where is your data being stored? What are likely threats to the security of your data, and how are these threats mitigated? Who is responsible for the major aspects of security, including access management, data encryption, security and vulnerability testing and secure deployment? The answers to these questions should be addressed in a legal contract prior to deploying any data to a cloud service provider.

Of course, if you’re storing data in the cloud, we all know by now that it’s important to ensure that data is encrypted. (If you’re not familiar with encryption and you missed our previous newsletter detailing its importance, you can read it here.) But the level of access you and your cloud provider have to your encrypted data largely affects the burden of responsibility. Do you maintain your encryption keys? Does your provider? Do you both have access to and maintain your encryption keys? If both parties are in control of the encryption keys, both parties are responsible for the encrypted data they control. 

Also, much of the responsibility for the issues relating to cloud security can be determined by which of the three main cloud service models you are using for your hosting solution: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS).

With the IaaS model, the cloud vendor only provides the infrastructure to host data while the user functions as the network administrator. Thus the cloud user accepts the responsibility for all persons with access to the server and applications and maintains encryption keys for all data stored within. They are also responsible for any necessary security patches or audits required on their applications. 

Similarly, with the PaaS solution, the cloud provider secures and monitors the provided database, but the cloud user is responsible for access management and the data itself.

With SaaS solutions, the security responsibility is shared between the vendor and the cloud user, and the vendor assumes significantly more responsibility than in the other two models. The user is still responsible for access management, but as the cloud vendor is providing the application, they assume responsibility for the program interface and security within their system. This includes security and vulnerability testing, secure deployment practices and application code scanning.

If your company is currently operating in a cloud-based environment, or you’re considering moving to a cloud-based application and you’re unsure of who is responsible for the security of your data, Spud Software is here to help. Contact us and a member of our experienced staff can help you determine if your data is secure, and what solutions are best suited to your company’s IT security needs.