It’s a ubiquitous question posed to every Cloud Solution Provider – and so are the corollaries that follow:
- Will you guarantee that my data won’t be hacked?
- If it’s safe, then why won’t you accept liability for it?
To those considering a seismic shift from on-premise servers to Cloud hosting, these questions are simple, logical and not at all inconsistent which one another. Daily news stories, including the recent DNC Wikileaks hack, heighten awareness and concern.
At the heart of these questions, however, is a fundamental misunderstanding – Customers remain responsible for the security of their own data in the Cloud.
Cloud hosting subscribers typically believe that once data is uploaded to the Cloud, their responsibility for security is absolved and shifted to the provider. Amazon Web Services prepared the graphic above to illustrate that this is not the case. It details the distinction between security “in” the Cloud and security “of” the Cloud.
Security “In” vs “Of” the Cloud
While the specifics between Cloud providers may vary slightly, the concept remains the same:
- “In” the Cloud – Customer Responsibilities
- Access control to all components, applications and data
- Configurations of operating systems, networks, firewalls and remote access
- Encryption at rest, in transit, at the client and on the server
In most cases, the Cloud solution provider does not have direct access to the internal applications or operating systems on hosted instances. So these items fall to the customer.
- “Of” the Cloud – Cloud Provider Responsibilities
- Access control to physical facilities, components and connections within their network
- Configurations of locations, clustered facilities and website edge resources
- Certification audits including SOC, FedRamp, HIPAA, and others
- Certified destruction of abandoned storage disks
Security in the Cloud is a partnership. The advice I give customers? Treat your hosted Cloud servers with the same or greater attention to security details as you would for an on-premise server.