{"id":22696,"date":"2016-12-19T13:00:37","date_gmt":"2016-12-19T21:00:37","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=22696"},"modified":"2022-04-13T00:34:09","modified_gmt":"2022-04-13T07:34:09","slug":"cloud-security-whos-responsible","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2016\/12\/cloud-security-whos-responsible\/","title":{"rendered":"Cloud Security: Who\u2019s Responsible for What?"},"content":{"rendered":"<p>The typical journey to the cloud is based on a partnership between the cloud vendor and an enterprise or business, so the next logical question becomes: <em>who is responsible for what, when it comes to cloud security and protecting the very important data within cloud applications?<\/em><\/p>\n<p>Solely relying on the cloud provider for security is not a viable approach. Rather, cloud security is a shared responsibility between the provider and the tenant that should be meticulously defined and understood by both parties. Only then can they work together to prevent successful cyberbreaches.<\/p>\n<h3>Responsibility Breakdown<\/h3>\n<p>There are two ways to think about this responsibility divide. The cloud provider is typically responsible for <em>security \u201cof\u201d the cloud<\/em>, meaning the cloud infrastructure, typically including security at the storage, compute and network service layers. The enterprise assumes responsibility for <em>security \u201cin\u201d the cloud<\/em>. This includes applications, data, and services that operate within their managed cloud environment. However, depending on the cloud infrastructure \u2013 private, public or SaaS \u2013 responsibility varies between the cloud vendor and organization:<\/p>\n<p style=\"padding-left: 30px;\"><strong>Private \u2013 <\/strong>In private clouds, enterprises are responsible for all aspects of security for the cloud because it is hosted within their own data centers. 
This includes the physical network, infrastructure, hypervisor, virtual network, operating systems, firewalls, service configuration, identity and access management, etc. The enterprise also owns the data and the security of the data.<\/p>\n<p style=\"padding-left: 30px;\"><strong>Public \u2013 <\/strong>In public clouds, like AWS or Microsoft Azure, the cloud vendor owns the infrastructure, physical network and hypervisor. The enterprise owns the workloads, apps, virtual network, access to their tenant environment\/account, and the data.<\/p>\n<p style=\"padding-left: 30px;\"><strong>SaaS \u2013 <\/strong>SaaS vendors are primarily responsible for the security of their platform, which includes physical security, infrastructure and application security. These vendors do not own the customer data nor assume responsibility for how customers use the applications. As such, the enterprise is responsible for security that would prevent and minimize the risk of malicious data exfiltration, accidental exposure or malware insertion.<\/p>\n<p>While responsibility for securing data, apps and infrastructure falls more into the hands of the cloud vendor as businesses transition from private cloud to public cloud or SaaS, it\u2019s important to note that ensuring the security of its own data is <u>always<\/u> the responsibility of the enterprise.<\/p>\n<h3>Security Measures \u2013 Vendor &amp; Enterprise<\/h3>\n<p>Because of security and privacy concerns with moving data to the cloud, many cloud and SaaS vendors have focused on ensuring the security of the organization\u2019s infrastructure and data. SaaS vendors invest significantly in building a strong defense for their own infrastructure, and they sometimes extend this security to the customer data with basic policy controls. 
However, these are typically not sufficient, and organizations are forced to look for a more complete SaaS security solution.<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/12\/SaaS_responsibility_1.png\"><img loading=\"lazy\" decoding=\"async\"  class=\"size-full wp-image-22699 alignright lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/12\/SaaS_responsibility_1.png\" alt=\"saas_responsibility_1\" width=\"501\" height=\"253\" \/><\/a>The security gaps not addressed by SaaS vendors include preventing data exposure through improper sharing and preventing threat insertion and distribution. It is here that the SaaS vendors\u2019 responsibility ends and the IT team\u2019s responsibility begins: to employ effective security measures to fill these security gaps and protect the organization\u2019s data.<\/p>\n<p>To compensate for what cloud vendors do not secure, an organization must have the right tools in place to manage risk effectively and keep data secure. These tools must provide visibility into activity within the SaaS application, detailed analytics on usage to prevent data risk and compliance violations, context-aware policy controls to drive enforcement and quarantine if a violation occurs, real-time threat intelligence on known threats, and the ability to detect unknown threats to prevent new malware insertion points. 
For additional information, <a href=\"https:\/\/www.paloaltonetworks.com\/sase\/saas-security\">learn more about Aperture<\/a> or check out the \u201c<a href=\"https:\/\/www.paloaltonetworks.com\/resources\/videos\/aperture-secure-saas\">Safely Enable Your SaaS Applications<\/a>\u201d tech brief.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The typical journey to the cloud is based on a partnership between the cloud vendor and an enterprise or business, so the next logical question becomes: who is responsible for what, when &hellip;<\/p>\n","protected":false},"author":249,"featured_media":21531,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[113],"tags":[1440,1166,149],"coauthors":[2745],"class_list":["post-22696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-computing-2","tag-aperture","tag-cloud-security","tag-saas"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/11\/blog-generic-banner-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/22696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/249"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=22696"}],"version-history":[{"count":5,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/22696\/revisions"}
],"predecessor-version":[{"id":35458,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/22696\/revisions\/35458"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/21531"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=22696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=22696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=22696"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=22696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}