The clue is in the ‘shared’ part of shared responsibility: customers and providers have to work together to secure cloud data, yet new research shows two thirds of organisations polled export full responsibility for data protection, privacy and compliance on their cloud service providers.
The study, from Veritas, found that more than eight in 10 (83%) of the 1,200 global business and IT decision makers polled who plan to use infrastructure as a service (IaaS) believe their cloud service provider takes care of protecting their data in the cloud.
69% said they can place all responsibility for their data security in the provider’s hands, while more than half believe it is the cloud provider’s responsibility to securely transfer data between on-premises and cloud (54%) and back up workloads in the cloud (51%).
56% of those polled said they operate with a ‘cloud first’ mentality, compared to 43% who say they consider on-premises first before considering cloud. More than two thirds (67%) say they either already use or plan to use two or more cloud providers, with 42% at least aiming for three or more and 16% looking for five.
When it came to barriers against cloud implementation, lack of in house skills – cited by 38% of respondents – was most frequently cited, ahead of complexity with migration (37%) and limitations of legacy technology (36%). For factors which impacted cloud provider selection, data privacy, security and compliance, workload performance and uptime were key.
Yet the issues around what shared responsibility means have raised their head again. Let’s take Amazon Web Services (AWS) and Microsoft, the two largest vendors, as an example.
“Security and compliance is a shared responsibility between AWS and the customer,” Amazon notes. “This shared model can help relieve customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualisation layer down to the physical security of the facilities in which the service operates.
“The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.”
A post on Microsoft’s Azure security and compliance blog puts it this way. “Shared responsibility in public cloud is related to the fact that you have a partner when you host resources on a public cloud service provider’s infrastructure. Who is responsible for what (in terms of security) depends on the cloud service model you use.
“With IaaS, the cloud service provider is responsible for the core infrastructure security, which includes storage, networking and compute (at least at the fabric level – the physical level). As you move from IaaS, to PaaS and then to SaaS, you’ll find that you’re responsible for less and the cloud service provider is responsible for more.”
With GDPR on the horizon as well, businesses need to make sure they get this right. “Although cloud providers have a duty to ensure they help keep data secure and readily available, the ultimate responsibility of maintaining a compliance position with regulations such as GDPR lies with the organisation that owns the information,” said Jason Tooley, Veritas Northern Europe vice president.