One Thing is Clear in the Cloud – Security is the Customer’s Responsibility

This was cross-posted on the Symantec Partner Community blog

Cloud has amazing appeal.  Who can argue with benefits like incredible scale, elasticity, and just-in-time access to IT resources?  And that whole Operating Expense (OpEx) model with payments based on actual utilization is darn compelling to the financial types.  In fact, I’ve often heard these sorts of comments from my customers who are leveraging public Infrastructure as a Service (IaaS) cloud services like Amazon Web Services (AWS).

What these customers also understand is that public cloud platforms aren’t just co-located or hosted virtual machines.  Public IaaS providers offer robust IT platforms that provide a suite of IT services ranging from data center primitives like virtual servers, storage, and networking to more complex connective services like notification, email, workflow, provisioning, orchestration, and load balancing.  These are complex environments, and there is a learning curve to best leverage these platforms.

One common misconception is that by moving applications – or IT Services – to the cloud, one somehow absolves oneself from properly managing that platform and application.  Cloud platforms do not make 40+ years of institutional IT knowledge and learnings suddenly obsolete.  In Symantec’s recent State of Cloud Survey, many traditional core IT disciplines were highlighted as being problem areas for cloud adopters.  Ironically, many of the issues cited, like rogue IT and backup complexity, are commonly encountered with on-premise IT, so it’s no surprise to see these issues replicated on cloud platforms.

There is somewhat of a new model that has emerged with public IaaS, though, called the Shared Security Model.  I say somewhat, as we’ve been using shared security models on-premise for many years, especially in the public sector where DLT focuses its efforts.  Many of our customers leverage third party data centers and labor, and nearly all of our customers leverage third party telecommunications and networks.  In essence, public sector has been leveraging shared models for years.

In discussions with my customers, I’ve seen how important it is for them to identify what they are still responsible for when using the cloud.  The more mature IaaS providers can clearly articulate the security mechanisms and control objectives for which they are responsible within the shared security model.  It’s important for partners and customers to keep in mind that there are a large number of control objectives and security requirements that remain the customers’ responsibility. It’s also good to keep in mind that at the end of the day, the customer – often the Chief Information Security Officer (CISO) – is ultimately responsible. Understanding how the various responsibility areas are allocated and who is responsible for each is a key component of a robust security posture.

IaaS providers are typically responsible for everything from the physical data center up through the abstraction layer.  This includes physical security, operation of the platform, and platform security.  Everything atop the abstraction layer – like the virtual machine atop the hypervisor or the data in an object store or virtual disk – is the customer’s responsibility.  This responsibility includes management, operations, and security of the operating systems (OS), applications, and data.  A sampling of some of the core IT disciplines that remain within the customer’s (not the cloud provider’s) purview include:

  • Backup and recovery
  • Governance, risk and compliance
  • Archiving
  • Data loss prevention
  • Encryption
  • OS and application security

Leveraging a public cloud platform (or even a private cloud) does not decrease the relevance of these core disciplines. In fact, in the shared security model, they are as relevant as they have always been in traditional on-premise IT architecture. Fortunately, many of the Symantec tools that our customers have been leveraging for on-premise security can also be utilized on cloud platforms.

So, what does all of this mean? As partners, we all need to recognize and address the new issues that can arise while we are working to meet our customers’ current needs. One of the best ways to do that is to find the right vendors who provide best-of-breed products that help our customers satisfy their need for safe, secure cloud strategy.  DLT has been a long-standing Symantec partner, and we look forward to continuing our successful relationship based on a mutual goal of delivering everything our customers need to transition to the cloud effectively.

Image courtesy of