Cloud is a new approach to managing system infrastructure and applications and introduces new security and compliance risks. While most cloud providers do a pretty good job securing their services, one should never assume that the cloud providers are responsible for all aspects of security. Cloud security is a shared responsibility, so many responsibilities still belong to the customer. Different types of cloud services introduce different security and compliance risks.
IaaS providers are responsible only for the physical security of data centers and the security of the infrastructure management software. Customers are responsible for creating virtual networks and servers, establishing access rules, managing server patches and vulnerabilities, encrypting data, and all other security above the physical layer. Customers are also responsible for ensuring secure access to their cloud management system.
PaaS providers reduce the share of customers’ responsibility by managing the infrastructure. However, customers are responsible for the security of applications deployed on the platform. Just like with IaaS, customers set the rules for the security of access to their management platform.
SaaS solutions require little user input. As long as the customer appropriately manages access to a SaaS application and keeps access credentials confidential, the provider takes care of all other security checks. However, the customer must make sure that the level of security and compliance provided by the SaaS vendor is sufficient for the type of data that the customer intends to use with the service.
For any type of cloud service, the customer must ensure that its applications and services are managed and deployed in compliance with applicable laws and regulations. The cloud vendor must have processes, people, and checks in place to conform to all necessary agreements, and agreements such as the Business Associate Agreement (BAA) required by HIPAA or the Data Processing Agreement (DPA) required by GDPR must be signed. Additionally, businesses need to have a process in place to conduct periodic reviews of the cloud provider’s security and compliance status. This can be achieved by periodically reviewing the vendor’s audit reports, such as SOC 2 Type II, and certifications (e.g. ISO 27001, HITRUST).