Data is, to a degree, vulnerable. This goes for everything, be it a major retailer losing data due to POS tampering, an ATM running Windows XP left open to vulnerabilities, a PC gaming network that used a flawed security system to protect 77 million accounts, or even cloud applications. Cloud haters are quick to find flaws with certain points of the application, but 3 of the 4 statements mentioned previously were in the direct control of the IT departments responsible for protecting the systems.
But what does this mean for you, an individual considering the cloud? It means that you need to know who is responsible, what this responsibility entails, and how the individual or team responsible will protect the data.
Responsibilities and Control in Cloud Security
Thanks to CloudTweaks, we would like to share the separation of roles in security, whether managing on-premise, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS) offerings.
According to Takabi et al. (2010), cloud service providers and customers are both responsible for security and privacy in cloud computing environments, but their level of responsibility differs between delivery models.
- Infrastructure as a Service (IaaS) serves as the foundation layer for the other delivery models, and a lack of security in this layer affects the other delivery models. In IaaS, although customers are responsible for protecting operating systems, applications, and content, the security of customer data is a significant responsibility for cloud providers.
- In Platform as a Service (PaaS), users are responsible for protecting the applications that developers build and run on the platforms, while providers are responsible for keeping users' applications and workspaces isolated from one another.
- In Software as a Service (SaaS), cloud providers, particularly public cloud providers, have more responsibility than clients for enhancing the security of applications and achieving a successful data migration. In the SaaS model, data breaches, application vulnerabilities and availability are important issues that can lead to financial and legal liabilities.
What does this mean? First of all, it means that control equals responsibility, but control does not mean security. Remember the Target and Sony breaches, alluded to at the beginning of this article? Guess who was in control.
People who say they will not move to the public cloud due to the lack of control, which they argue means lack of security, are not living in the real world.
Security—cloud or not—is measured by the amount of planning and technology that goes into ensuring the data is effectively protected. It’s not about where the data resides.
In fact, we’re seeing data that’s actually more secure on public clouds than it was on internal systems. Indeed, the breaches continue to focus on unsecured local systems, with public clouds largely spared thus far.
Control does not equal security, and it never did. Those who continue to push back on cloud computing using security as an excuse, without understanding the real issues, are doing their businesses a disservice.
What Does This All Mean?
Well, as said multiple times, it is your responsibility to know who is in control, who takes responsibility, and what they are doing to protect your data. Understand that without the right protections, any system is vulnerable.
This is all part of the guarantees offered by SaaS companies Intacct and SugarCRM. When companies work to protect the data and uptime of a service, and consistently work to meet or exceed these goals, the applications can be trusted.
InCloud360 is a leading provider of cloud applications Intacct and SugarCRM to growing businesses throughout the Southeastern United States. Learn more about the solutions and insight provided by InCloud360, and contact us for more information.