Page 37 - EngineerIt April 2021
INDUSTRY AND INNOVATION
Going the cloud route does not mean abdicating responsibility for security
By Hemant Harie, managing director at Gabsten Technologies
Moving into the cloud has many benefits if done correctly, from increased agility and flexibility to
scalability and moving to an Opex rather than a Capex model. However, one thing businesses
need to always take into account is data protection and security. While public cloud service providers
(CSPs) need to ensure they have the highest levels of security in place, the onus is never solely on them
to protect data. There is a shared responsibility model applied within each CSP, and the division of
accountability depends on the way the workload is hosted. One thing is certain, however: migrating to
the cloud does not mean abdicating responsibility for data protection and security, so these roles need
to be understood and defined up front to avoid issues.
Blurred lines
When data centres are hosted on premises, the entire stack is owned by the business. While migrating to the cloud does change this and means that certain responsibilities will transfer to the CSP, not everything becomes their responsibility. For example, securing the infrastructure and physical hosts, the network and the data centre needs to be handled by the CSP. However, information and data security are always the responsibility of the business, as are endpoint devices, accounts and identities.

Accountability for security around the operating system, network controls, application, identity and directory infrastructure, however, becomes slightly more complex. This depends on the service type that has been deployed. For example, with an Infrastructure as a Service (IaaS) only model, these aspects remain the responsibility of the business. In a Platform as a Service (PaaS) model, responsibility for operating system security lies with the CSP, while the other areas are shared between the business and the CSP. When businesses adopt a Software as a Service (SaaS) model, responsibility for identity and directory infrastructure is shared, with the other elements becoming the CSP’s responsibility.

Compliance is always a business problem
Regardless of the service delivery model, the business is always responsible and accountable for ensuring that both their solution and their data is secure and compliant. This requires data to be effectively managed, identified, labelled and classified to meet compliance obligations, such as those defined by the Protection of Personal Information Act (PoPIA).

The reality is that only the business can know which data is sensitive customer information. They cannot expect a CSP, that has no knowledge of the business and its customers, to take on this task. While there are solutions and service providers available that can assist businesses to more effectively manage, classify and protect their data, this always remains the business’ responsibility and cannot be passed on to any service provider.

Practice safe computing
When it comes to cloud migrations, it is essential for businesses to carefully consider and evaluate the offerings from various CSPs and how the different shared responsibilities will affect cost, ease of use, privacy, security and compliance. Businesses must ensure they adopt the solution and service that will offer the highest levels of security and compliance to maintain safe computing solutions.

Moving to the cloud does not mean shifting all responsibility for security to the CSP, and businesses need to be aware of their own responsibilities. Cloud providers need to provide for certain data protection and security elements, but ultimately businesses remain responsible and accountable for their data. A well designed and implemented cloud solution can help to enhance and improve security overall, but only if this shared responsibility model is understood and effectively put into place first.