Amazon Web Services (AWS) has pioneered the Shared Responsibility Model in the cloud. Basically, this model outlines how cloud service providers and consumers of these cloud-based services should share responsibilities when it comes to ensuring security in the cloud. AWS and other cloud service providers (CSPs) are responsible for ensuring that cloud infrastructure is secure. Meanwhile, companies (those using the cloud services) are responsible for their data, networks, applications, and operating systems — anything they own that lives in the cloud.
As AWS states: “vendors are responsible for security of the cloud; companies are responsible for security in the cloud.”
We’ve talked before about why security and compliance are tightly related but not the same. As you would expect, the Shared Responsibility Model applies to compliance just as it does to security. So, when it comes to compliance in the cloud, the Shared Responsibility Model means:
- Your CSPs are responsible for the compliance of their cloud-based infrastructure.
- You are responsible for the compliance of your own data, networks, applications, and operating systems that live in the cloud.
Let’s take a deeper look at what this means.
Why the Cloud Is Different
When it comes to both security and compliance in the cloud, the approach to meeting requirements is very different from on-premises. What makes it different all comes down to ownership and control. To reap the benefits of the cloud — flexibility, scalability, and cost-efficiency — companies inherently give up some ownership and control. In order to take advantage of these benefits in a way that also keeps data and systems secure and compliant, both sides of the equation need to take on some responsibility.
Here are two major considerations you should take into account when determining how the Shared Responsibility Model applies specifically to compliance for your company:
1. HIPAA Requires Business Associates to Sign Compliance Contracts
As we have mentioned before, any company that wants to do business with another company that is subject to HIPAA needs to be willing to sign a business associate agreement (BAA). This is essentially a formal way of committing to hold up their end of the Shared Responsibility Model as it applies to compliance. If a company won’t sign a BAA, HIPAA guidelines advise you to avoid doing business with them. All major cloud service providers offer BAAs to customers who require HIPAA compliance for their use of the provider’s services. It’s important to note that, frequently, these agreements only cover specific services. Consider the following:
While not all compliance frameworks require this type of formal agreement, the basic concept can be applied to other types of compliance. For example, if you ask your CSP whether their infrastructure is PCI DSS compliant and they won’t give you a straight answer or can’t explain why they aren’t or don’t have to be compliant, you should probably move on, as they may not be prepared to hold up their end of the compliance requirement.
Ultimately, if you work with a cloud services provider that is not compliant, and something happens, you won’t have a ton of recourse. Better to do your diligence up front.
2. Make Sure You Understand Exactly What You’re Responsible For
All of that said, the only way to make sure you are upholding your end of the bargain is to understand exactly what parts of the model you are responsible for. So, to be absolutely clear, if you use AWS for cloud infrastructure (for example), they are responsible for meeting compliance on:
They are also responsible for the compliance of their global infrastructure, which includes servers and other hardware located in all regions, availability zones, and edge locations around the world.
Meanwhile, you are responsible for ensuring the compliance of your:
- Identity and access management tools and processes
- Operating systems
- Firewall configurations
A lot of companies believe that, if they host an application on AWS, it is Amazon that is ultimately responsible for ensuring compliance. But, as we have seen above, that is NOT the case. Be sure to study these distinctions and know like the back of your hand how they map to your own unique environment.
With Great Responsibility Comes Great Relief
The good news is that you’re not in it alone anymore, like in the days of all-on-prem, all-the-time. Sharing the responsibility can be nerve-wracking in some ways, but if you work with a trusted provider like AWS, it can also take quite a bit of burden off your shoulders. Just make sure that you are deeply familiar with the details of who-does-what, and you’ll be well prepared to ensure top-to-bottom compliance.
To learn more about how to meet compliance requirements today, follow along with our weekly compliance series by subscribing here: http://get.threatstack.com/compliance-blog-series. As a bonus, we’ll make sure you’re the first to receive the Compliance eBook we’re releasing in September.
If you have questions, tweet us @ThreatStack, or send an email to firstname.lastname@example.org.