The responsibility matrix employed by Microsoft and Amazon is a natural outgrowth of the Statement on Standards for Attestation Engagements (SSAE16) SOC1 (Service Organization Controls) reporting approach, which includes a section on the breakout of service provider responsibilities from those of the end customer, commonly known as “user control considerations.” This approach is echoed in the Payment Card Industry Data Security Standard, Self-Assessment Questionnaire for Service Providers (PCI-DSS SAQ-D). Question 12.9 of that self-assessment document requires Service Providers to respond (read “attest”) to the following question: “Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?” Similarly, the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules (HIPAA Rules) require that a Business Associates Agreement (BAA) be executed between covered entities and business associates, as well as between business associates and their subcontractors, enumerating the details regarding the creation, receipt, maintenance, and/or transmission of protected health information.
One way to determine responsibilities is to map the environment, taking into consideration the de facto boundaries defined by the likes of Microsoft or AWS, and then overlay the service delivery framework, addressing key items such as account management, password controls, patch management, and vulnerability testing. The overall picture can be enhanced by mapping data flow, paying particular attention to the path(s) of sensitive data, such as electronic Protected Health Information (ePHI) and payment card information. With these assessments complete, the identification of owners and their responsibilities should be reflected in the Master Services Agreement. A Responsibility Assignment Matrix (also known as a RACI matrix) works well for this purpose.
Whatever the lines of delineation may be, infrastructure and managed service providers, subcontractors, and customers must work collaboratively to maintain a secure environment.