December 8, 2016 - The Importance of Defining Cloud Security Responsibilities

As migration into the Cloud accelerates, the criticality of identifying who owns security responsibilities becomes imperative. What are the responsibilities of the Cloud infrastructure provider, the managed service provider, and the end customer? Delineation of these lines of responsibilities are key to a clear set of mutual expectations, an unambiguous Master Services Agreement (MSA), and, perhaps most importantly, a well-coordinated security incident response. Understanding who holds what information and how to tap into it can save valuable time in evaluating the extent of a suspected security event

In the Microsoft Azure environment, Microsoft is responsible for the physical aspects of the Cloud infrastructure. The Amazon Cloud Hosting (AWS) model draws strict lines of demarcation between their security responsibilities, which lie “of” the cloud (AWS Global Infrastructure, Storage, Compute capabilities) and the customer’s responsibility, which lies “in” the cloud (platform, applications, access). In both cases, customers are responsible for their own data. The challenge for managed services providers and their customers is to define where each of their lines of responsibility begin and end.

The responsibility matrix employed by Microsoft and Amazon is a natural outgrowth of the Statement on Standards for Attestation Engagements (SSAE16) SOC1 (Service Organization Controls) reporting approach, which includes a section on the breakout of service provider responsibilities from those of the end customer, commonly known as “user control considerations.” This approach is echoed in the Payment Card Industry Data Security Standard, Self-Assessment Questionnaire for Service Providers (PCI-DSS SAQ-D). Question 12.9 of that self-assessment document requires Service Providers to respond (read “attest”) to the following question, “Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?” Similarly, the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules (HIPAA Rules) require that a Business Associates Agreement (BAA) be executed between covered entities and business associates, as well as business associates and their subcontractors, enumerating the details regarding the creation, receipt, maintenance, and/or transmission of protected health information.

One way to determine responsibilities is to map the environment, taking into consideration the de facto boundaries defined by the likes of Microsoft or AWS, and then overlay the service delivery framework, addressing key items such as account management, password controls, patch management, and vulnerability testing. The overall picture can be enhanced by mapping data flow, paying particular attention to the path(s) of sensitive data, such as electronic Protected Health Information (ePHI) and payment card information. With these assessments complete, the identification of owners and their responsibilities should be reflected in the Master Services Agreement. A Responsibility Assignment Matrix (also known as a RACI matrix) works well for this purpose.

Whatever the lines of delineation may be, infrastructure and managed service providers, subcontractors, and customers must work collaboratively to maintain a secure environment.

Cyndee Milley

Cyndee is the Director of Compliance and Internal Controls in Apps Associates Cloud Services Practice and a Certified Information Systems Auditor (CISA). In addition to possessing a background in audit and compliance, Cyndee’s experience extends into IT security, user interface design, process improvement and information architecture. Prior to joining Apps Associates, Cyndee held positions at Charter Communications and Data Intensity.