Shared responsibility in the cloud September 8, 2016 by Chris Collins AWS, cloud, cloud storage, security, shared responsibility Companies are racing to capture data about their customers. As I’m writing this, there are 120 companies monitoring and collecting data about my online interactions (you can check how many companies are tracking you here). It’s unsettling to think that if any of those companies get breached, your data is at risk. It is the responsibility of companies to make sure they are keeping customer data as secure as possible. When storing data in the cloud, there are several ways to tighten security and privacy. The shared responsibility model is just what it sounds like; sharing the responsibility of security at every level and on each platform. This means as a company you take all possible security measures, you choose a service provider that takes security just as seriously, and you choose a secure cloud manager. Physical security in the cloud Cloud storage is becoming increasingly popular, with some estimating that over 50 percent of all computer information is now housed within the cloud. But, choosing the right, secure cloud provider is imperative. When deciding on a cloud service provider, consider its regional availability, backup procedures, key management procedures, physical security practices and the high availability deployment models offered. At Janrain, we partner with Amazon Web Services (AWS) and they manage the security of the cloud in the shared responsibility model. AWS provides secure infrastructure and services, while we are responsible for secure operating systems, platforms and data. Our clients are responsible for the security of their passwords and the administrative access assignments they make. Some of AWS’s certifications include DoD SRG, FIPS, SOC1/2/3 and ISO. For a full listing of AWS Assurance Programs, visit https://aws.amazon.com/compliance/. Company best practices It is the responsibility of every company to make sure it develops and implements proper security policies. While it’s important to choose service providers that are secure, it’s just as important to make sure your company has its own security practices. The key is having reliable and repeatable practices and controls. For example: Get audited We want to make sure our security measures are working and up-to-date. That’s why we test ourselves. We bring in outside auditors to perform testing so we can prove to ourselves and to our clients that any data we have is secure. Getting audited regularly helps us stay relevant and as secure as possible. We are all human and can make mistakes, so best not to leave something as important as security to chance. The controls required to become and to stay compliant will only guide you and your business toward best practices. An open mind to the continuous improvement of policies and procedures will prepare your organization for the quickly evolving audit control landscape that you will be required to maintain in order to remain compliant. Scope access It’s company responsibility to ensure that only necessary persons have access to data. The more people who need or use data, the more exposure to the possibility of unintentional data leaks. By scoping access, you can ensure that only the minimum level of data is available to each individual. Industry standard policy of ‘least privilege’ is employed to ensure those who require sensitive access have it while guarding against granting sensitive access to users who do not require that access to perform their job function. Choosing a secure service provider When working with different vendors and service providers, you must have a system in place to ensure their security is up to par. Ask questions before handing over any data to them. Do they have the right tools to implement controls? Do they scope employee access? Do they encrypt data? Do they have security certificates? Are they compliant with all of your data policies? In order to guarantee your vendors take security as seriously as you do, put them to the test. Require all new vendors submit a security questionnaire that you can maintain on file, and can have refreshed on an annual basis. Depending on the vendor relationship, requesting the right to audit the vendor periodically might also make sense. As a service provider, we take security seriously and show our customers this by implementing best practices and maintain privacy and security certificates. Embracing security is a strategic advantage, whether you are a cloud provider, brand or service provider. In an era where identity and data are more important than ever, make sure you are taking all appropriate measures to keep your data secure. Read more about our security and privacy practices here. This article originally posted in SecureID News. SecureID News.