By Goran Novkovic, MESA Member, CQA, CSQE, ITIL, APM, PMP, PEng
This blog is part of a series called Manufacturing in the Cloud. This series aims to assist manufacturing organizations in evaluating how they can overcome challenges and maximize cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve.
Security in the cloud is always a hot topic. The rapid adoption of cloud computing services globally has been impacted by concerns over data and software security and regulatory compliance. The maturity of a cloud computing environment provides adopting manufacturing organizations with an understanding of the suitability of the cloud services and the level of investments required by the manufacturing organization in order to address any security and regulatory compliance challenges.
To identify, analyse, and manage the responsibilities associated with software and data security and regulatory compliance in the cloud, the manufacturing organization can use the Cloud Responsibility Matrix. This matrix can also be used to define ownership and shared responsibilities between the manufacturing organization as Cloud Service Customer (CSC) and the Cloud Service Provider (CSP), and ensure both parties have a clear understanding of the implications of security and regulatory compliance.
Consider the situation in which a manufacturing organization (as Cloud Service Customer - CSC) decides to build its own virtual network using a public cloud that includes data and software applications that leverage the CSP’s infrastructure (an IaaS configuration). The Cloud Responsibility Matrix shows that data security and governance, risk, and compliance (GRC) are the complete responsibility of the CSC. The CSC is also responsible for application security, with the exception of the SaaS service model, where it may be a shared responsibility between the CSC and CSP.
In the case of SaaS, the responsibility is shared because the CSP is responsible for the software application itself, while data used or generated by that application can fall under the responsibility of the CSC. CSCs are still expected to manage data assets in terms of data storage, backup, data encryption, and so on.
As for platform security:
a) the CSC is responsible in the case of the IaaS service model
b) there is a shared responsibility in the case of the PaaS model
c) the CSP is responsible for platform security in the case of the SaaS model.
In terms of infrastructure security, the CSP has full responsibility under the PaaS and SaaS service models, whereas under the IaaS model it can be a shared responsibility with the CSC. The CSP has ultimate responsibility for physical security for all cloud service models.
Does it look simple and clear to you? Please read it as many times as you need to remember! It is critically important to keep the Cloud Responsibility Matrix in mind.
An effective, trusted cloud environment requires robust security governance, which has to be established within every manufacturing organization. This is the platform for successfully managing the security of data and software applications in the cloud.