Date: August 10, 2017
Author: 11:11 Systems
Editor’s Note: As of January 2022, iland is now 11:11 Systems, a managed infrastructure solutions provider at the forefront of cloud, connectivity, and security. As a legacy iland.com blog post, this article likely contains information that is no longer relevant. For the most up-to-date product information and resources, or if you have further questions, please refer to the 11:11 Systems Success Center or contact us directly.
There have been several articles published recently discussing the shared responsibilities of cloud service providers (CSPs) and customers when it comes to cloud computing.
The lure and mystique of cloud computing sometimes gives customers a false sense of security (no pun intended) that the cloud will auto-magically provide new levels of security for their applications, without them even having to think about it. However, the cynics out there will also remind us that the cloud is just ‘someone else’s computer’, and to a certain extent that is true.
With cloud computing prevalent for several years now, many will be familiar with the “Pizza as a Service” comparisons that have been bandied around on LinkedIn, Facebook, and Twitter. People are trying to use a pizza analogy of “make it yourself” versus buying it from a take-away or restaurant.
As seen in the example above, this analogy has been used to explain the differences between on-premises IT and the cloud computing offerings of IaaS, PaaS, and SaaS.
Breaking this down further, and more relevant to IT, we see a clear division of responsibilities for IaaS when compared to on-premises IT.
In the diagram above, all the main elements are detailed from an on-premises and IaaS perspective. Arguably, there could be another box for “cloud management platform”, and you will find differing versions of the diagram out there.
Virtualization is a key technology that has enabled cloud computing, and cloud management platforms have enabled the self-service capabilities that we now know as cloud, from the virtual machine (CPU and RAM) and storage through to the provisioning of complex virtual networking.
Physical Security
Starting at the bottom of the stack, it is worthwhile to spend a moment discussing the physical aspects of cloud computing. With on-premises implementations, the customer would be responsible for everything, including the physical data center or computer room and its security, power, cooling, and networking.
When thinking about cloud, in most cases the cloud service provider will be leasing space from a data center provider, so customers should be asking:
- Where is the data center? Whose data center is it? Are there several locations?
- How secure is it? What about perimeter security, CCTV, and entry systems?
- What industry accreditations does the data center provider have?
- Can I visit?
- What provisions are there for power, cooling, and networking?
- How resilient are all of these things?
Equally, for the cloud service provider:
- What industry accreditations do you have for your processes and compliance?
  - e.g. ISO 27001, ISO 27000, ISO 9001, CSA STAR, HIPAA, G-Cloud, etc.
- What SLAs do you provide around availability, performance and support?
- Who has access to my cloud environment?
- Will the data stay in the locations I have selected? Could it be moved or copied elsewhere, perhaps out of the country?
Over recent years, 11:11 Systems has partnered with world-class data center providers who not only provide excellent facilities, but also have strong relationships with telecom providers, enabling easy connectivity for 11:11 customers if needed.
Security and Compliance
Here at 11:11, we take security and compliance very seriously. As we’ll discuss later, most enterprise organizations have built up compliance teams over recent years, especially in the heavily regulated industries, and have had to attain certifications or attestations. So, when consuming cloud services, these organizations will need the same levels of compliance and security, but that is often difficult to achieve when working with public cloud providers who are trying to be all things to all people.
Through our cloud console, 11:11 is able to share all our compliance documentation which includes:
- ISO 27001 for Information Security Management Systems (ISMS)
- ISO 20000 for IT Service Management
- ISO 9000 for Quality Management Systems (QMS)
- SSAE 16/18, SOC 2
- PCI-DSS (for 11:11 as a business and the cloud infrastructure)
- NIST 800-53 Security controls for US Federal Systems following FISMA
- HIPAA/HITECH regarding data privacy and security provisions for safeguarding healthcare data
- CSA STAR Certification – Gold
- UK ICO / G-Cloud 9
We are also able to offer on-demand Compliance as a Service and audit control alignment, in order to tailor compliance reporting for individual customers.
In the second part of this blog series, we’ll drill down into the upper section of the stack, the aspects that will be managed by the customer.