But when you start thinking about specific controls and managing access, most of that stuff happens within the auspices of the SaaS provider. So there isn't a lot of flexibility. Salesforce is one company that allows customers to use adjunct technology to encrypt some of the data you store in their environment down at the field level. They acquired a company called Navajo maybe two or three years ago to provide that capability.
But in terms of the continuum of who's responsible for what, when it comes to infrastructure as a service and even platform as a service, the customer is really responsible for pretty much everything that happens on the security side, whereas with SaaS the service provider or the cloud provider actually assumes all responsibility for control sets and auditing and all of those things.
SUTHERLAND: Even in the case of infrastructure providers, the cloud supplier's controls provide the base for any compliance solution, and the shared responsibility model involves selecting appropriate controls above the cloud service or management layer to combine with appropriate user-level controls, whether it's privileged identity management or just host-based and endpoint controls. So this can involve integrating vendor components to address any of your compliance objectives from security or privacy or operational risk, regulatory and legal requirements.
NW: Does the cloud service provider, whether it's SaaS or an IaaS supplier or whatever, want the buyer to assume as much control of the security environment as possible?
SUTHERLAND: It's ultimately the consumer's responsibility. But if you step down from SaaS to a platform to infrastructure as a service, the consumer is assigned more of the responsibility. As you have more flexibility, you also take on more responsibility for the security that's implemented. However, to develop a fully compliant or low-risk solution, you need to implement the user-entity controls, as some cloud providers call them. If implemented appropriately, along with your own controls above the service layer, you can really develop a secure solution.
KINGSBERRY: We recently interviewed roughly 30 leaders across industry and the federal government about cloud computing security and built our cloud hub addressing every one of the security issues. We migrated our mail and collaboration into Microsoft 365 as their first GovCloud customer, and in parallel migrated other key infrastructure components over to Amazon. All NetFlow flows through our Recovery Accountability and Transparency Board (RATB) Cloud Hub on-premises, even Microsoft 365 Web mail, meaning if you use Microsoft 365 to send an email, it comes back through our cloud hub stack from a compliance perspective. And we have capabilities within our stack, like Xceedium, that help us manage access control between Microsoft 365 and Amazon.