Migrating to the Cloud: What Shared Responsibility Means For Your Organization
For organizations on the journey of digital transformation, migrating to the cloud is often high on the list of priorities. Legacy tech stacks and systems are often incompatible with newer technologies, or even outright unstable and treated as a single point of failure because they cannot scale and no longer receive security support for something as critical as patching vulnerabilities. The elasticity that public or private cloud provides, along with the many security technologies available there, adds to the benefits of a cloud migration.
Yet, for many, the move is often fraught with questions about the security of your (and your customers’, users’, citizens’) data in the cloud. You may have heard something along the lines of “the customer is responsible for security and compliance in the cloud, while the cloud service provider (CSP) is responsible for the security and compliance of the cloud.” This is called a shared responsibility model. But let’s take a quick peek into some basics of what this means and how it may apply to your cloud environment.
What is Your Responsibility?
As the customer, your responsibilities in the cloud will be based upon the services/products that your organization will use (this is critical because responsibilities will vary between different services and products).
For example, a hospital with specific regulatory/compliance requirements might also need the ability to scale while remaining secure, and to absorb bulk updates while doing so. Not only would it have to select services that are certified for use under its internal requirements, but it would also have to consider services that let it scale securely, storage for its bulk updates, access control lists for its network traffic, etc. This is a high-level example of how responsibility can potentially shift more toward the customer, given the nature of their specific requirements. The overall cloud deployment strategy will vary amongst customers, and some customers will be able to shift more security controls to the CSP side to manage. This depends on the cloud service model in use by your organization, e.g., Software-as-a-Service, Platform-as-a-Service, or Infrastructure-as-a-Service.
Organizations should also understand what is inherited from the CSP and what could potentially be a shared control and/or responsibility. For example, if using Amazon Web Services as the CSP, the customer would not be responsible for things such as Edge Locations, creating Availability Zones (you are not responsible for physically building this isolated location or any hardware that runs within it), the API servers of the EKS control plane if using EKS, the underlying network, etc.
Ultimately, the customer is responsible for their own data. This includes encryption (yes, the customer is responsible for configuring it), data integrity, and the authentication and authorization mechanisms that will be used for data access, security, and management.
While not an exhaustive list of responsibilities, the following are some considerations that organizations must understand when assessing their overall migration and security capabilities.
What’s Our Responsibility?
Software-as-a-Service providers are responsible for things such as APIs and middleware, virtualization, network security, and much more. It is important to understand that most of the applications we provide run over the Internet, so a huge part of how we meet our goal of ensuring security and compliance for the customer is by securing our platform and making sure that all maintenance and management of the applications customers use is secure, resilient, and highly available for the end user. The point is, we are ALL responsible for cloud security.
Will Salesforce help with identifying the customer’s responsibility?
It’s important to note that programmatic approaches, security, compliance, and governance tips will slightly vary, depending on your particular Salesforce security model. However, what will remain the same across all security models is Salesforce's commitment to assisting your organization with best practices for secure architectural design, negotiating and architecting solutions for complex problems and explicit business requirements, and providing guidance on application and integration development best practices, to name a few.
It’s all part of our commitment to customer success. We’re here to help you address the basic requirements for conducting an internal migration readiness assessment, analyze business and security requirements, and advise on migration strategy, timeline, security roadblocks, and more.
Once we’ve done that (and then some) and are in agreement that a successful migration is possible, we take a deeper dive into identifying the customer’s responsibilities right upfront. We offer customizable native security controls such as authentication mechanisms, user permissions, and IP allow lists, to name a few. We also offer many out-of-the-box products and core features that can be useful for running your business. Again, as the customer, your responsibility is to ensure your organization is fully prepared and capable of fulfilling its share of the responsibility for each product that your organization selects.
We’re all for building solid partnerships and relationships with our customers, their stakeholders, and other cloud service providers, which is why every approach to your cloud migration needs will be tailored in a manner that works for YOU! If you’d like to learn a little more about Trust and Security here at Salesforce, check out the Learn About the Shared Responsibility Model module on Salesforce’s free learning & training platform, Trailhead!