Thursday, February 28, 2013

Who is responsible for data security in the cloud?


This post is about the approach to the question of who is responsible for security. Because many standard security controls are applied at the application layer or in the data store, both of which are typically owned by whoever controls the software application, customers often retain control of, and responsibility for, many specific security functions. In the IaaS and PaaS models, many standard security controls, such as backups, encryption, access management, logging attributes and IDS, must be provisioned and executed by the customer. In practice, responsibility for cloud security is shared between the preferred cloud service providers and you. The manner in which this responsibility is divided will depend on the specific solution designed to provide the cloud service.

Specific categories of requirements correlate to which party, the customer or the cloud service provider, controls which portion of the computing infrastructure. For instance, the preferred cloud service providers will be responsible for physical security in all cases, and for securing access to hardware in all cases other than co-location deployments. Whoever controls the application will, necessarily, be the party who must deploy application-level security measures. This could be a SaaS cloud service provider, a system integrator, or the customer’s IT team, depending on the extent to which the customer manages the application. The specific service model selected and the specific regulatory regimes applicable to your data will determine the allocation of security responsibilities. Whether the cloud service provider has logical access to data, and under what circumstances, is a significant driver for the specific requirements that need to be flowed down to the cloud service provider. For instance, in some cloud scenarios, the cloud service provider has super-user access rights that enable it to override all other users and gain logical access to the data on its systems. In other scenarios, the customer may hold the “dominant” super-user rights and may provision cloud service provider personnel with access in the same way it would provision its own administrators’ access. In these scenarios, the cloud service provider has no logical access to data that the customer does not expressly grant to it. Under this model, the customer also has the ability to establish the logging attributes and audit procedures, to monitor the activity of cloud service provider personnel on the system, and to shut down the cloud service provider’s access at any time.
