Security and District Responsibilities

“The category of cloud service offered by the provider (IaaS, PaaS or SaaS) has a significant impact on the split of responsibilities between the customer and the provider to manage security and associated risks. For IaaS, the provider is supplying (and responsible for securing) basic IT resources such as machines, disks and networks. The customer is typically responsible for the operating system and the entire software stack necessary to run applications, and is also responsible for the customer data placed into the cloud-computing environment. As a result, most of the responsibility for securing the applications and the customer data falls onto the customer. In contrast, for software-as-a-service, the infrastructure, software and data are primarily the responsibility of the provider, since the customer has little control over any of these features. These aspects need appropriate handling in the contract and the SLA.”

—Cloud Standards Customer Council

How secure is my data?

Security in the cloud is a shared responsibility between districts and their Cloud Service Providers (CSPs).

With respect to the responsibilities of the CSP, the district should ensure that these are addressed in its contract or SLA, and that these functions are audited. Considerations may include:

  • Event logging and notification
  • Unwanted traffic (e.g. DDoS) protection
  • Availability requirements
  • Intrusion detection and prevention
  • Data ownership
  • Data security
  • Compliance with legal and policy requirements of the district

It is a common misunderstanding that cloud computing is less secure than data center hosting, but the higher level of security available through cloud computing can only be achieved if both the CSP and the district fulfill their responsibilities and there are no gaps. Districts should ensure that their Service Level Agreements (SLAs) include a clear and complete delineation of responsibilities.

Another misunderstanding is that government cloud is more secure than public cloud. In fact, the security provisions developed for government cloud and Fortune 100 companies are available in the public cloud at no additional cost. Today, districts are able to leverage the leading innovations developed for industry and government.

With IT-as-a-Service, the district doesn’t give up control of their infrastructure and accounts.

The CSP will generally secure from the hypervisor down, while the district is responsible for the hypervisor up, and together they are more secure.

Cloud computing does create new risks: vulnerabilities from shared resources, potential access to data by non-district personnel, access over the Internet that does not require access to physical resources, and possible non-compliance with district legal requirements by the CSP and its subcontractors and vendors. The district addresses these vulnerabilities by fulfilling its responsibilities, such as internal network security, authorization and identity management, and professional development of staff on social engineering, passwords, and the implications of using third-party apps.