Cloud Security

A few years ago, most companies hosted their own hardware, either in their local offices or in data center space they bought. Over the past 10 years, as cloud computing began to rise, many organizations started opting for Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) from cloud providers such as Microsoft Azure, Amazon Web Services, and Google Cloud Platform.

As companies moved from their traditional architecture into the cloud, they had to trust the cloud providers: depending on the service chosen, most of their infrastructure would be hosted entirely in a third-party environment, and the companies would not have local or physical access to the components hosted in the cloud.

So how can we ensure that everything that resides in the cloud is secure? And if there is a security breach, who is responsible? To understand cloud security, let us look at the diagram below from Microsoft:

When an organization has everything hosted on-premises (it owns its own hardware and data center), the organization is responsible for every component: physical hardware, network, OS, applications, and data governance.

When an organization opts for IaaS, the hardware components are hosted by the cloud provider, and the cloud provider will be responsible for installing, updating, and securing the underlying hardware components. The organization will be responsible for everything else, such as the OS, applications, and data governance.

When an organization opts for PaaS, the cloud provider will be responsible for the underlying hardware components and the OS. Network controls, applications, and identity and directory infrastructure will be a shared responsibility between the organization and the cloud provider. All data governance will be the responsibility of the organization.

When an organization opts for SaaS, the cloud provider will be responsible for the underlying physical hardware components, OS, network controls, and the software/application. Identity and directory infrastructure will be a shared responsibility between the organization and the cloud provider. Data governance will be the responsibility of the organization. 

Based on the service an organization chooses (IaaS, PaaS, or SaaS), it hands over part of the overall infrastructure responsibility to the cloud provider and manages the rest on its own. In IaaS, the majority of the responsibility is taken by the organization, and in SaaS, the majority of the responsibility is taken by the cloud provider.

In such scenarios, an organization will not have any idea where its data resides, who has access to it, or what happens if it gets deleted. The cloud provider, however, ensures the data is safe by providing data center backup and applying policy controls. It also offers several types of cloud: a public cloud for organizations that want to shift to the cloud completely, a private cloud for those that want their own data center hosted in the cloud and not shared with another customer, and a hybrid cloud for those that want a private cloud for managing certain applications and data and a public cloud for other activities.

Therefore, because companies and the cloud provider both take part in managing security controls and follow the guidelines of the shared responsibility model, we can be assured that moving to the cloud is efficient in terms of capital expenditure, maintenance, and the pay-as-you-go model, and provides an overall secure environment.