Shared responsibilities for security in each service model
Government organisations and service providers have different responsibilities for each service model.
Security responsibilities that change with each service model
New Zealand’s National Cyber Security Centre (NCSC) lists and explains how each service model operates and their different levels of responsibility for managing security.
Common service models
Government organisations often use:
Public cloud services often combine aspects of multiple service models. This service-specific design highlights why government organisations need to:
- find out which level of assurance they need for the information they’re looking to use in a public cloud service
- assess the risks of using the public cloud service.
Other types of service models
The Cloud Security Alliance (CSA) explains how the shared responsibility model has grown to include changing service models.
Other types of service models help government organisation with, for example:
- desktop infrastructure
- outsourcing business processes
- container-based virtualisation
- serverless computing using functions.
Grey areas and setting configurations
In reality, these areas of responsibility are not always clear-cut in their separation.
For example, configurations that government organisations need to properly set up can cover areas that are otherwise described as being service providers’ responsibilities.
Ownership of the information’s risk
Government organisations always own the risk of the information they’re using in a public cloud service, even though managing security is shared.
How to manage security ownership
Find out how government organisations handle their security ownership by:
- assessing and managing their information’s risk
- setting up proper security configurations.