Security responsibilities that change with each service model

New Zealand’s National Cyber Security Centre (NCSC) lists and explains how each service model operates and their different levels of responsibility for managing security.

Cloud computing: shared responsibility security models — NCSC

Common service models

Government organisations often use:

• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS).

Public cloud services often combine aspects of multiple service models. This service-specific design highlights why government organisations need to:

• find out which level of assurance they need for the information they’re looking to use in a public cloud service
• assess the risks of using the public cloud service.

Other types of service models

The Cloud Security Alliance (CSA) explains how the shared responsibility model has grown to include changing service models.

The evolution of cloud computing and the updated shared responsibility — CSA

Other types of service models help government organisation with, for example:

• desktop infrastructure
• outsourcing business processes
• container-based virtualisation
• serverless computing using functions.

Other types of service models

Grey areas and setting configurations

In reality, these areas of responsibility are not always clear-cut in their separation.

For example, configurations that government organisations need to properly set up can cover areas that are otherwise described as being service providers’ responsibilities.

Ownership of the information’s risk

Government organisations always own the risk of the information they’re using in a public cloud service, even though managing security is shared.

How to manage security ownership

Find out how government organisations handle their security ownership by:

• assessing and managing their information’s risk
• setting up proper security configurations.

Security ownership in all service models