Generally speaking, the Microsoft Azure and Clarity offering falls into a PaaS solution model, such that the Client team will be responsible for Identity & Access management, Client & endpoint protection, and Data classification & accountability. Microsoft Azure will be responsible for the Physical Security, Host infrastructure, Network controls, and Application-level controls. Clarity will generally be responsible for the Application-level controls and Identity and Access management functionality.
ΒΆ Shared Responsibilities
The widely understood cloud service models as defined in the NIST Definition of Cloud Computing Special Publication 800-145 are infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). The service model that is chosen by customers also dictates the responsibilities of managing their cloud environment. The diagram on the next page shows the split in responsibilities by key areas and is critical for all customers to understand, but especially those in regulated industries as they assess and mitigate risks.
NOTE: The customer is completely responsible for all aspects of operations when solutions are deployed on-premises.
- With IaaS, the lower levels of the stack, physical hosts or servers, and host security are managed by the platform vendor. The customer is still responsible for securing and managing the operating system, network configuration, applications, identity, clients, and data. For the developer, an obvious benefit of IaaS is that it reduces the developer requirement in configuring physical computers.
- With PaaS, everything from network connectivity through the runtime or identity service may be provided and managed by the platform vendor. PaaS offerings further reduce the developer burden by additional supporting the platform runtime and related application services. With PaaS, the developer can almost immediately begin creating the business logic for an application.
- With SaaS, a vendor provides the application and abstracts customers from all of the underlying components. Nonetheless, the customer continues to be responsible to ensure that data is classified correctly and that user devices are secured and protected when connected to the service.