Customer Data Security Part 4: Consumer Privacy and You! The Shared Responsibility Model
[Estimated read time: 6 minutes]
Cloud services have increasingly become a critical part of many organizations today — and cloud customer service is no exception. The ability to solve business problems without having to deal with the headaches of owning the technology is extremely compelling. Many companies are reaping the benefits of the cloud, cutting costs and focusing on their core business. However, there are a few things to think about when you purchase these services, especially when it comes to compliance and privacy issues.
Who is responsible for what?
While the cloud may offer nearly turnkey software solutions, there is often confusion between the subscriber and the cloud provider about who is responsible for what when it comes to keeping your sensitive data safe and meeting your compliance obligations. For example…
• Who is responsible for security?
• Who is able to see your data?
• How is the cloud provider fulfilling their part of compliance?
These might seem like simple questions, but once you get into the details, they become more complex. Let’s talk about the basic things you need to think about when engaging a cloud service provider or SaaS (Software as a Service) vendor.
What is shared responsibility?
First and foremost, there is the concept of “shared responsibility.” This essentially means that when you subscribe to a cloud software service, the vendor is responsible for some things and you are responsible for others. The key is defining where those lines of responsibility are drawn and ensuring that both parties clearly understand what is expected of them to remain in compliance and secure.
As a real-life example, think of owning a home vs. renting an apartment. Home owners reap the benefits of full control and ownership, but it comes with the costs of maintenance and protecting your asset. On the other hand, if you live in an apartment, you may not have complete control over the property, but your investment risk is lowered and maintenance is managed by the building owners. Cloud solutions are very similar in terms of these benefits and trade-offs.
Owning a home:
• You own your possessions and the real estate
• You are responsible for maintenance
• It’s up to you to protect the house and everything in it
Renting an apartment:
• You own your possessions but not the real estate
• The owners are responsible for maintenance
• Building management partly protects your possessions
How does shared responsibility work?
When it comes to shared responsibility between you and your cloud service provider, there are many elements that are similar to the analogy of owning vs. renting. For example, your cloud software or SaaS vendor will take care of the software and its supporting infrastructure, just like an apartment complex. They should also be doing the right things to properly secure the platform from a technical standpoint. On the other hand, you are still responsible for what you do with the system and how you use it.
This graphic represents a typical shared responsibility arrangement for a company and a SaaS vendor.
- The elements in orange show what you (the client) are generally responsible for: how you use this software, what you put in it, and who you allow to access the data.
- The elements in gray show what your cloud service provider is generally responsible for: the technology supporting the software you are using.
So, what exactly are you responsible for in this partnership? Let’s break it down by Who, What, When, Where and How.
- Who do you allow to access the cloud software?
- Who is responsible for protecting usernames & passwords?
- What types of information must be protected to be compliant?
- What are you permitted to do with protected data in the system?
- When can you share sensitive data from the system?
- When does the data need to be removed for compliance reasons?
- Where can you safely save sensitive information in the system?
- Where is all this data being stored and where can it be accessed?
- How do we demonstrate to an auditor that we are compliant?
- How do we demonstrate to an auditor that our partner is compliant?
- How can we collect information or interact with customers safely?
An example of shared responsibility in the real world
As you can see, there are a lot of angles to take into account. But by following the owning vs. renting concept, you can start to make things a bit easier to understand. As an example of shared responsibility in practice, let’s use credit card data. When it comes to remaining compliant with PCI regulations, how would this work?
Shared Responsibility Example for PCI Compliance – Credit Card Data
Responsibilities for Your Business
- Ensuring you have trained your associates on the proper handling of sensitive information
- Avoiding saving credit card information in places that aren’t specifically approved for this use
- Protecting your usernames and passwords and properly administering them
Responsibilities for Cloud or SaaS Provider
- Training their systems administrators on how to properly secure systems and applications
- Ensuring that systems designated for storing sensitive information are properly secured
- Providing tools to allow you to require complex passwords and secure password resets
- Providing the ability for you to track your customer information and its compliance
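Two of the items above meet in one place: your side of the split says card numbers must not be saved where they are not approved (free-text ticket notes, chat transcripts), and the provider's side is to offer encryption and tokenization for the fields that are approved. The following is an added illustration, not code from the article: a scrubber that runs over a note before it is stored, finds digit runs that pass the Luhn check used by payment card numbers, and swaps each one for a token so the raw number never lands in the record. The sample notes, the `TokenVault` class (a stand-in for a provider's tokenization service) and all function names are constructed for this example.

```python
"""Scan free-text fields for card numbers that should never have been typed
in, and replace them with tokens before the record is saved.

Added illustration only; SAMPLE_NOTES and TokenVault are constructed."""
import hashlib
import re
import secrets

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not touching other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most false hits
    such as tracking numbers and order ids that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the digits-only PANs found in the text (Luhn-valid ones only)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


class TokenVault:
    """Stand-in for a tokenization service (constructed for this example).
    In a real deployment this is the provider's PCI-scoped system; here it is
    an in-memory dict keyed by a salted digest so the same card always maps
    to the same token within one vault."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digest = hashlib.sha256(self._salt + pan.encode()).hexdigest()[:16]
        token = "tok_" + digest
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def scrub_note(text: str, vault: TokenVault) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in the text with a vault token plus the
    last four digits (enough for an agent to confirm the card with the
    customer). Returns the scrubbed text and how many PANs were replaced."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return f"{vault.tokenize(digits)}(last4={digits[-4:]})"
        return m.group(0)   # not a card number; leave it alone

    return PAN_CANDIDATE.sub(repl, text), count


# Constructed support-desk notes: one clean, one with a card typed into chat,
# one with a 16-digit tracking number that must NOT be flagged.
SAMPLE_NOTES = [
    "Customer called about order 20231105-77; refund approved.",
    "Cust gave card 4111 1111 1111 1111 exp 12/27 over chat - charge it tomorrow",
    "Tracking number 1234 5678 9012 3456 was sent by email.",
]

if __name__ == "__main__":
    vault = TokenVault()
    for note in SAMPLE_NOTES:
        scrubbed, n = scrub_note(note, vault)
        print(f"[{n} replaced] {scrubbed}")
```

The Luhn filter is what keeps the scrubber usable: the third note contains a 16-digit run that fails the checksum and is left untouched, while the 4111… test number is replaced. Whether the token vault lives with you or with the SaaS provider is exactly the kind of line the shared responsibility discussion should settle up front.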
Understanding the shared responsibility model gives you the ability to make good decisions when working with your cloud partner, and also helps you to better prepare your team for their part in the process. Again, your major points of responsibility are following the compliance rules as they relate to how you manage your people, the tool you are using, and the processes you have to put into place to remain compliant.
Summary: top 10 things to remember about shared responsibility
Remember these 10 key points to help you to remain compliant and to protect your customers’ privacy:
- Ensure that you have trained your staff on the proper handling of sensitive data
- Ask your cloud software provider if they can encrypt and tokenize sensitive data
- Enforce strong password policies to protect your team’s accounts
- Make sure you follow good user account management practices
- Review your partner agreements for a commitment to protect the privacy of your customers
- Think about how you will meet certain requirements, such as data retention rules
- Consider how you will handle sensitive data “on the desk” as well as in the software
- If customers access the cloud platform, can the software secure their use as well?
- Where is the data being stored, and does that impact regional privacy requirements?
- How will you demonstrate to your auditors that you and your partner are compliant?
Want to learn more about customer data security? Check out the other parts of our Customer Data Security series (below).
- Customer Data Security Part 1: Common Privacy Regulations for Consumers
- Customer Data Security Part 2: What You Need to Know about PCI Compliance
- Customer Data Security Part 3: Privacy Shield and Engaging Consumers in the EU