“We’ll order now, what they ordered then, ’cause everything old is new again.”
It’s those famous words sung by Peter Allen that have become part of the reliable repertoire at just about any karaoke bar worth its salt. Similarly, in the areas of security and compliance — where I spend my time here at ShareFile — the older Complementary User Entity Controls (CUECs) model has materialized into the Shared Responsibility Model to achieve a desired state of security and compliance in a cloudified world.
The American Institute of Certified Public Accountants (AICPA) defines a CUEC as: Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.
What the heck does that mean?
Let’s start with the simple version. For ShareFile — the service organization in this example — it means that we must create a wide variety of customizable security tools and features in the design of our product and selection of our partners, but it’s up to our user entities, which are our customers, to actually use and implement those tools and features in a way that meets the needs of their company. We have to work together to get the most out of ShareFile’s security.
But that’s just the basics. Let’s get a little more technical.
ShareFile subscribers, our customers, are user entities of ShareFile. ShareFile, in turn, is a service provider to its customers and a user entity of the Infrastructure-as-a-Service (IaaS) providers we leverage to store customer content and of the colocation datacenters where we host the main application. The IaaS providers and the colocation datacenters are, accordingly, categorized as service providers.
ShareFile relies on the colocation datacenters and IaaS providers to provide the physical and environmental controls as well as relevant technical controls, such as securing the network over which ShareFile customer data travels and rests. Among other controls, ShareFile remains responsible for protecting data in transit and at rest using industry-accepted encryption protocols and algorithms, planning for and delivering high availability, developing a secure application, and providing our customers with the capability to configure their instance of the ShareFile application.
Being able to customize ShareFile gives our customers the flexibility to configure their instance in a secure and compliant manner. As a result, they have the option to configure business logic and ShareFile security controls according to their own security policy and appetite for risk. These controls include, but are not limited to, password policy, session timeout, account lockout, and account and folder permissions.
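To make the customer's side of that arrangement concrete, here is an added example (not ShareFile code, and not ShareFile's actual configuration schema or API) of the kind of check a customer's security team could run against their own tenant settings. The setting names, the baseline thresholds and the two sample tenant configurations are all constructed for illustration; the point is that the provider exposes the controls, but whether the weak configuration or the hardened one is in effect is the customer's decision to make and to verify.

```python
"""Customer-side check of tenant security settings against an internal baseline.

Hypothetical example: setting names, thresholds and the sample configurations
below are constructed for illustration and are not ShareFile's real schema.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Baseline:
    """Thresholds chosen by the customer's security policy (constructed values)."""
    min_password_length: int = 12
    require_complexity: bool = True
    max_session_timeout_minutes: int = 30
    max_failed_logins_before_lockout: int = 5


@dataclass
class Finding:
    setting: str        # dotted path of the setting that missed the baseline
    current: object     # value found in the tenant configuration
    expected: str       # human-readable statement of what the baseline wants


def check_tenant_config(config: dict, baseline: Baseline | None = None) -> list[Finding]:
    """Compare a tenant configuration dict with the baseline and return every gap."""
    baseline = baseline or Baseline()
    findings: list[Finding] = []

    # Password policy: length and complexity are both customer-configurable.
    pw = config.get("password_policy", {})
    if pw.get("min_length", 0) < baseline.min_password_length:
        findings.append(Finding("password_policy.min_length", pw.get("min_length"),
                                f">= {baseline.min_password_length}"))
    if baseline.require_complexity and not pw.get("require_complexity", False):
        findings.append(Finding("password_policy.require_complexity",
                                pw.get("require_complexity"), "True"))

    # Session timeout: a missing value is treated as a gap, not as "no limit is fine".
    timeout = config.get("session_timeout_minutes")
    if timeout is None or timeout > baseline.max_session_timeout_minutes:
        findings.append(Finding("session_timeout_minutes", timeout,
                                f"<= {baseline.max_session_timeout_minutes}"))

    # Account lockout: must be enabled and trip at or below the baseline attempt count.
    lockout = config.get("account_lockout", {})
    attempts = lockout.get("failed_attempts")
    if (not lockout.get("enabled", False) or attempts is None
            or attempts > baseline.max_failed_logins_before_lockout):
        findings.append(Finding("account_lockout", lockout,
                                f"enabled, failed_attempts <= "
                                f"{baseline.max_failed_logins_before_lockout}"))

    # Folder permissions: flag write access granted to the constructed "anyone" principal.
    for folder in config.get("folders", []):
        for grant in folder.get("permissions", []):
            rights = set(grant.get("rights", []))
            if grant.get("principal") == "anyone" and rights & {"edit", "delete"}:
                findings.append(Finding(f"folders[{folder.get('name')}].permissions",
                                        grant, "no edit/delete rights for 'anyone'"))
    return findings


# Constructed sample tenant: every control left at a permissive value.
WEAK_TENANT = {
    "password_policy": {"min_length": 8, "require_complexity": False},
    "session_timeout_minutes": 480,
    "account_lockout": {"enabled": False},
    "folders": [{"name": "Contracts",
                 "permissions": [{"principal": "anyone", "rights": ["view", "edit"]}]}],
}

# Constructed sample tenant: same controls configured to meet the baseline.
HARDENED_TENANT = {
    "password_policy": {"min_length": 14, "require_complexity": True},
    "session_timeout_minutes": 15,
    "account_lockout": {"enabled": True, "failed_attempts": 5},
    "folders": [{"name": "Contracts",
                 "permissions": [{"principal": "legal-team", "rights": ["view", "edit"]}]}],
}


if __name__ == "__main__":
    for label, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        gaps = check_tenant_config(tenant)
        print(f"{label}: {len(gaps)} finding(s)")
        for f in gaps:
            print(f"  {f.setting}: found {f.current!r}, expected {f.expected}")
```

The weak tenant produces five findings (password length, complexity, session timeout, lockout, and the open folder grant); the hardened tenant produces none. Running something like this on a schedule, against the tenant's actual exported settings, is one way a user entity can show an auditor that its part of the CUECs is implemented rather than merely available.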
Within the context of the shared responsibility model in a hybrid cloud environment, customers and cloud providers each retain responsibility for securing their own layer(s) and for complying with the relevant aspects of law, regulation, or industry standards. As a result, customers and providers should understand and acknowledge their respective roles in providing the physical, technical, and administrative controls necessary to achieve the desired state of security and compliance.
In other words, it’s like I said before. We have to work together. ShareFile and its customers both have a part to play in keeping data safe and meeting any industry regulations.
So whether you are an attorney negotiating a contract, an auditor auditing a user entity, or an information security professional securing a SaaS application or infrastructure, the shared responsibility model is a reality that isn’t quite as complicated or implausible as it seems.
Have any questions about this part of our security and compliance conversation? Please feel free to put them in the comments, and I’ll be happy to send over an answer.