A shared responsibility model of cloud compliance and security: part II

In a previous blog post, I described how Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) customers and cloud service providers share the responsibility to employ physical, technical and administrative controls in a manner that contributes to the desired state of security and compliance. Now, I’m here to give you the rest of that shared-responsibility story — compliance.

The idea is that control activities performed by each entity supplement activities performed by all other stakeholders so that all activities, evaluated as a whole, satisfy relevant legal, regulatory and industry standards — as well as our customers’ internal security policy and risk appetite.

“Are you compliant with ?”

I constantly field this question from our sales and support teams, and even from our security- and compliance-conscious customers. But my “well, that’s not the right question” answer usually catches them off guard.

Why is it not the right question? The highly customizable nature of cloud-provider infrastructure and services, including SaaS applications, means that the responsibility to comply with every aspect of a law, regulation or standard doesn’t lie squarely with one entity. So asking whether a service is compliant assumes that the service alone holds responsibility for that compliance.

In reality, all stakeholders, including customers and even their end users, share some responsibility to secure and comply with relevant laws, regulations and industry standards.

So the more accurate question might be, “Can we use your infrastructure, services or application and remain compliant with ?” In other words, we don’t make you compliant automatically, but we do support compliance.

How ShareFile supports compliance

Citrix ShareFile is highly customizable. As a result, customers can configure a number of business logic and application security controls and remain compliant with most laws, regulations or standards, as long as they recognize that there is more to security and compliance than configuring the application to enforce the appropriate thresholds for password policy, account lockout and session timeout, among other controls.

ShareFile, of course, remains responsible for securing the infrastructure and securely developing an application that directly or indirectly supports the relevant security or compliance requirements promulgated by a governing body. Our customers remain responsible for implementing control measures, most of which are technical or administrative in nature, to fulfill requirements that we cannot address on their behalf or that have been delegated to them as customer-configurable controls within the administrative user interface.

Learn more about our security and compliance and check out our security data sheet for all of the ways ShareFile enables you to safeguard your data.