Security and Compliance is a shared responsibility between the cloud provider and the customer. This shared model can help relieve the customer’s operational burden, as the provider operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.

Provider responsibility “Security of the Cloud” – The cloud provider is responsible for protecting the infrastructure that runs all of the services offered in the Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run Cloud services.

Customer responsibility “Security in the Cloud” – Customer responsibility will be determined by the Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, a service such as Elastic Compute Cloud (EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks. Customers that deploy an EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the firewall (called a security group) on each instance.

For abstracted services, such as S3 and DynamoDB, the provider operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.


This customer/provider shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between the provider and its customers, so is the management, operation and verification of IT controls shared. The provider can help relieve customer burden of operating controls by managing those controls associated with the physical infrastructure deployed in the environment that may previously have been managed by the customer. As every customer is deployed differently in the cloud, customers can take advantage of shifting management of certain IT controls to the provider, which results in a (new) distributed control environment. Customers can then use the control and compliance documentation available to them to perform their control evaluation and verification procedures as required. Below are examples of controls that are managed by the provider, customers and/or both.

Inherited Controls – Controls which a customer totally inherits from

Physical and Environmental controls

Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, the provider supplies the requirements for the infrastructure and the customer must provide their own control implementation within their use of services. Examples include:

Patch Management – The provider is responsible for patching and fixing within the infrastructure, but customers are responsible for patching their guest OS and applications.

Configuration Management – The provider maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.

Awareness & Training – The provider trains its employees, but a customer must train their own employees.

Customer Specific – Controls which are solely the responsibility of the customer based on the applications they are deploying within services. Examples include:

Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments.

Once a customer understands the Shared Responsibility Model and how it generally applies to operating in the cloud, they must determine how it applies to their use case. Customer responsibility varies based on many factors, including the services and Regions they choose, the integration of those services into their IT environment, and the laws and regulations applicable to their organization and workload.

The following exercises can help customers in determining the distribution of responsibility based on specific use case:


Determine external and internal security and related compliance requirements and objectives, and consider industry frameworks like the NIST Cybersecurity Framework (CSF) and ISO.


Consider employing the Cloud Adoption Framework (CAF) and Well-Architected best practices to plan and execute your digital transformation at scale.


Review the security functionality and configuration options of individual services within the security chapters of the service documentation.


Evaluate the Security, Identity, and Compliance services to understand how they can be used to help meet your security and compliance objectives.

Review third-party audit attestation documents to identify inherited controls and what required controls may be remaining for you to implement in your environment.

Provide your internal and external audit teams with cloud-specific learning opportunities by leveraging the Cloud Audit Academy training programs.

Perform a Well-Architected Review of your workloads to evaluate the implementation of best practices for security, reliability, and performance.

Explore solutions available in the Marketplace digital catalog with thousands of software listings from independent software vendors that enable you to find, test, buy, and deploy software that runs on

Explore Security Competency Partners offering expertise and proven customer success securing every stage of cloud adoption, from initial migration through ongoing day-to-day management.