The Cloud Experience Everywhere
SimonLeech

Working together with HPE GreenLake: Understanding security shared responsibilities

The concept of shared security responsibilities is a familiar one in everyday life. If I go on a plane journey, for example, I have the responsibility to make sure that there’s nothing dangerous in my carry-on, and airport security personnel have the responsibility to screen passengers and baggage.


In the IT realm too, shared security responsibility is a familiar notion for anyone who has used the public cloud. The cloud services providers are usually pretty vocal about where the responsibilities lie and what steps customers need to take to help protect their data. A common formula is that the provider is responsible for the security of the cloud – i.e. the hardware, software, network and facilities running the workloads – and customers are responsible for security in the cloud – including platforms, applications, and identity and access management.

In today’s hybrid cloud environments, where solutions can be customized to your needs across a variety of locations – including on-premises, at the edge and in colocations – shared responsibilities can seem a little less intuitive. For example, with the HPE GreenLake edge-to-cloud platform, when we build a solution for a customer, we build in the security controls for a pay-as-you-go solution that brings the cloud experience to wherever the data is located. We offer a huge range of cloud services in the HPE GreenLake portfolio, and there is always a large element of customization involved. In fact, that’s one of the great benefits of working with HPE – we not only give you that cloud experience, but we customize it to fit your business drivers. When we go to the next customer, we might design something different. It’s not the same as a public cloud provider, where if you want a firewall you might choose, say, one of a number of firewall vendors from a service catalog.

A simple model for security shared responsibilities

To help businesses understand the roles and responsibilities for security with HPE GreenLake cloud services, HPE has created the HPE GreenLake Security Shared Responsibility Model. You can read a white paper on the model here: Sharing Responsibility for Security with HPE GreenLake.

Here’s how it looks. The blue-shaded areas above the dotted line represent the customer’s zones of responsibility, and the unshaded areas below the line are HPE’s areas.

The HPE GreenLake Security Shared Responsibility Model


I’ll unpack just a couple of points here. The first thing to notice is that the model follows the general principle, used widely by other cloud providers, which I mentioned above: HPE is responsible for the security of the hybrid cloud platform and experience; customers are responsible for the security of their data in the hybrid cloud. HPE is primarily responsible for the security of the HPE GreenLake infrastructure. The customer or colocation provider is responsible for physical security as well as user access and permissions.

Second, responsibility for the OS and applications, as well as some other systems, varies depending on the solution. The model covers bare metal as a service; containers or virtual machines as a service; and workloads as a service. In the case of bare metal, the customer’s responsibilities include whatever they choose to run on top of the hardware. In the case of containers/VMs, HPE takes the responsibility for the orchestration layer, software-defined networking, the bare metal OS and hypervisors. And in the case of workloads, HPE’s responsibilities extend further to include the applications and guest OS image. In all of these use cases, the customer always retains responsibility for the security of the data that they choose to place within the environment.

Secure from the ground up

It’s important to bear in mind that the HPE GreenLake platform is secure by design, from the silicon up. Our infrastructure and cloud services are protected by our Silicon Root of Trust technologies, zero-trust-enabled architectures, and trusted supply chain.

Another great advantage of working with HPE, and a big differentiator from the hyperscalers, is the sheer breadth of the services we can provide around your hybrid cloud initiatives. Through the HPE Advisory and Professional Services cybersecurity practice, we can work with you to build a comprehensive security architecture including all the security controls necessary to meet your specific business needs as you move to become a hybrid organization.

And if you’re interested in a managed services approach to your IT estate, including security, risk, and compliance, you should definitely check out HPE GreenLake Management Services. You can read here about managed security from HPE GreenLake Management Services and how we mitigate risk with proactive identification and resolution of security threats: Mitigating Risk with managed security from HPE GreenLake Management Services.

The importance of being a cyber resilient organization continues to grow, and it’s important to understand what your responsibilities are and how you can handle them in a hybrid world when working with service providers. Being prepared is half the hard work when it comes to information security, and we hope that the HPE GreenLake Security Shared Responsibility Model helps our customers to understand how we can partner together to build a secure hybrid cloud experience – whatever your use case.

Contact me on Twitter: @DigitalHeMan

And on LinkedIn: Simon Leech CISSP-ISSAP CCSK CISM CRISC

About the Author

Simon is Deputy Director in the HPE Global Security Center of Excellence. He is responsible for bringing together cyber experts from across HPE to support the vision of an open and secure edge to cloud platform, and works with HPE's enterprise customers worldwide, evangelising the strategy of HPE Global Security and articulating our ‘Secure by Design’ and ‘Operationally Secure’ principles. Simon has worked in the IT security industry for over 25 years and is well versed in many areas of IT security, including network security, operational security, malware, cyber threats, vulnerability management, hybrid cloud security, container security, zero trust security, and cyber resilience. Simon is active on Twitter as @DigitalHeMan.