Shared Responsibility Model
“Cloud Service Provider” as used hereunder means Ningxia Western Cloud Data Technology Co., Ltd. (“NWCD”), the service operator and provider for Amazon Web Services China (Ningxia) Region, and/or Beijing Sinnet Technology Co., Ltd. (“Sinnet”), the service operator and provider for Amazon Web Services China (Beijing) Region, as applicable. “Amazon Web Services China Region” as used hereunder means Amazon Web Services China (Ningxia) Region and/or Amazon Web Services China (Beijing) Region, as applicable.
Security and Compliance is a shared responsibility between Cloud Service Provider and the customer. This shared model can help relieve the customer’s operational burden as Cloud Service Provider operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the security group firewall provided by Cloud Service Provider. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.
Cloud Service Provider responsibility “Security of the Cloud” – Cloud Service Provider is responsible for protecting the infrastructure that runs all of the services offered in Amazon Web Services China Region Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run Amazon Web Services China Region Cloud services.
Customer responsibility “Security in the Cloud” – Customer responsibility will be determined by the Amazon Web Services China Region Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks. Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the Cloud-Service-Provider-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, Cloud Service Provider operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.

This customer/Cloud Service Provider shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between Cloud Service Provider and its customers, so is the management, operation and verification of IT controls shared. Cloud Service Provider can help relieve customer burden of operating controls by managing those controls associated with the physical infrastructure deployed in the Amazon Web Services China Region environment that may previously have been managed by the customer. As every customer is deployed differently in Amazon Web Services China Region, customers can take advantage of shifting management of certain IT controls to Cloud Service Provider, which results in a (new) distributed control environment. Customers can then use the Cloud Service Provider control and compliance documentation available to them to perform their control evaluation and verification procedures as required. Below are examples of controls that are managed by Cloud Service Provider, Cloud Service Provider’s Customers and/or both.
Inherited Controls – Controls which a customer fully inherits from Cloud Service Provider.
- Physical and Environmental controls
Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, Cloud Service Provider provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of Amazon Web Services China Region services. Examples include:
- Patch Management – Cloud Service Provider is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
- Configuration Management – Cloud Service Provider maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training – Cloud Service Provider trains Cloud Service Provider’s employees, but a customer must train their own employees.
Customer Specific – Controls which are solely the responsibility of the customer based on the application they are deploying within Amazon Web Services China Region services. Examples include:
- Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments.