Who Shares Responsibility for Data Security in a Health Crisis?

April 23, 2020
Jeff Ahlerich

Back in the day, companies housed and managed their IT infrastructure in-house, making its data security the sole responsibility of the company. In our current state, multi-tenant architectures like Amazon and Azure have done a good job of reassuring users that cloud environments are just as secure as on-premise data centers. However, the conditions have changed and the proliferation of security threats is placing an unexpected strain on the backs of cloud service providers (CSPs). So, who shares responsibility for data security in a health crisis?


The COVID-19 pandemic is presenting CSPs with new challenges. And, with Gartner reporting that more than a quarter of key IT segment spending will still shift to the cloud within the next 2 years, companies need to understand and be clear about all aspects of their shared environment. Despite initial reticence to embrace cloud computing based on security concerns, polls show that many companies might actually put too much trust in CSPs. The problem isn’t the security posture of the CSPs; it’s that over-trusting companies often don’t recognize that their organization is still responsible for certain aspects of security, even for data in the cloud—hence the cybersecurity shared responsibility model.

Even major CSPs like Google and Amazon want customers to be very clear about who is responsible for what in terms of data security. It is the job of each company to know who will control and manage security not only for data in the cloud but data in transit and data passing between cloud services. The cost of failing to make distinct delineations are high—data is left at risk to a breach, theft, or other attack, and companies can fall short of meeting compliance requirements. In a health or economic crisis, the shared responsibilities of each party do not change. Therefore, private businesses could be more vulnerable and liable than they would be in a “normal” environment. Everyone is assuming a greater level of risk.


Part of what makes it so tricky to determine security roles within a shared model is that there isn’t a standard shared setup. CSP and user responsibilities vary depending on the setup and the CSP. Corporations that use CSPs need to very carefully evaluate and regularly reference their service level agreements to be sure all security gaps are filled and vulnerabilities have been addressed by each responsible party. Companies lacking the security expertise to do so are well-advised to seek a third-party security expert to ensure they reap all the benefits of a cloud setup without introducing risks and vulnerabilities.

join our email list