Shared Responsibility Model
Security and Compliance is a shared responsibility between NetActuate and the customer. This shared model can help relieve the customer’s operational burden as NetActuate operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In many cases, NetActuate provides custom infrastructure or hosts customer infrastructure in its facilities. In this way, the customer can benefit from the physical security of the facilities and services that NetActuate provides, while maintaining their own controls.
The customer assumes responsibility and management of the guest operating system (including updates and security patches), and other associated application software as well as the configuration. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security “of” the Cloud/Virtual Environments versus Security “in” the Cloud/Virtual Environments & Equipment.
“Security of the Cloud/Virtual Environments & Equipment”
NetActuate is responsible for protecting the infrastructure that runs all of the services offered by NetActuate. This infrastructure is composed of the hardware, software, networking, and facilities.
“Security of the Cloud/Virtual Environments”
Customer responsibility will be determined by the NetActuate services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, virtual servers are categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks. Customers that deploy a virtual server are responsible for the management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the NetActuate-provided firewall on each instance.
For abstracted services, NetActuate operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.
This customer/NetActuate shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between NetActuate and its customers, so is the management, operation and verification of IT controls shared.
NetActuate can help relieve customer burden of operating controls by managing those controls associated with the physical infrastructure deployed in the NetActuate environment that may previously have been managed by the customer. As every customer is deployed differently in NetActuate, customers can take advantage of shifting management of certain IT controls to NetActuate which results in a (new) distributed control environment. Below are examples of controls that are managed by NetActuate, NetActuate Customers and/or both.
Controls which a customer fully inherits from NetActuate.
- Physical and environmental controls
Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, NetActuate provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of NetActuate services. Examples include:
- Patch Management – NetActuate is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
- Configuration Management – NetActuate maintains the configuration of its infrastructure devices, but the customer is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training – NetActuate trains NetActuate employees, but the customer must train their own employees.
Customer Specific – Controls which are solely the responsibility of the customer based on the application they are deploying within NetActuate services. Examples include:
- Custom hardware or equipment, including network equipment or specialized routing policies which the customer may need to implement.