Division of responsibility for security

The security of systems dependent on cloud services involves a division of responsibility between the customer (end system owner) and the provider (cloud infrastructure owner). The division of this responsibility depends on the model of cloud services: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service).

It can be visualized in a table, where:

• Client
• Yandex Cloud

In any of the four situations, only the client is responsible for controlling access and managing permissions. Other areas of responsibility depend on the model.

Private infrastructurePrivate infrastructure

The client is solely responsible for ensuring security at all levels.

IaaSIaaS

The provider is responsible for the physical security and fault tolerance of the platform itself, network security, the collection and analysis of security events from hypervisors and other infrastructure components.

The client is to back up VMs, protect the virtual network, ensure the security of guest OS, control access, and secure cloud user accounts.

PaaSPaaS

The provider is responsible for the security of the higher-level layers of the infrastructure. This includes VM protection and DB backups.

The client handles data classification, controls access to data, configures processes to protect data, and takes responsibility for controlling user access and interaction with third-party services.

SaaSSaaS

The provider is responsible for most security aspects: data accessibility and integrity, monitoring and logging, physical security, and security for the network, service components, and the application itself.

The client is responsible for managing user access to data.