By Connor Payne

Inherited controls from a cloud service provider such as Amazon Web Services (AWS) or Microsoft Azure include physical and environmental controls that a customer fully inherits from the provider. In general terms, shared responsibility means that the cloud service provider is responsible for the security of the cloud while the customer is responsible for security in the cloud. Inherited controls are unique for each customer implementation and have varying degrees of shared responsibility, depending on whether a Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS) model is chosen.


The benefits of using inherited controls could include shifting the majority of responsibility for physical and environmental controls to the cloud service provider. Traditionally, on-premises data center security was the responsibility of in-house IT professionals. Using the shared responsibility model, businesses are gaining a double advantage as they can deploy IT resources to other areas while their web services provider delivers enhanced overall security. With a distributed control environment, customers can rely on control and compliance documentation provided by their cloud service provider for the inherited controls.



Depending on the cloud service selected by a customer, security responsibilities will vary. With an IaaS model, customers must perform all necessary security configuration and management, including updating the operating system, applying security patches, managing software, and configuring hardened systems. With PaaS or SaaS models, the cloud service provider operates the infrastructure, operating system, and platform that the customer uses to store and retrieve data. In these models, customer responsibilities could include client-side data encryption, data integrity monitoring, and identity & access management (IAM) permissions.


While shared responsibility offers many benefits, customers need to have a clear understanding of which security responsibilities they own, and which are managed by their provider. Businesses need to assign ownership of controls respectively and track compliance activities, so that nothing falls through the cracks.


Understanding what you need and selecting a cloud services provider can be challenging. One method for ensuring you select the best cloud service provider to support your needs is by partnering with a security and compliance expert like SecureIT. Our professionals are experienced in helping businesses decide if leveraging 3rd party services and inheriting controls is right for them. If it is, we can help you evaluate options and choose those that are best for your environment and strategic goals. After selection, we will help you understand remaining responsibilities and develop compliance documentation that properly reflects the use of inherited controls in your environment.


As a leader in security, audit and compliance with decades of advisory experience, SecureIT helps businesses understand inherited controls and shared responsibility and how to best leverage technology to achieve your security and compliance objectives. We offer complete compliance program management platform that streamlines compliance activities.  Contact us today to learn more.