Shared Responsibility Model for Cloud Platforms (GCP, AWS and Azure)
Infrastructure as a Service (IaaS) public cloud services are all governed by what is commonly referred to as the Shared Responsibility Model.
The shared security model defines the relationship between cloud providers and customers, and the roles and responsibilities of each. If you're unfamiliar with the shared responsibility model for cloud computing, Dominique West provides an excellent introduction on LinkedIn Learning in under 5 minutes.
Broadly:
- The cloud vendor (GCP, AWS or Azure) has responsibility for the "Security of the Cloud"
- The customer (individual account holder) has responsibility for "Security in the Cloud"
(Original image courtesy of CloudCheckr)
The UW has implemented some tools and best practices to help faculty and staff meet their responsibilities, but the account owner remains responsible for achieving and maintaining the appropriate security controls per campus policy. The cloud team can advise and consult on best practices (Contact the Public Cloud Team).
This approach gives faculty and staff the flexibility to use the many different services of the public cloud providers while working with valuable institutional or research data, without imposing limitations or restrictive guidelines for use. Campus has other services that are eligible for use with Restricted and Sensitive data, so if you and/or your local IT department have concerns or questions regarding these responsibilities, please reach out to us. We are happy to help you make an informed decision on what meets your needs.
- Google Cloud Platform (GCP) for Sensitive and Restricted Data - UW's preferred provider for sensitive and restricted data
- Amazon Web Services (AWS) for Sensitive and Restricted Data
- Microsoft Azure for Sensitive and Restricted Data
Some resources for better understanding the Shared Responsibility Model:
- Amazon Shared Responsibility Model article - a good overview of the differences between provider responsibilities and customer responsibilities
- Azure Shared responsibility in the cloud - Microsoft's overview of the shared responsibility model
- Understanding the shared security responsibility model (LinkedIn Training) - this course is GCP focused, but the principles are applicable, and services are comparable, across all platforms
- Contact the Public Cloud Team - we are happy to help you with "wayfinding" on how to best meet your needs for sensitive or restricted data, using public cloud or other campus services