When it comes to securing data in a cloud environment, the responsibility for security can be a bit cloudy. While cloud providers do clearly state who is responsible depending on the level of service, ultimately the responsibility should be shared by all parties involved. Whether in storage, transfer, or processing, data security should be managed holistically, with the understanding that safeguarding sensitive data is a primary function, not an afterthought.
In a recent conversation with AWS-certified Bruce Elgort, the view emerged that using the auditing tools provided by Amazon is sufficient. This train of thought puts the responsibility on the team configuring the S3 buckets, shifting responsibility for risk away from the vendor. A point was raised in response, suggesting that it may be the governing body's responsibility to safeguard the data of its citizens.
Looking at the bigger picture, many different parties share different parts of the responsibilities discussed here. In cybersecurity it is well known that compliance drives spending on regulatory controls; however, compliance and security do not necessarily go in tandem, and achieving one does not guarantee the other. Ultimately, the business sector dictates which compliance standards apply. Is it possible that more regulation is needed for cloud vendors?