PART 4 IT governance

Questions of ownership

Identifying ownership can be challenging, particularly in new environments. For example, with Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), internal IT is typically responsible for applications and data, but with Application as a Service (AaaS) that responsibility lies with the service provider. As a rule, service providers are responsible for operating systems, virtualization, servers, storage, and networking — regardless of the type of service. Data is the responsibility of internal IT.

Recent research shows that many organizations have misconceptions when it comes to management responsibilities. A 2017 report by research firm Vanson Bourne and data management provider Veritas showed that:

- 69% of 1,200 global business and IT decision makers wrongly think their organization's cloud service provider handles all data privacy, regulatory compliance, and data protection responsibilities.
- A large majority of the survey respondents that use or plan to use IaaS offerings (83%) think their organization's cloud providers will protect their workloads and data against outages.
- 54% think it's the responsibility of the service provider to securely transfer data between on-premises systems and the cloud. And about half think cloud service providers are responsible for backing up workloads in the cloud.

[Figure: responsibility matrix by cloud service type. Rows: Application as a Service, Infrastructure as a Service, Platform as a Service. Columns: Administration, Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking. Legend: Internal IT responsible / Service provider responsible.]

More on security

Many IT decision makers are unclear about cloud security ownership and how this might change with different service types. Unfounded assumptions can lead to unintentional outcomes like data breaches and vulnerabilities. Check out this whitepaper to learn more.