As organizations shape the contours of a secure edge-to-cloud strategy, it’s important to align with partners that prioritize both cybersecurity and risk management, with clear boundaries of shared responsibility.

The security-shared-responsibility model is essential when choosing as-a-service offerings, which make a third-party partner responsible for some element of the enterprise operational model. Outsourcing IT operations has become a smart business strategy. But outsourcing operational risk is untenable, given the criticality of data-first modernization to overall enterprise success.

“Intellectual property is key to a company’s success,” notes Simon Leech, operational security lead for HPE GreenLake Cloud Services. “Therefore, it’s up to CIOs to do due diligence about what sort of security controls are in place and to ensure data is well protected in an [as-a-service] operating model. The security-shared-responsibility model provides a clear definition of the roles and responsibilities for security.”

Having a well-articulated and seamlessly integrated security-shared-responsibility model is table stakes. Organizations are spending far more time grappling with the costs and consequences of highly complex cyberattacks, to the tune of a 72% spike in costs over the last five years, according to the Accenture/Ponemon Institute’s “Ninth Annual Cost of Cybercrime” study. Specifically, the study attributed an average $4 million loss to business disruption, with another $5.9 million associated with information losses. In total, the global cost of cybercrime is skyrocketing, expected to grow 15% annually to hit the $10.5 trillion mark by 2025, noted the “2020 Cybersecurity Ventures” report.

HPE GreenLake: Security by Design

Against this backdrop of heightened cybercrime activity, organizations are more vulnerable as the proliferation of platforms, internet-of-things (IoT) devices, and cloud applications has created an expanded attack surface and widened security gaps. A new security-by-design approach infuses security practices and capabilities directly into new systems as they are built — versus addressing security requirements later as an afterthought.

An organization’s approach to security must also scale at the speed of digital transformation. This means that security must be automated and integrated directly into continuous-integration/continuous-delivery (CI/CD) pipelines, ensuring that safeguards are applied consistently across workloads, no matter where data resides. This also makes it easier for developers to create secure code. As organizations grapple with additional complexity challenges, they need access to third-party security experts to close any internal security gaps.

The HPE GreenLake security-shared-responsibility model differs from that of the typical cloud provider, because the as-a-service platform delivers a public cloud experience everywhere, including in a company’s private data center and/or in a shared colocation facility. The company or colocation provider maintains responsibility for securing the connectivity and physical data center, and HPE’s responsibilities vary, depending on the chosen HPE GreenLake consumption model. For example:

“In all three scenarios, security of customer data is always the responsibility of the customer,” Leech says. “It’s ultimately their responsibility to decide what data they put in the cloud, what data they keep out of the cloud, and how they keep that data protected.”

Best Practices for Security Success

Drill down into the details. Leech cautions that the No. 1 rule for security success is understanding the boundaries of responsibility and not making any premature assumptions. Organizations should confer with their cloud service provider to clearly understand and delineate who has responsibility for what. Most cloud providers, including HPE, offer collateral that drills down into the details of their security-shared-responsibility model, and customers should take full advantage.

“The risk is really one of blissful ignorance,” he says. “The assumption can be made that security is there, but unless you actually go into the contract and look at the details, you might be making a wrong assumption.”

Include the enterprise risk management team. Invite the enterprise risk management team into the discussion early on, so it has a clear understanding of the potential risks. With that knowledge, it can help determine what is acceptable, based on a variety of factors, including the industry, specific regulatory climate, and customer demands.

Follow security-by-design principles. Use the security-shared-responsibility model as an opportunity to address security early on and identify potential gaps. In addition to automation and ensuring that security is code-driven, embrace zero trust and identity and privilege as foundational principles. “By understanding what those gaps are early enough, you can build compensating controls into your environment and make sure it is protected in a way you’d expect it to be,” Leech explains.

Know that visibility is essential. Security monitoring should be a part of the routine to gain a full understanding of what’s happening in the environment. Organizations can opt to do security monitoring on their own or enlist additional services as part of an HPE GreenLake contract. “It goes back to that idea of blissful ignorance,” Leech says. “If I’m not doing any security monitoring, then I never have any security incidents, because I don’t know about them.”

The HPE GreenLake edge-to-cloud platform was designed with zero-trust principles and scalable security as cornerstones of its architecture and development — leveraging common security building blocks, from silicon to cloud, that continuously protect your infrastructure, workloads, and data so you can adapt to increasingly complex threats. For more information, visit https://www.hpe.com/us/en/solutions/security.html