Shared Responsibility Model
Overview
Security and Compliance is a shared responsibility between Addigy and the customer. Addigy helps relieve the customer’s operational burden of managing Cloud Infrastructure and associated components in which the service operations. The customer assumes responsibility and management of the devices, data, and authentication access. Customers should carefully consider the services they choose as their responsibilities vary depending on the service used, the integration used, and applicable laws & regulations.
Summary
Addigy’s Shared Responsibility Model is designed to help Organizations, especially DIB Organizations leverage Addigy Solutions to meet Compliance challenges and control requirements, like Cybersecurity Maturity Model Certification (CMMC). Using Addigy Solutions, you can solve challenges of baseline configuration, configuration drift, reporting, and compliance using native solutions or even API Calls to complex systems for additional tracking, management, and oversight.
Definitions
Customer Definitions
Terms used to describe Customer Management Responsibilities
- Customer Data (Data Controller)
- Includes any information or files uploaded by the customer
- Platform, Applications, Identity, and Access Management
- Management of credentials for authentication to the platform or to endpoint devices
- Management of applications on endpoint devices other than Addigy created ones
- Device Encryption
- Ensuring FileVault is enabled
- Device Security
- Management of Firewalls, IDS, IPS, or antivirus solutions on the customer network and endpoint devices
- Device Management
- The customer uses the Addigy platform for the management of devices
Addigy Definitions
Terms used to describe Addigy Solutions as the Data Processor.
- Platform and Application Security
- Addigy is responsible for the security of the platform itself, which includes the web application and the binaries
- Server-side Operating Systems, Network, and Firewall Configurations
- Addigy is responsible for the security of the infrastructure that hosts Addigy’s services which includes keeping the OS and software up to date and properly configuring networks and firewalls
- Network Traffic Protection (Encryption, Integrity)
- Addigy is responsible for the security of data and traffic in transit between endpoint devices and Addigy services
- Server-side Encryption
- Addigy is responsible for the security of data at rest that is stored in Addigy managed infrastructure such as our database.
- Application Availability
- Addigy is responsible for the availability of the application as defined in our Service Level Agreement.
Addigy Cloud Infrastructure
Addigy uses Cloud-hosted Infrastructure primarily from Amazon Web Services and Google Cloud Platform. These vendors include their own shared responsibility models which cover the following resources:
- Compute
- Amazon and Google’s terminology for serverless computational options
- Storage/Database
- Amazon and Google’s terminology for data storage and database management system functionality
- Networking
- Amazon and Google’s terminology for the network infrastructure provided within their Infrastructure
- Hardware and Availability
- Amazon and Google’s terminology for the Data Center hardware and its ability to be available consistently.
More information on their program, definitions, and responsibilities are available below:
Diagram
References
- AWS Responsibility Model
- Google Cloud Responsibility Model (PDF)
- Addigy Service Level Agreement
- Data In Transit Policy
- Data At Rest Policy