• Shared Responsibility

This document highlights the roles and responsibilities of each party when organizations use the Azion Edge Platform. Security and compliance are a shared responsibility between customers and Azion. Azion is responsible for the security and compliance of its Edge Platform, and customers are responsible for the content, their application, and the correct operation of the provided controls.

Customers are advised to carefully select Azion’s Products and Services and operate them according to the applicable compliance requirements, laws, and regulations.

NIST Special Publication 500-292 defines five essential characteristics of cloud services:

• On demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

The publication also provides a simple and unambiguous categorization of cloud services models:

• Cloud software as a service (SaaS)
• Cloud platform as a service (PaaS)
• Cloud infrastructure as a service (IaaS)

Azion’s Edge Platform does not accurately fit into any of the three delivery models and can be described as a blend of PaaS and SaaS models.

The Shared Responsibility Model is central to understanding the roles of the customers and Azion in the context of application security and the use of Azion Edge Platform.

Customers are responsible for the correct configuration and usage of the controls and for the application and content they put on or through Azion Edge Platform.

The diagram below illustrates this concept.

This shared model can help relieve the customer’s operational burden as Azion operates, manages, and controls the components from the application runtime to the host operating system, down to the physical security of the facilities in which the Products and Services operate.

“Security of the Edge Platform” - Azion develops, operates, protects, and controls the infrastructure that runs its Products and Services when offered as-a-service, and is responsible for the following aspects of its security:

• Physical security.
• Secure software development.
• Vulnerability and patch management of the systems hosting the platforms.
• Business continuity and disaster recovery of the platforms and the operations.
• Protection and management of secrets on the platform, such as private keys.
• Configuration management of the platform.
• Operational security.
• Training and personnel security.

Azion Control Assurance

Azion evaluates the design and effectiveness of its controls under a number of compliance and reporting regimes, such as PCI DSS and SOC 2 Type 2.

Customers can use Azion compliance documents to perform any required Azion control evaluations.

“Security in the Edge Platform” – Customer responsibility will be determined by the Azion Product and Service that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.

For abstracted Products and Services on a as-a-service or serverless model, which uses Azion Global Network, Azion develops, operates, protects, and controls the infrastructure, while customers access the Products and Service interfaces to store, manage, and retrieve data. Customers are responsible for items such as:

• Correct configuration of Azion Products and Services.
• Configuration change control.
• Managing their data, such as content and application and source code (including encryption options).
• Identity and access management, including user provisioning and their roles.
• Monitoring quotas and limits.
• Monitoring consumption and billing.
• Correct usage of Azion’s platform.

Customers are also responsible for:

• Adhering to Azion’s Acceptable Use Policy and all applicable laws and regulations.
• Information classification.
• Customer regulatory compliance.
• Training and personnel security.

Customers that deploy Products and Services on their own premises, remote devices, or third-party infrastructure are also responsible for managing the guest operating system and any Azion software running on that infrastructure (including software updates and security patches), as well as the application software or utilities installed by the customer on that infrastructure, as well as the configuration of the Azion-provided Product and Service.

Shared Controls – Azion and customer work collaboratively to enhance the overall security and compliance of resources, which apply to both Azion and customers, but in completely separate contexts or perspectives:

• Log Management – While Azion requires you to have its Real-Time Events product to provide access to short-term logs for debugging purposes, it’s the customer’s responsibility to set up log drains with Azion Data Stream for long-term log retention, data auditing, or additional visibility into their application’s performance and security.
• Patch Management – Azion is responsible for patching and fixing flaws within its Edge Platform, but customers are responsible for patching their own code and applications.
• Authentication – Customers must guarantee their authentication information — password, tokens, credentials, etc. — meets general security criteria and are kept safe. Azion must guarantee the platform’s security and protection regarding authentication.

Note that this Shared Responsibility Model is a generalized framework, and the specific responsibilities and offerings may vary based on the exact services and solutions you contracted. It’s advisable to consult directly with Azion’s team for more specific details, when needed. Also, Azion provides responsibility matrices to help customers comply with PCI DSS and other specific regulations while using Azion Products and Services. Please refer to our Support Team in oder to access such information.