Shared Responsibility Model

Protecting Data with the Shared Responsibility Model

In order to be successful using cloud services, a trusted relationship between the customer and the cloud service provider (CSP) is required. DigitalOcean believes being a transparent security partner is the most essential component of building customer trust. We’re here to help you on the journey of securing your product and protecting your customers’ data.

You’re probably saying to yourself, “My product is hosted on DigitalOcean, I’m good to deploy, right?” Almost. DigitalOcean is not the sole protector of what you store on our services. Protecting your customers’ data is a shared responsibility among you, your customers, and DigitalOcean.

The Shared Responsibility Model (SRM) is a framework that delineates the responsibilities between a cloud service provider (DigitalOcean, in this case) and the customer (you) for securing the cloud environment. DigitalOcean protects the assets OF your cloud instance. For example, we provide physical security and secure the virtualization services we provide. You secure the assets IN your cloud instance. For example, you secure the operating system (OS) you install on your Droplet and manage who has access to your instance.

There are three types of cloud products in the shared responsibility model:

  1. Infrastructure as a Service (IaaS)

  2. Platform as a Service (PaaS)

  3. Software as a Service (SaaS)

Each product type has a different separation of responsibilities. The following graphic displays the separation of duties:

Separation of Responsibilities


For more information on how we secure the infrastructure of our products, please refer to our Infrastructure Security Overview.

The SRM also includes IT controls. IT controls are policies and procedures used to adhere to standards, comply with regulations, and manage risks. DigitalOcean manages physical and environmental controls; you inherit those control protections from us. There are shared controls for which we are both responsible, depending on the context. For example, DigitalOcean conducts annual security training internally; however, your company is responsible for training your own employees. Finally, there are controls for which you are solely responsible. For example, you are responsible for identity and access management (IAM). We recommend using the NIST Cybersecurity Framework for researching specific controls.

Data protection has many moving parts. Depending on your business needs and criticality of the data you store, you may need to implement safeguards other companies do not.

We’ve created these SRM guides because we want to help you leverage those safeguards within our product line to help you protect your business.

Shared Responsibility Model by Product