Shared responsibility model reference

Security and operational responsibilities for CloudBees Unify are divided between CloudBees and customers according to a shared responsibility model. Use this reference when evaluating security compliance requirements, incident response procedures, or operational responsibilities.

Shared responsibility model definition

A shared responsibility model in a cloud environment is a formal framework that clearly defines and divides security and compliance duties among the different parties involved in a cloud service relationship. When a Software as a Service (SaaS) provider builds its application on a public cloud (such as AWS), the model becomes a three-party agreement that allocates responsibility based on who has operational control over each component of the service stack:

  • AWS (cloud infrastructure provider): Responsible for security of the cloud, including:

    • Physical hardware.

    • Host operating systems and virtualization layers.

    • Global network resilience including disaster recovery for core infrastructure.

  • CloudBees (SaaS provider): Responsible for security in the cloud, including:

    • CloudBees Unify and CloudBees Smart Tests product code.

    • Security, updates, support, and patch management for CloudBees Unify and CloudBees Smart Tests.

    • Cloud environment provisioning and configuration, including VPCs, firewalls, and network controls.

    • Service continuity planning, including maintenance of status pages.

    • Data recovery at the CloudBees Unify and CloudBees Smart Tests level.

    • Incident response for software vulnerabilities.

    • Documentation and knowledge bases for CloudBees Unify and CloudBees Smart Tests, including security best practices.

  • Customer (you): Responsible for security of your usage, including:

    • Data ownership.

    • User access management including enforcing MFA and role-based access controls.

    • Configuring application security settings.

    • Implementing additional backup strategies if required for specific data retention or recovery needs.

Responsibility matrix

Table 1. Detailed responsibilities
Each responsibility area below lists the duties of the cloud service provider (AWS), the SaaS provider (CloudBees Unify), and the customer (you).

  • Physical security

    • Cloud service provider (AWS): Global infrastructure, data centers, hardware, networking, and physical facilities.

    • SaaS provider (CloudBees Unify): Not applicable. Inherited from AWS.

    • Customer (you): Not applicable.

  • Core infrastructure

    • Cloud service provider (AWS): Security of the cloud, including the virtualization layer, host operating system, and base network security.

    • SaaS provider (CloudBees Unify): Configuration of the AWS-provided infrastructure (for example, VPCs, security groups, IAM for the AWS account).

    • Customer (you): Not applicable.

  • Application & code

    • Cloud service provider (AWS): Not applicable.

    • SaaS provider (CloudBees Unify): The core SaaS application, its code, deployment, maintenance, updates, and web application firewalls (WAF). Guidance on secure usage of the product.

    • Customer (you): Configuration of the application.

  • Patch management

    • Cloud service provider (AWS): Patching the underlying hardware and host operating system.

    • SaaS provider (CloudBees Unify): Patching the guest operating systems (if using IaaS), middleware, runtime environments, and the SaaS application itself.

    • Customer (you): Not applicable.

  • Identity & access management (IAM)

    • Cloud service provider (AWS): Availability of AWS IAM and core service endpoints.

    • SaaS provider (CloudBees Unify): The application’s user access service, including user roles and permissions, and access to infrastructure by CloudBees employees.

    • Customer (you): Managing user accounts, secrets, passwords, enabling and enforcing MFA, single sign-on (SSO), integrations, and user behavior.

  • Data & encryption

    • Cloud service provider (AWS): Providing encryption tools (for example, KMS, EBS/S3 encryption features).

    • SaaS provider (CloudBees Unify): Implementing data classification policies and configuring encryption settings (at rest and in transit).

    • Customer (you): Data ownership, data quality, legal and regulatory compliance (for example, GDPR, HIPAA), and controlling data-sharing permissions within the application.

  • Monitoring & logging

    • Cloud service provider (AWS): Providing the raw infrastructure logging capabilities and tooling (for example, CloudTrail and CloudWatch logs).

    • SaaS provider (CloudBees Unify): Collecting, analyzing, and acting on logs, configuring tooling, establishing threat detection, and providing security incident response for the SaaS application.

    • Customer (you): Monitoring your own user activity and usage, and reporting suspicious behavior to CloudBees Unify.

  • Incident management

    • Cloud service provider (AWS): Detecting and resolving incidents affecting the underlying AWS infrastructure.

    • SaaS provider (CloudBees Unify): Detecting, containing, and remediating incidents within the application or its managed cloud environment. CloudBees must notify customers of security incidents impacting their data.

    • Customer (you): Incident response actions related to your employees, endpoints, or credentials (for example, disabling compromised user accounts and initiating local device forensic analysis).

  • Disaster recovery

    • Cloud service provider (AWS): Resilience and recoverability of the AWS Region or service itself (for example, availability zones and region failover for core services).

    • SaaS provider (CloudBees Unify): Maintaining business continuity through application-level disaster recovery (DR) planning, multi-region failover, and ensuring RTO/RPO for the application’s overall function.

    • Customer (you): Your own data backup and recovery plan for individual data loss events (for example, accidental or malicious deletion). You may need a third-party backup solution for granular recovery.

This shared responsibility model is provided for informational purposes only and is not intended to be exhaustive. This document provides an overview of general principles and does not supersede the specific terms, conditions, and security obligations outlined in the CloudBees Subscription and Services Agreement and CloudBees Terms of Service (TOS).