Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRRetrieve an object from Amazon S3Store an object on Amazon S3Copy Docker images with CraneDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryGet artifact detailsManage artifact labelsRegister a build artifactRegister a deployed environment artifact
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineBuild and publish Docker images with KanikoRun a TeamCity project
IntroductionMigrate from v1 to v2
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookDeploy with Argo WorkflowsDeploy with AWS CodeDeployDeploy a binary with Amazon EC2Deploy to ECSRender an Amazon ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
Fetch secrets from CyberArk Conjur
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCheckovCoverity on PolarisFind Security BugsGitHub Security ScannerGosecGrypeMendNexus IQnjsscanSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionGitleaksTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Get started with feature flags
Create flags in code
Manage multiple SDK keys in your application
Create and manage flags in the UI
Namespaces and labels
Configure feature flags
Feature management custom roles
Flag approval requests and reviews
Audit history
Get started with configuration as code
Set up configuration as code
Configuration as code reference
Configuration-as-Code examples
Flag impressions and activity status
Flag health
Code references
Properties and custom properties
Target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAndroid appAngular appDjango appGin appJava Spring Boot app.NET Core appReact appSwift iOS app

Shared responsibility model

3 minute read

What is a shared responsibility model?

A shared responsibility model in a cloud environment is a formal framework that clearly defines and divides security and compliance duties among the different parties involved in a cloud service relationship. When a Software as a Service (SaaS) provider builds its application on a public cloud (such as AWS), the model becomes a three-party agreement that allocates responsibility based on who has operational control over each component of the service stack:

  • The cloud infrastructure provider (AWS) is responsible for security of the cloud. It maintains physical hardware, hosts operating systems and virtualization layers, and guaranteeing the security and availability of services and network (computer, storage, network resources etc), including disaster recovery for core infrastructure.

  • The SaaS provider (CloudBees) is responsible for security in the cloud. This includes:

    • CloudBees Unify product code.

    • Unify security, updates, support and patch management.

    • Cloud environment provisioning and configuration, including VPCs, firewalls, and network controls.

    • Service continuity planning including the maintenance of suitable status page(s) or similar.

    • Unify-level data recovery, and incident response for software vulnerabilities.

    • Establishing suitable communication and collaboration channels, to coordinate matters with customers and AWS alike.

    • Providing necessary documentation and knowledge bases on CloudBees Unify, including security best practices.

    • Maintaining the security and compliance stance of CloudBees Unify.

  • The customer is responsible for security of their usage. This includes:

    • Data ownership and management.

    • User access management, including enforcing MFA, and role-based access controls.

    • Configuring CloudBees Unify based on best practices as advised by CloudBees and AWS, and determined by their requirements.

    • Prompt reporting issues and incidents to CloudBees.

    • Implementing additional backup strategies if required for specific data retention or recovery needs.

Table 1. Detailed responsibilities
Responsibility area Cloud service provider (AWS) SaaS provider (CloudBees Unify) Customer (you)

Physical security

Global infrastructure, data centers, hardware, networking, and physical facilities.

Not applicable. Inherited from AWS.

Not applicable.

Core infrastructure

Security of the cloud, including the virtualization layer, host operating system, and base network security.

Configuration of the AWS-provided infrastructure (for example, VPCs, security groups, IAM for the AWS account).

Not applicable.

Application & code

Not applicable.

The core SaaS application, its code, deployment, maintenance, updates, and web application firewalls (WAF). Guidance on secure usage of the product.

Configuration of the application.

Patch management

Patching the underlying hardware and host operating system.

Patching the guest operating systems (if using IaaS), middleware, runtime environments, and the SaaS application itself.

Not applicable.

Identity & access management (IAM)

Availability of AWS IAM and core service endpoints.

Application’s user access service, including user roles and permissions, and access to infrastructure by CloudBees employees.

Managing user accounts, secrets, passwords, enabling/enforcing MFA, single sign-on (SSO), integrations, and user behavior.

Data & encryption

Providing encryption tools (for example, KMS, EBS/S3 encryption features).

Implementing data classification policies, configuring encryption settings (at rest/in transit).

Data ownership, data quality, legal/regulatory compliance (for example, GDPR, HIPAA), and controlling data-sharing permissions within the application.

Monitoring & logging

Provides the raw infrastructure logging capabilities/tooling (for example, CloudTrail and CloudWatch logs).

Collecting, analyzing, and acting on logs, tool configuration, establishing threat detection, and providing security incident response for the SaaS application.

Monitoring your own user activity, usage, and reporting suspicious behavior to CloudBees Unify.

Incident management

Detecting and resolving incidents affecting the underlying AWS infrastructure.

Defining incident priority levels involving Unify, including customer-reported incidents. Detecting, containing, and remediating incidents within the application or its managed cloud environment. Establishing the communication protocols which includes customers notification where necessary (e.g. security incidents impacting their data). Responsible for facilitating any joint post-incident reviews where needed.

Incident response actions related to your employees, endpoints, or credentials (for example, disabling compromised user accounts and initiating local device forensic analysis).

Availability, Performance, and Disaster recovery

Defining uptime for AWS infrastructure and response for infrastructural issues. Resilience and recoverability of the AWS Region/service itself (for example, availability zones and region failover for core services).

Defining uptime for Unify and response times for Unify service issues. Maintaining business continuity through application-level disaster recovery (DR) planning, multi-region failover, and ensuring RTO/RPO for the application’s overall function.

Responsible for your own data backup and recovery plan for individual data loss events (for example, accidental or malicious deletion). You may need a third-party backup solution for granular recovery.
This shared responsibility model is provided for informational purposes only and is not intended to be exhaustive. This document provides an overview of general principles and does not supersede the specific terms, conditions, and security obligations outlined in the CloudBees Subscription and Services Agreement and CloudBees Terms of Service (TOS).
Support policies
Supported browsers and external tools