Shared Responsibility Model
  • 25 Nov 2024

Article summary

Servers Australia’s shared responsibility model.


A Shared Responsibility Model is a framework that clearly defines which aspects of security are managed by Servers Australia (as the service provider) and which are the responsibility of the customer. In the context of cloud services or infrastructure hosting, this model helps both parties understand their obligations for maintaining a secure environment.

Breakdown of the Shared Responsibility Model:

Servers Australia's Responsibilities:

These generally cover the security “of” the infrastructure. Servers Australia manages the underlying infrastructure, hardware, and core services to ensure a secure foundation for their customers to use.

  1. Infrastructure Security: Servers Australia is responsible for securing the physical data centres, servers, and networking equipment. This includes protections such as physical access control, power redundancy, and environmental controls (e.g., cooling, fire prevention).

  2. Hardware Maintenance: Ensuring that the physical components of the servers, storage, and networking firmware are updated, patched, and maintained to mitigate vulnerabilities. 

  3. Network Security: Protecting the underlying network from threats, including Distributed Denial of Service (DDoS) attacks, man-in-the-middle attacks, and other types of cyberattacks.

  4. Virtualisation Layer Security: Servers Australia is responsible for securing our virtualisation technology platforms, such as hypervisors, which manage virtual machines (VMs) or cloud services. This responsibility includes patching and maintaining the software running these virtual layers. However, this does not apply to customers managing their own virtualisation layers, as they are responsible for securing and maintaining their own environments.

  5. Operating Systems: Where a maintenance agreement is in place, Servers Australia is responsible for ensuring that the operating systems are patched, up-to-date, and free from vulnerabilities. This includes applying necessary updates and security patches to maintain system integrity.

  6. Control Panels (e.g., cPanel): Under a maintenance agreement, Servers Australia is responsible for keeping control panels like cPanel patched and secure, including applying necessary updates for the current major version, to the extent the underlying operating system will allow. However, this excludes third-party plugins, applications (e.g., WordPress), and themes, which are the customer's responsibility to maintain and secure.

  7. Backup and DR: Servers Australia provides the infrastructure and tools necessary for backup services. We ensure the backup platform is operational, perform maintenance on the underlying systems, and address any issues affecting the service itself.

Customer's Responsibilities:

Customers are typically responsible for what they control or place on top of Servers Australia's infrastructure. This includes securing their data, applications, and user access.

  1. Data Security: Customers must protect their data by encrypting sensitive information, regularly backing up data, and controlling access to it. This includes securing data at rest (stored data) and data in transit (moving data).

  2. Application Security: Any applications or software running on the infrastructure are the customer's responsibility. This means ensuring that their applications are patched, up-to-date, and free from vulnerabilities. Limited support may be available from Servers Australia by request and as best effort.

  3. Virtualisation Layer Security: For customers managing their own virtualisation layers, the responsibility for securing and maintaining these environments rests entirely with them. This includes patching, monitoring, and ensuring the security of their virtualisation platforms, such as hypervisors, along with any software or applications running on them. Customers must ensure that these layers are up-to-date, secure, and compliant with relevant security standards, as Servers Australia's responsibility does not extend to virtualisation layers under the customer's control.

  4. Operating System Security: If customers are running their own virtual machines or instances with custom operating systems, or operating systems not under a maintenance agreement, they are responsible for updates, patching, and configuration to prevent security issues.

  5. User Access and Identity Management: Managing who has access to their systems and data is the customer's responsibility. This includes implementing strong password policies, multifactor authentication (MFA), and restricting user permissions to what’s necessary (following the principle of least privilege).

  6. Compliance: Where required, customers are responsible for ensuring their use of the infrastructure complies with industry regulations, especially in terms of how they handle, store, and transmit data.

  7. Backup and DR: Customers are responsible for setting up, managing, and monitoring their backups, including scheduling and data selection. Restorations must be initiated by the customer, and they are responsible for ensuring their data is backed up correctly.


Shared Responsibility Matrix

| Responsibility                        | Managed Services  | Cloud Hosting (IaaS) | Colocation        |
|---------------------------------------|-------------------|----------------------|-------------------|
| Information and Data                  | Customer          | Customer             | Customer          |
| Devices (Mobile and PCs)              | Customer          | Customer             | Customer          |
| Accounts and Identities               | Customer          | Customer             | Customer          |
| Identity and Directory Infrastructure | Customer          | Customer             | Customer          |
| Applications                          | Servers Australia | Customer             | Customer          |
| Operating System                      | Servers Australia | Customer             | Customer          |
| Physical Hosts                        | Servers Australia | Servers Australia    | Customer          |
| Physical Network                      | Servers Australia | Servers Australia    | Servers Australia |
| Physical Data Centre                  | Servers Australia | Servers Australia    | Servers Australia |

Examples of Responsibilities in Action:

  • Servers Australia secures the data centre where your server is hosted, ensures the network is protected, and provides tools or features that help secure the environment.

  • The customer configures the firewall, manages user access, and secures the applications they deploy on Servers Australia's infrastructure.

Why It's Important:

The Shared Responsibility Model is crucial because it clarifies the boundaries of responsibility, helping prevent security gaps. If either Servers Australia or the customer fails to uphold their responsibilities, security could be compromised. Therefore, both parties need to understand and fulfil their roles to maintain a secure and compliant infrastructure.

In summary, Servers Australia manages the security of the infrastructure, while customers handle the security on the infrastructure, such as data, applications, and user access.


Professional services

Ad-hoc services and services provided under our Professional Services Agreement (PSA).

When Servers Australia is engaged under a Professional Services Agreement (PSA) to assist with issues beyond our standard demarcation points, we provide support to the best of our ability based on the customer's specific instructions. These services are performed as a labour-based charge and are limited to the scope of work requested. It is important to note that while we offer assistance, Servers Australia does not assume liability or ongoing responsibility for any issues that arise following our involvement. The customer remains fully responsible for the management, monitoring, and ongoing operation of their systems, and any resolution we provide is based on the customer’s guidance.


Disclaimer

This document is intended as a general guide only and should not be considered comprehensive or conclusive for all security or service management needs. The information provided here outlines typical responsibilities as part of Servers Australia's Shared Responsibility Model, designed to help clarify the division of security and management roles. However, it may not cover every possible scenario or unique customer requirement.

Servers Australia assumes responsibility for specific infrastructure security elements, but it remains the customer's duty to secure and manage their data, applications, and user access. Customers should thoroughly review their own responsibilities and seek clarification from Servers Australia if they are uncertain about any obligations under this model. Any reliance on the content of this document without consultation is solely at the customer's risk.

For services performed under a Professional Services Agreement (PSA), Servers Australia's support is limited to the scope outlined by the customer, and we do not assume liability or ongoing responsibility post-engagement. Customers are responsible for all aspects of system management, monitoring, and operation beyond the professional service engagement.


