Shared Responsibility

MobileTrack Nexus is a Software-as-a-Service (SaaS) offering; the shared responsibility model that follows from this delineates the security and compliance obligations between the cloud provider (e.g., Azure), the application developers (e.g., MobileTrack), and the end customers. This division of responsibilities is critical for ensuring adherence to regulatory frameworks such as the General Data Protection Regulation (GDPR), the NIS2 Directive, and the ISO 27001 standard.

1. Responsibility Sharing

  • Azure's Responsibilities: Azure, as the PaaS provider, is responsible for the infrastructure, including the physical data centers, networking, servers, storage, and the core platform security. This includes ensuring the security of the physical infrastructure, managing the hypervisor, and providing security for the foundational software layers.

  • MobileTrack's Responsibilities: MobileTrack, using Azure's PaaS, is responsible for the security of the applications it builds and the integration and configuration of various Azure services. This includes securing application code, managing the application environment, implementing necessary security measures like encryption, and ensuring compliance with relevant regulatory requirements.

  • Customer Responsibilities: Customers using MobileTrack's application can either manage their own data or rely on MobileTrack for data management. Customers are responsible for the data they input, user access management, and ensuring data usage complies with applicable regulations. If customers rely on MobileTrack for data management, they must ensure that the services provided meet their security and compliance needs.

      Note

    It isn't up to MobileTrack to determine what data is sensitive or how it should be protected. Customers must classify their data themselves: what information they place in the application and how they use it. The contents of the customer's data are none of MobileTrack's business; MobileTrack's concern is only that the processing of that data is done in a secure and compliant manner.

2. GDPR Compliance

The GDPR imposes obligations on data controllers (typically the end customers) and on data processors (a role filled by both MobileTrack and Azure).

  • Data Controllers (Customers): Customers who are data controllers under GDPR must ensure that the data processing is lawful, that data subjects' rights are respected, and that appropriate data protection measures are in place. This includes securing consent, conducting Data Protection Impact Assessments (DPIAs) where required, and managing data breaches.
  • Data Processors (MobileTrack and Azure): Both MobileTrack and Azure act as data processors. They must process personal data only on documented instructions from the customer and implement appropriate technical and organizational measures to protect the data. Azure, as the underlying platform, provides tools and features to secure data at rest and in transit, while MobileTrack ensures that its application leverages these capabilities properly.

3. NIS2 Directive Compliance

The NIS2 Directive focuses on improving cybersecurity across critical sectors and digital services.

  • Azure's Responsibilities: As a cloud provider, Azure must implement security measures to protect its infrastructure and services, including risk management practices, incident response protocols, and reporting mechanisms for significant incidents.
  • MobileTrack's Responsibilities: MobileTrack is responsible for securing the application layer, ensuring that its services are resilient and that any incidents that might affect the continuity of services are promptly addressed and reported.
  • Customer Responsibilities: Customers need to ensure that their use of the PaaS service and the custom application does not introduce vulnerabilities into their operations. This involves securing access to the application, managing credentials, and ensuring compliance with NIS2 reporting requirements in the event of a cybersecurity incident.

4. ISO 27001 Compliance

ISO 27001 provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

  • Azure's Responsibilities: Azure maintains ISO 27001 certification for its cloud services, demonstrating a commitment to robust security practices. This includes conducting regular audits, maintaining an ISMS, and ensuring compliance with the standard's requirements.
  • MobileTrack's Responsibilities: MobileTrack must ensure that its application development and management processes align with the ISO 27001 standard, particularly now that the company seeks to obtain or retain certification. This includes securing the development lifecycle, protecting customer data, and maintaining comprehensive security documentation.
  • Customer Responsibilities: Customers should verify that both Azure and MobileTrack meet the necessary ISO 27001 requirements, ensuring that their data and business operations are secure. This might involve reviewing audit reports and certifications, and conducting their own risk assessments.

Conclusion

In MobileTrack Nexus, the shared responsibility model ensures clear delineation of security and compliance duties between Azure, MobileTrack, and the end customers. This model is particularly crucial in navigating complex regulatory landscapes like GDPR, NIS2, and ISO 27001. By understanding and fulfilling their respective responsibilities, all parties can work together to secure the application environment, protect data, and maintain compliance, thereby mitigating risks and ensuring trust.

See Also