This document describes the shared responsibility model for deploying and maintaining the Dispel Zero Trust Engine: which security obligations belong to Dispel, which belong to you, and how that split changes with the way Dispel is deployed. It also describes how Dispel partners with customers to address security challenges.
Understanding the shared responsibility model is important when deciding how best to protect the data and environments behind Dispel. The model describes the security tasks you own in a remote-access deployment and how those tasks differ between on-premises, customer cloud, and SaaS deployments.
Shared responsibility
You are the expert on the security and regulatory requirements of your business and on what it takes to protect your confidential data and resources. When you use Dispel, you must identify the security controls you need to apply around the Dispel deployment and during remote-access sessions to protect that data and those environments. To decide which controls to implement, consider the following factors:
Your regulatory compliance obligations
Your organization's security standards and risk management plan
Security requirements of your customers and your vendors
Defined by deployment method
Responsibilities are defined first by the deployment method you choose and the Dispel services you require.
Deployment Method | Description
--- | ---
SaaS | Fully managed, cloud-hosted deployment in which Dispel handles infrastructure, security, and maintenance. Runs in Dispel's secure cloud environments (AWS, Azure). Best for organizations seeking a hands-off, scalable, fast-to-deploy solution.
Customer Cloud | Deployed within the customer's own cloud environment (AWS, Azure, GCP, or private data centers). The customer maintains direct control over cloud security settings, with Dispel providing platform support. Best for organizations with strict data sovereignty, compliance, or integration needs.
On-Premises | Fully contained, on-premises deployment within the customer's industrial or enterprise network. Runs on dedicated hardware or virtualized environments within the customer's facility. Best for highly regulated industries (e.g., defense, utilities, critical infrastructure) that require air-gapped or offline environments.
The following diagram shows the cloud services and how responsibility for each is shared between Dispel and the customer.
Defined by component
Central Management Dashboard, Region, & Virtual Desktops
Dispel is responsible for the security of our software components. Responsibility for the underlying infrastructure on which these components are deployed varies by deployment method.
Wicket ESI
Dispel is responsible for the security of the Wicket ESI software itself, including development, security updates, and application security.
The customer is responsible for the environment in which Wicket ESI is deployed, including the hardware, OS updates, network security, and compliance.
Category | Responsibility Area | Dispel Responsibility (Software Security) | Customer Responsibility (Environment Security)
--- | --- | --- | ---
Hardware | Provisioning & Maintenance | N/A | Deploying Wicket ESI on physical or virtual hardware
Hardware | Physical Security | N/A | Securing physical access to the device
Hardware | Performance & Resource Allocation | N/A | Ensuring sufficient CPU, RAM, and storage
Operating System | OS Patching & Updates | N/A | Keeping the OS up to date with security patches
Operating System | OS Hardening | N/A | Applying security baselines and CIS benchmarks
Operating System | User Access Management | N/A | Managing OS admin/user accounts and access policies
Network | Firewalls | N/A | Managing network firewalls, VLANs, and routing
Network | Uptime & Availability | N/A | Maintaining Internet connectivity and reliability
Network | Monitoring & Logging | Generates network activity logs | Monitoring the logs and responding to events and incidents
Tunnel Security | Encryption | Cipher implementation | N/A
Tunnel Security | Routing & SD-WAN | Provisioning and connectivity | N/A
Software Security | Application-Level Security | Secure coding, security testing, and reviews | N/A
Software Security | Software Updates & Vulnerability Fixes | Providing Wicket ESI patches and updates | N/A
Software Security | Software Patching | Assistance available through Support | Applying Wicket ESI patches and updates
Software Security | Configuration Security Guidance | Offering security best practices for setup | Applying the recommended security configurations
Backup & Disaster Recovery | Data Protection & Recovery | N/A | Implementing backup and restore procedures for Wicket ESI
Defined by industry and regulatory framework
Many industries have regulatory frameworks that define the security controls that must be in place for operational technology (OT) and industrial control systems (ICS). When deploying secure remote access and data streaming through Dispel's Zero Trust Engine, it is essential to understand:
Which security controls are your responsibility
Which security controls are provided as part of the Dispel platform
Which security controls are inherited from Dispel’s infrastructure
Inherited security controls—such as Dispel’s default encryption, secure development lifecycle, and disaster recovery/business continuity—can be used as evidence of compliance when engaging with auditors and regulators.
For example, IEC 62443 defines security standards for industrial automation and control systems. When deploying within Dispel, these compliance responsibilities are shared between your organization and Dispel. To better understand how IEC 62443 requirements are distributed, refer to Dispel’s IEC 62443 Shared Responsibility Matrix.
Similarly, in the United States, NIST SP 800-53 and CMMC (Cybersecurity Maturity Model Certification) establish security requirements for defense contractors and critical infrastructure operators. Dispel provides secure remote access, micro-segmentation, and real-time monitoring that help organizations meet these requirements.
Other industries—such as utilities, maritime, and healthcare—have regulations that define how data must be secured, processed, and stored. For more details on how Dispel supports compliance in these sectors, refer to our Compliance Resource Center.
Defined by location
Depending on your industry and operational needs, you may need to evaluate your security responsibilities based on the location of your business, your customers, and your data. Various countries and regions enforce regulatory requirements that dictate how data must be processed, stored, and accessed.
For example, if your organization serves customers in the European Union (EU), you may be required to comply with the General Data Protection Regulation (GDPR), which restricts transfers of personal data outside the EU, and you may therefore choose or be required to keep customer data on EU-based infrastructure. In that case, you are responsible for enforcing the data residency policy: confirming that collected data remains in Dispel's EU cloud regions for a SaaS deployment, or within your own EU-based infrastructure for a customer cloud or on-premises deployment.
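As an added example (not part of Dispel's documentation or product), the following AWS Organizations service control policy shows one way a customer running a customer cloud deployment in AWS could enforce such a residency policy on the account that hosts the Dispel components. The region list (eu-west-1 and eu-central-1) and the set of global services exempted from the deny are assumptions chosen for illustration; adjust both to your own requirements. The policy denies any API call whose requested region is outside the listed EU regions, so resources cannot be created elsewhere, while leaving global services such as IAM and STS usable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyRequestsOutsideEURegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "health:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

Two caveats apply. First, an SCP is a boundary on the customer's own accounts and has no effect on Dispel's SaaS regions, so for a SaaS deployment the check is to verify the region assigned to your tenant rather than to apply a policy. Second, the exemption list matters: denying global services such as IAM or STS by region breaks console and role-assumption flows, so test the policy on a non-production organizational unit and review the resulting AccessDenied events in CloudTrail before rolling it out.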
To better understand regional compliance requirements, refer to Dispel’s Compliance Offerings. If your compliance needs are complex—such as cross-border data transfer restrictions, industry-specific mandates, or hybrid deployments—we recommend speaking with Dispel’s security and compliance team or one of our partners to help you evaluate your responsibilities.