Responsibilities in the Cloud

Cloud Customer - has resonsibilities but ... varies depending on service model. They have no physical access.

Cloud Service Provider - has responsibilities but varies depending on the service model

Case Law is still being sorted out on how this will be handled.

GRC and data security is always handled by customer regardless of service model.

Foundations of managed Services

Business Requirements

In the end, the goal for this arrangement is to meet the customer's business requirements

• The cloud provider Perspective

  • Physical Plant - cloud provider

    • Purchase facility - free to make changes

    • Lease facility - not the best, may be limited on changes to make

    • Rural settings, provide the least amount of restrictions

  • Secure hardware components

    • Secure BIOS, TPM

    • Three categories of equipment - compute, storage, and networking

  • Manage hardware configuration

    • Each node, keep track of configuration and equipment type

  • Set hardware to log events and incidents

    • Ensure sufficient data related to activity on each machine gets recorded

  • Determine compute component composition by customer need

    • Keep data for customer on a host that is not used by other tenants

  • Configure secure remote administrative access

    • Provider must have access to components remotely.

  • Secure logical framework

    • Install virtual OS

  • Secure Config of various elements

  • Secure networking

    • Firewalls

    • IDS/IPS

    • Honeypots

    • Vulnerability assessments - scan network find weaknesses

    • Communication Protection

      • Encryption

      • VPNs

    • Strong authentication

Management Plane

• • • Physical - endorce hw baselines

    • Logical - maintain and update sw/hw

    • Networking

    • Risks - must be configured exactly - great risk

Mapping and Selection of Controls

• Identify governance

• Identify jurisdiction based on physical location

Shared Responsibilities by Service Type

IAAS

customer responisble for infrastructure security

Provider everything else

PAAS

Provider - physical and OS Security

Customer -everything else

SAAS

Provider all hw/sw

Customer - data and configuration

Shared Administration of OS Middleware and Applications

PAAS/SAAS - shared control over software elements by customer and provider

Maintain OS with backups/snapshots, etc...

Benefits of having many eyeballs maintain the OS software, i.e. open source

Share Responsibilities: Data Access

Customer Directly Administers Access

• IAAS - yes always

• PAAS/SAAS - not common, need to be spelled out in a process

Provider administers access on behalf of customer

• Need aggreed upon process

Third Party - CASB administers access

• 3rd Party makes changes to cloud on behalf of customer - need agreed upon process

Lack of Physical Access

• Audits - done by 3rd party, passed to vendor, are used by customers to validate configuration, security, etc..

• SOC 1 - Financial reporting info

• SOC 2 - Report on security controls

  • Type 1 - design of controls

  • Type 2 - assessment of controls at an organization

• Shared Policy

  • Contract/SLA

  • Reports

  • Financial Restitution from a breach possible if customer can show cloud provider didn't follow their requirements

• Shared Monitoring and Testing

  •