Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Shared Responsibilities for Security in the Cloud, Part 2

Published 11/25/2014

Shared Responsibilities for Security in the Cloud, Part 2

By Alexander Anoufriev, CISO, ThousandEyes

Shared Responsibilities for Security in the Cloud continues...

Infrastructure Protection Services

This domain uses a traditional defense in depth approach to make sure that the data containers and communications channels are secure. For infrastructure protection services, all server, network, and application-related processes are fully owned by the service provider (see Figure 5).

Fig 5 Figure 5: Responsibility for Infrastructure Protection Services

End-point security remains an independent object on both sides of the responsibility matrix. The service provider is responsible for securing the end-points used by its workers, while the service consumers ensure the security of their own desktops, laptops, and other end-user computing devices.

Data Protection

This domain is really the most central to information security, since data is the asset we protect. Data protection needs to cover all data lifecycle stages, data types, and data states. Data stages include creation, storage, access, roaming, sharing, and retention. Data types include unstructured data such as word processing documents, structured data such as data within databases, and semi-structured data such as emails.

Fig 6 Figure 6: Responsibility for Data Protection

As is to be expected, this is one of the most involved areas of information security for both parties. See Figure 6 for detailed information on the responsibilities of these two parties. Data lifecycle management is a process driven by the asset owner. Often, the customer of the service is also the owner. At ThousandEyes, this is always the case. Other processes/services have their own implementations on both sides.

Policies and Standards

Security policies and standards are derived from risk-based business requirements. They include Information Technology security (infrastructure and applications), physical security, business security, and human resources security. Security policies are statements that capture requirements specifying what type of security and how much should be applied to protect the business. Figure 7 provides details on responsibility relating to policies and standards.

Fig 7 Figure 7: Responsibility for Security Policies and Standards

As we can see, in the cloud era, the provider owns the operational security baseline (the consumer still owns their part, which is minimal for the scope of provided services and represents end-point and connectivity parts). Job aid guidelines traverse both parties, and the data owner (consumer) defines data classification. All other processes/services exist in their scope at both sides.

Conclusion

In a shared security model it is really important to understand who is responsible for what. This must be defined in associated security level agreements. Ask your CSP what you should do to ensure that security is implemented end-to-end and your data stays secure despite changing operational responsibilities.

References

Security and Risk Management TCI Domain.

Share this content on your favorite social network today!