Shared Responsibilities for Security in the Cloud, Part 2
By Alexander Anoufriev, CISO, ThousandEyes
Shared Responsibilities for Security in the Cloud continues...
Infrastructure Protection Services
This domain uses a traditional defense in depth approach to make sure that the data containers and communications channels are secure. For infrastructure protection services, all server, network, and application-related processes are fully owned by the service provider (see Figure 5).
End-point security remains an independent object on both sides of the responsibility matrix. The service provider is responsible for securing the end-points used by its workers, while the service consumers ensure the security of their own desktops, laptops, and other end-user computing devices.
This domain is really the most central to information security, since data is the asset we protect. Data protection needs to cover all data lifecycle stages, data types, and data states. Data stages include creation, storage, access, roaming, sharing, and retention. Data types include unstructured data such as word processing documents, structured data such as data within databases, and semi-structured data such as emails.
As is to be expected, this is one of the most involved areas of information security for both parties. See Figure 6 for detailed information on the responsibilities of these two parties. Data lifecycle management is a process driven by the asset owner. Often, the customer of the service is also the owner. At ThousandEyes, this is always the case. Other processes/services have their own implementations on both sides.
Policies and Standards
Security policies and standards are derived from risk-based business requirements. They include Information Technology security (infrastructure and applications), physical security, business security, and human resources security. Security policies are statements that capture requirements specifying what type of security and how much should be applied to protect the business. Figure 7 provides details on responsibility relating to policies and standards.
As we can see, in the cloud era, the provider owns the operational security baseline (the consumer still owns their part, which is minimal for the scope of provided services and represents end-point and connectivity parts). Job aid guidelines traverse both parties, and the data owner (consumer) defines data classification. All other processes/services exist in their scope at both sides.
In a shared security model it is really important to understand who is responsible for what. This must be defined in associated security level agreements. Ask your CSP what you should do to ensure that security is implemented end-to-end and your data stays secure despite changing operational responsibilities.