How to Share the Security Responsibility Between the CSP and Customer
By Dr. Kai Chen, Chief Security Technology Officer, Consumer BG, Huawei Technologies Co. Ltd.
The behemoths of cloud service providers (CSPs) have released shared security responsibility related papers and articles, explaining their roles and responsibilities in cloud provisioning. Although they share similar concepts, in reality, there are different interpretations and implementations among CSPs.
While there are many cloud security standards to help guide CSPs in fulfilling their security responsibilities, the cloud customers still find it challenging to design, deploy, and operate a secure cloud service. “Guideline on Effectively Managing Security Service in the Cloud” (referred to as the ‘Guideline’) developed by CSA’s Cloud Security Services Management (CSSM) Working Group provides an easy-to-understand guidance for cloud customers. It covers how to design, deploy, and operate a secure cloud service for different cloud service models, namely IaaS, PaaS, and SaaS. Cloud customers can use it to help ensure the secure running of service systems.
In the Guideline, the shared security responsibility figure was developed with reference to Gartner’s shared security responsibility model. It illustrates the security handoff points for IaaS, PaaS, and SaaS cloud models. The handoff point moves up the stack across the models. Staying Secure in the Cloud Is a Shared Responsibility, Gartner,
Security responsibility division between CSPs and cloud customers in different cloud service models.
While there are differences in the security responsibility across the models, some responsibilities are common to all cloud service models:
CSPs’ Common Security Responsibilities
- Physical security of the infrastructure, including but not limited to: equipment room location selection; power supply assurance; cooling facilities; protection against fire, water, shock, and theft; and surveillance (for details about the security requirements, see related standards)
- Security of computing, storage, and network hardware
- Security of basic networks, such as anti-distributed denial of service and firewalls
- Cloud storage security, such as backup and recovery
- Security of cloud infrastructure virtualization, such as tenant resource isolation and virtualization resource management
- Tenant identity management and access control
- Secure access to cloud resources by tenant
- Security management, operating monitoring, and emergency response of infrastructure
- Formulating and rehearsing service continuity assurance plans and disaster recovery plans for infrastructure
Cloud Customers’ Common Security Responsibilities
- User identity management and access control of service systems
- Data security (in the European General Data Protection Regulation (GDPR) mode, cloud customers control the data and should be responsible for data security while CSPs only process the data and should take security responsibilities granted by data controllers.)
- Security management and control of terminals that access cloud services, including hardware, software, application systems, and device rights
Besides that, the Guideline contains chapters that describe the technical requirements for the security assurance of cloud service systems and provides an implementation guide based on the existing security technologies, products, and services. It also illustrates security assurance technologies, products, and services that CSPs and customers should provide in different cloud service models as mentioned previously.
Security responsibilities between CSPs and cloud customers
Mapping of the Guideline with CCM
To help provide an overview to end users about the similarities and differences between the security recommendations listed in the Guideline and the Cloud Controls Matrix (CCM) controls, the CSSM working group conducted a mapping of CCM version 3.0.1 to the Guideline.
The Mapping of “Guideline on Effectively Managing Security Service in the Cloud” Security Recommendations to CCM was a one-way mapping, using the CCM as base, done in accordance with the Methodology for the Mapping of the Cloud Controls Matrix.
The mapping document is supplemented with a detailed gap analysis report that breaks down the gaps in each CCM domain and provides recommendations to readers.
“This mapping work brings users of the Guideline a step closer to being CCM compliant, beneficial to organizations looking to extrapolate existing security controls to match another framework, standard or best practice,” said Dr. Chen Kai, Chief Security Technology Officer, Consumer BG, Huawei Technologies Co. Ltd., and chair of the CSSM Working Group.
Users of the Guideline will be able to bridge lacking areas with ease based on the gap analysis. By understanding what it takes to go from the Guideline to CCM, the mapping work complements the Guideline to help users achieve holistic security controls.
Download the gap analysis report on mapping to the CSA’s Cloud Controls Matrix(CCM) now.
Learn more about the Cloud Services Management Working Group here.