Cloud Security Responsibilities

00:01

this video, we're gonna talk about cloud security responsibilities. We're going to review the distribution of responsibilities between the providers and the consumers. Introduce tools for assessing a provider, security controls and assessing your own security controls in place. And then we'll walk through a cloud security process model.

00:21

This simple diagram provides some very powerful information in terms of the shared responsibility model between the consumers and the providers in a SAS model on the far right. That's where the provider themselves has the majority of responsibility when it comes to securing

00:40

the infrastructure physical layer

00:42

logical layer, making sure that the wrong application ports aren't exposed. That would allow AH, bad actor to gain access, say, two SS age or to other, more privileged actions

00:57

they are responsible for even making sure that their application is secure. Itself may be deploying a Web application, firewall

01:04

or some other means to detect erratic behaviors in illicit usage patterns of the software that they're providing. They're still responsibilities of the consumer, but it's primarily the provider, and as we move towards platform as a service, the cloud provider is responsible for the security of the platform.

01:23

So, for example, in the case of a database as a service type platform. The provider is. It is their responsibility to make sure that the virtual machines hosting the underlying database are getting patched, their set up securely and the core configurations are in place.

01:41

But the consumer, in that example, is going to be responsible for other things, such as ensuring there are security rules around who can connect to this managed database. What machines can connect to it? Are there restrictions on the incoming I P addresses? Is it only for

01:59

machines that reside within a certain virtual network, or VPC area? What are the

02:04

counts that are used within the database itself? The admin account, the user accounts, permissions of the accounts to perform database operations? Those responsibilities sit with the consumer, so it's a little more split down the middle. And then, as we move over the infrastructure as a service

02:22

in this situation, a lot is going to be sitting on the consumer

02:25

because there's fitting of virtual machines. And if they decide to expose all sorts of ports to the general public Internet and not put in place certain firewalls, additional precautions, that machine could very quickly get poem. Another example would be the perimeter attacks. The consumer is fully responsible for that define

02:45

implement their virtual network security

02:47

and making sure that people can't just get into the underlying virtual machines can't directly access database storage. This is a very simplistic picture, and I really like how this allocates and is introducing the concept of shared responsibilities is this is a recurring theme throughout security in general, but definitely in cloud security room.

03:07

In fact, you really want to make sure one of your top considerations of cloud concerning

03:13

is really understanding where who is responsible for what, Where is that line drawn between what the cloud provider is responsible for and the cloud consumer? If you're a cloud provider itself, you're gonna be interested in drawing that line too, and fulfilling all your responsibilities to Certainly, if you're a cloud consumer,

03:30

you want to know where is the provider going to stop providing security, and what capabilities

03:36

are they not going to take responsibility for?

03:38

The Cloud Security Alliance has some tools to help in this process of assessment. When you're dealing with really big public cloud providers, they're very unlikely to negotiate specific terms with you on our contract unless, say, you are coming in and it's called Project Jet I

03:57

and you're the Pentagon and you are providing a bid for $18 billion.

04:00

Then the big cloud providers are much more willing to make amends to their standard agreements. But for the most part in the private industry, you are going to be following a lot of the public cloud providers thing, prerequisites and existing terms, which define and layout

04:18

the variance in the shared responsibilities

04:21

on a SAS provider. At, however,

04:24

they may not be that big. They may be big, but they may not have well defined terms. Either way, the cake is a great c ai que cake. The consensus assessment information questionnaire is a great tool, a great starting point for organizations when they want to assess cloud vendors

04:42

and understand what kind of security and precautions do these cloud vendors have in place.

04:46

And then the clouds controls matrix helps you evaluate the different security controls that themselves are in place, regardless, is that the Provence ability of the provider is the responsibility of the cloud consumer. You want to make sure your implementations are secure and meeting compliance.

05:03

We will look at both of these more in depth in a later lesson,

05:08

but I want to introduce them here because I will be making reference to them as we proceed in subsequent lessons.

05:15

Last but not least, let's talk about the cloud security process model, right? What's the way you go about thinking off security? And how does the underlying technology affect security controls? Who will consume the assets and information and resource is

05:31

who's responsible for governance, security and compliance? These are all questions we wanted.

05:36

Answer. So we start by identifying the requirements because each project should be evaluated separately, they may use a different set of technologies. Some maybe appear, I asked. Base right, Some may be purely sass. You may be linking together multiple SAS vendors, and you have to jungle things. So identify the requirements. Select the provider service in deployment models

05:56

that help meet your compliance requirements and security requirements, defining the architecture

06:01

of the cloud. This could be just SAS integrations, assessing the security controls of these providers that are in place, identifying control gaps, implementing controls around those gaps and then finally managing subsequent and following changes

06:17

so It's important that you know the cloud architecture before you're translating into security requirements

06:23

or you're taking your security requirements and implementing controls to enforce those security requirements, as this allows you to identify the gaps based on the cloud providers own capability. No reason to create controls for something that the cloud provider conduce you.

06:39

And

06:40

you also want to know what are the controls and capabilities that the cloud provider is going to hit over to you, that you yourself are going to be responsible for configuring, managing and maintaining

06:53

just to summarize what we've covered in this video. We talked a lot about the balance of security responsibilities between the provider and the consumer in the different deployment models and in the different paradigms. Introduce Cake and CCM for assessing a provider security controls, as well as for assessing the implementation of a particular security.

07:13

Excuse me, a cloud

07:14

implementation a cloud system and assessing the cloud security aspects of it. That's what the CCM is useful for, and we talked about the steps for building and maintaining the security controls that you want to put in place, mitigating what you have to being aware of what's available to you,

07:30

and that wraps up this short video I look forward to continuing on it. Pretty much finishes down this domain. One