Security Responsibility by Service Model

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:01
>> We talked about the Cloud security process
00:01
and now we're really going to
00:01
talk about the security responsibilities
00:01
by service model.
00:01
Now we've gone into this
00:01
in our discussion of past service models,
00:01
but now we're going to take it a layer
00:01
deeper to understand at a granular level,
00:01
each of the security concerns
00:01
>> and how they differ between the service models.
00:01
>> In this lesson, we're going to discuss
00:01
the security considerations
00:01
>> for each service model
00:01
>> and then very importantly,
00:01
>> the division of responsibility between
00:01
customer and the provider.
00:01
In this diagram you see
00:01
all our service models: infrastructure service, platform
00:01
and software service
00:01
>> and then also it's contrasted with on-premise.
00:01
>> The blue refers to what
00:01
is the responsibility of the customer,
00:01
the gray is what's
00:01
in the responsibility of the Cloud provider.
00:01
It's also important to see
00:01
>> that some of these security responsibilities
00:01
>> are shared between the two.
00:01
>> Now, what's always the customer's responsibility
00:01
is data classification and accountability.
00:01
We're going to go into this more in future lessons,
00:01
but data classification is really
00:01
identifying what is the value of the data?
00:01
What protections does it require?
00:01
>> Where is it?
00:01
>> How do you ensure
00:01
>> that you've effectively labeled data
00:01
>> or the environments to ensure that
00:01
>> data of a certain sensitivity level is protected.
00:01
This is always the customer's responsibility
00:01
across all of the various models.
00:01
Client and end-point protection.
00:01
This is also largely
00:01
>> the responsibility of the customer,
00:01
>> except a little bit of shared responsibility
00:01
>> when it comes to software as a service.
00:01
>> Client end-point protection refers to
00:01
ensuring that all of the devices
00:01
>> that are going to connect wirelessly
00:01
>> to your Cloud environment
00:01
>> are appropriately monitored
00:01
>> for security threats and vulnerabilities,
00:01
>> have antivirus software, etc.
00:01
Ensure that they are able to
00:01
connect in a secure manner.
00:01
Next responsibility is identity and access management.
00:01
You'll see that this one is shared between
00:01
the customer and the provider in platform
00:01
as a service and software as a service
00:01
because as the models shift,
00:01
the provider is taking even more responsibility
00:01
>> for management of the underlying infrastructure.
00:01
>> Identity and access management is ensuring
00:01
that everybody who is
00:01
accessing this Cloud environment know who they are.
00:01
You know the
00:01
>> rights that they're supposed to have
00:01
>> and that this individual has to truly authenticate
00:01
>> who they are before granting access
00:01
>> to the Cloud environment.
00:01
>> In addition to setting up technical controls that
00:01
enforce identity and access management,
00:01
there has to be good governance and policies on
00:01
the inside of the environment to ensure
00:01
that the logical access is reviewed for appropriateness.
00:01
That there's segregation of duties,
00:01
that people can't necessarily create cheques
00:01
and write cheques to themselves, as a classic example.
00:01
Then also that over time,
00:01
people's responsibilities don't grow beyond what
00:01
their job really needs to ensure
00:01
enforce what they refer to as least privilege.
00:01
Then the next level is application level controls.
00:01
This is application security.
00:01
This one is most important
00:01
>> for infrastructure as a service
00:01
>> and then it's all just shared in platform as a service
00:01
>> where we talked about many software environments
00:01
>> are being developed.
00:01
This is ensuring that
00:01
>> there's a secure software development
00:01
>> life cycle, that vulnerabilities
00:01
>> and application are constantly being
00:01
>> tested, patched and monitored.
00:01
Then network controls,
00:01
this is really only a small segment
00:01
that's in the responsibility of the customer
00:01
where it's important that the provider has
00:01
effective controls to monitor performance
00:01
>> and security threats on their network,
00:01
>> proper segmentation to ensure
00:01
that customers' data doesn't get commingled
00:01
>> or that customers are able to escalate further
00:01
>> and get access to other customers' data.
00:01
>> A lot of these controls are
00:01
enforced at the network layer.
00:01
The host security.
00:01
This is really ensuring that
00:01
>> there's proper security over
00:01
>> individual servers and hardware
00:01
that's running on the host infrastructure.
00:01
As you can see,
00:01
>> this is for the most part
00:01
>> the Cloud provider's responsibility.
00:01
>> The Cloud provider really
00:01
>> has to do effective due diligence
00:01
>> to show customers that
00:01
>> they are being a good steward
00:01
>> when it comes to host security.
00:01
>> Then physical security.
00:01
This one is very squarely in
00:01
the Cloud provider's responsibility.
00:01
One of the advantages of shifting
00:01
and using a Cloud provider is that
00:01
>> you don't have to worry about the utilities
00:01
>> and they always use the phrase guards,
00:01
>> guns and gates
00:01
>> to keep people out of the data center,
00:01
>> but still a very important piece of maintaining.
00:01
There is no security without physical security.
00:01
This is a huge responsibility
00:01
in the Cloud provider's perspective.
00:01
We've now gone through
00:01
>> all of the different service models
00:01
>> and all these different categories of responsibility.
00:01
We're going to go in more depth throughout this course.
00:01
But at a high level,
00:01
these are all the security considerations
00:01
>> and how they exist on
00:01
>> this gradient of shared responsibility
00:01
within the Cloud customer and the Cloud provider.
00:01
Quiz question.
00:01
>> Which Cloud service model comes with
00:01
>> the greatest security responsibility for the customer?
00:01
Is it software as a service?
00:01
Platform as a service?
00:01
Or infrastructure as a service?
00:01
If you said infrastructure as a service,
00:01
>> you are correct.
00:01
>> Now, our diagram also had on-premise
00:01
>> in which the customer
00:01
>> is responsible for everything.
00:01
That gets at many of the advantages from
00:01
a cost perspective of shifting to the Cloud but
00:01
introduces new risks in terms of shared responsibility.
00:01
In regards to this question,
00:01
infrastructure as a service definitely
00:01
>> has the greatest security responsibilities
00:01
>> because the customer is more responsible
00:01
>> for all those different facets
00:01
>> of securing the Cloud environment
00:01
when compared to the provider.
00:01
In this lesson, we talked about
00:01
>> how security considerations differ on
00:01
>> the Cloud service models
00:01
>> and then also talked about
00:01
>> how there's shared responsibility
00:01
>> for some aspects of Cloud security.
00:01
>> Then also areas where there's a need for coordination,
00:01
where there's direct shared responsibility,
00:01
where there isn't a clear dividing line between
00:01
the provider and the customer
00:01
when it comes to securing the environment.
00:01
Then we also talked about many of the controls
00:01
>> and considerations with
00:01
>> each of these security responsibilities.
00:01
>> We covered a lot in this lesson
00:01
but I'll see you in the next one.