Understanding Shared Security Responsibility Model of Public Cloud


Post on 11-Aug-2020


Understand Shared Security Responsibility Model Of Public Cloud

Choose The Cloud Model Best Aligned with Security & Compliance Obligations

Institute Controls To Fulfill Your Security Responsibilities In Public Cloud

By design, cloud is built on a shared security model in which Cloud Service Providers (CSPs) and users both have security responsibility. With the proliferation of cloud delivery models, it sometimes becomes difficult to delineate the boundaries of accountability for security.

To leverage cloud effectively, business strategy and compliance/security obligations need to be aligned with the shared security model of the cloud.

Historically, an enterprise running and managing its own IT infrastructure within its own data center was responsible for the security of that infrastructure and of the applications and data that run on it. When this business moves to a public cloud computing model, it transfers some (but not all) of these IT security responsibilities to its cloud provider. Both entities, cloud provider and cloud user, must work together and are responsible for various aspects of security.

Cloud Service Model Types – SaaS, PaaS, IaaS

There are three prevalent models of cloud service delivery - Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

Understanding Shared Security Responsibility Model of Public Cloud

Security In Public Cloud


Software as a Service (SaaS)

SaaS is the most familiar form of cloud service: the client's point of access to software running on servers is via browsers.

Use of SaaS reduces the cost of software ownership by removing the need for technical staff to install, manage, and upgrade software, as well as reducing the cost of licensing software.

The most familiar SaaS applications for business are CRM applications, productivity software suites like Google Apps, and storage solutions like Dropbox.


Platform as a Service (PaaS)

PaaS functions at a lower level than SaaS, typically providing a platform on which software can be developed and deployed.

PaaS is built on top of virtualization technology.

Businesses can request resources as they need them, scaling as demand grows, rather than investing in hardware with redundant resources.

Examples of PaaS providers include Heroku, Google App Engine, and Red Hat’s OpenShift.

Infrastructure as a Service (IaaS)

IaaS, which is the fundamental and most flexible building block, comprises highly automated and scalable compute, storage and network capability, which can be self-provisioned, metered, and available on-demand.

Users of IaaS can outsource and build a “virtual data center” in the cloud and have access to many of the same technologies and resource capabilities of a traditional data center without having to invest in capacity planning or the physical maintenance and management of it. The following exhibit depicts the benefits of each model and some examples.

Separation of Responsibilities

Staying secure in a cloud is a shared responsibility. The type of cloud service model (IaaS, PaaS or SaaS) dictates who is responsible for which security task.

SaaS moves the task of managing software and its deployment to third-party services. In a SaaS model, the provider is primarily responsible for the infrastructure and software stack, as the user has less control over these components.

PaaS provides its clients an environment in which the O/S, server software, and the underlying hardware and network infrastructure are taken care of. This leaves the user free to focus on their product or service.


Contact us

https://www.cloudoptics.io

India Phone: +91-88926-07042

US Phone: +1-508-310-5457

E-mail: [email protected]

Twitter: CloudOptics1


In IaaS, the cloud provider supplies and is responsible for securing basic cloud infrastructure components, such as virtual machines, disks and networks. The provider is also responsible for the physical security of the data centers that house its infrastructure. IaaS users are generally responsible for the security of the operating system and software stack required to run their applications, as well as their data.

Users' responsibilities generally increase as they move from SaaS to PaaS to IaaS.

Implication of Cloud Model on business

The choice of cloud model has a direct bearing on the business, governance & compliance.

For example, AWS, as an IaaS, may claim to be PCI compliant; however, a customer using AWS may not be PCI compliant until it implements the required controls for the layers O/S and above. Hence each customer must implement additional controls, such as vulnerability management programs and continuous configuration monitoring, to safely consume an IaaS service.