Wednesday, 30 November 2016

A look at the shared responsibility model of cloud providers

Many cloud providers now offer a shared responsibility model for their customers. Expert Dave Shackleford looks at the major providers' models and what they might be missing.

As the use of cloud computing has grown, so has the concept of the shared responsibility model for data protection and cybersecurity in general. While not a new concept -- we've shared security responsibilities with most outsourcing arrangements for many years -- the nature of shared security responsibilities has changed with the advent of the cloud. In a recent whitepaper, Microsoft made it clear that it supports shared responsibility in the cloud, but not all shared responsibility models are created equal. Microsoft stated that defining data classification and protection controls is the responsibility of the customer, and then progressed down through the cloud computing stack, describing application and operating system controls, network capabilities and the underlying host infrastructure, which includes hypervisors, storage components, redundancy and scalability tools and more. The following breaks down the basic responsibility model Microsoft describes in its paper:
  • Data protection and classification: Customer responsibility in all models;
  • Endpoint and client protection: These are the responsibility of the customer except in software as a service (SaaS) environments, where the responsibility is shared. An example would be mobile device security when using Microsoft Intune;
  • Identity and access management: With SaaS and platform as a service (PaaS) offerings, identity and access management is shared, but it is entirely the responsibility of the customer in infrastructure as a service (IaaS) environments;
  • Application-level control: Naturally, application-level controls within SaaS offerings are secured by the providers. PaaS offerings are shared, and IaaS requires the customer to secure the application stacks they deploy;
  • Network control: This is very limited, and only partial network configuration is available within IaaS; the provider controls everything else; and
  • Host infrastructure: Much like the network, the underlying computer stack is managed almost entirely by providers -- only in IaaS environments will consumers have any access to or control over some of these capabilities.

Shared responsibility models in other cloud providers

Amazon Web Services follows a similar model. AWS breaks down the responsibility model into two primary categories: security in the cloud, and security of the cloud. Security in the cloud is the responsibility of the customer, and this includes data protection, identity and access management, operating system configuration, network security -- access controls -- and encryption. AWS is responsible for the underlying pieces of the infrastructure, including the compute elements, storage infrastructure, databases and networking.

Most other cloud providers follow a similar model to Microsoft's and Amazon's. CenturyLink has a published shared responsibility model that also includes secure coding as one of its core responsibilities. Google does not have a public site or document describing its shared responsibility model for the Google Cloud platform, but it does have a document specifically outlining shared responsibility in its cloud for meeting PCI DSS compliance. All cloud providers are wholly responsible for physical security of their data center environments.

What's missing from the shared responsibility model?

One area that shared responsibility models rarely cover is security processes and workflows. For example, who is responsible for what aspects of incident response in the cloud? Microsoft attempts to address this in another recently published whitepaper that describes its concept of shared responsibility for incident response. For any areas of customer responsibility -- within a VM running in the Azure IaaS cloud, for example -- Microsoft does not perform intrusion monitoring or incident response. For Microsoft's areas of responsibility, it details the roles and responsibilities of all team members, as well as notifications and communications for each stage and steps taken within the internal incident response teams.

Currently, most other providers offer little guidance in the way of security process responsibilities, leaving this somewhat of a mystery to many until contracts are reviewed. Hopefully, more large providers will follow Microsoft's lead and document all responsibility aspects of both security controls maintenance and security processes and workflows in the near future.
