line: on one side of the line, the cloud provider possesses responsibility for
security measures; on the other, the cloud user possesses responsibility (see
Figure 13.2). On the cloud provider's side of the trust boundary, the user is a
passive assessor of what the cloud provider implements in terms of security
practices. On the cloud user's side of the trust boundary, the user is an active
implementer of security practices.
The location of the trust boundary varies according to what model of cloud computing is being used: IaaS, PaaS, or SaaS. Each model has the cloud provider taking on a different level of responsibility for the total application, and thereby moves where the trust boundary is located. The thick black zigzag line indicates where the trust boundary lies for each Cloud delivery model. As an example, in a PaaS environment, the Cloud provider is responsible for the security of the infrastructure and the middleware, while the Cloud user retains responsibility for the security of the application itself. As these descriptions show, the Cloud user cannot simply assume the provider's side is secure: the user must audit and evaluate whether the security measures the provider applies in its areas of responsibility are sufficient.
Every Cloud provider offers a security framework into which users integrate their application. Naturally, every provider has a somewhat different framework, so it is incumbent upon users to understand the framework and ensure that they integrate with it properly. This is not merely good practice; it is essential. Without understanding the security framework presented by the Cloud provider, it is likely that the Cloud user will fail to configure its usage properly, and thereby leave security vulnerabilities that may be exploited by attackers.
Figure 13.2 is a chart of security responsibilities of each of the three Cloud delivery models, along three key areas of responsibility: infrastructure, operating system (and middleware), and application. Here are brief descriptions of each area of responsibility:
1. Application: This area refers to the software used to provide the actual functionality of the application itself. Falling under this area are topics like: software component version verification, patch installation practices, application identity management, and the like.
2. Operating system and middleware: This area refers to software components that provide the operating environment within which the application runs. Key security issues for this area of responsibility include whether appropriate security software is installed within the OS, patch installation practices, administrative access to manage these components, and so on.
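The trust-boundary idea above (the provider secures the layers on its side of the line, the user implements controls on its own side and can only audit the provider's) can be turned into a simple gap check for a deployment. The following Python is an added example, not code from the book or from any cloud provider. The PaaS split follows the chapter's description; the IaaS and SaaS splits, the infrastructure-layer control names and the sample deployment are assumptions made for this example.

```python
"""Shared-responsibility gap check for a cloud deployment (added example).

Encodes the chapter's trust boundary: for each delivery model, some layers are
the provider's responsibility (the user is a passive assessor and can only
review evidence) and the rest are the user's (the user must implement controls).
"""
from dataclasses import dataclass, field

LAYERS = ("infrastructure", "os_and_middleware", "application")

# Layers the PROVIDER secures for each delivery model.
# PaaS follows the chapter's description (provider: infrastructure and
# middleware; user: application). IaaS and SaaS use the conventional
# shared-responsibility split -- an assumption, not spelled out on the page.
PROVIDER_LAYERS = {
    "IaaS": {"infrastructure"},
    "PaaS": {"infrastructure", "os_and_middleware"},
    "SaaS": {"infrastructure", "os_and_middleware", "application"},
}

# Control expectations per layer. The application and OS/middleware entries
# are taken from the chapter's descriptions; the infrastructure entries are
# assumed for this example.
LAYER_CONTROLS = {
    "application": {
        "component_version_verification",
        "application_patching",
        "application_identity_management",
    },
    "os_and_middleware": {
        "os_security_software",
        "os_patching",
        "admin_access_control",
    },
    "infrastructure": {
        "physical_security",
        "network_isolation",
    },
}


def split_responsibility(model):
    """Return (provider_layers, user_layers) for a delivery model."""
    provider = set(PROVIDER_LAYERS[model])
    user = set(LAYERS) - provider
    return provider, user


@dataclass
class Deployment:
    model: str
    # Controls the user has actually implemented on its side of the boundary.
    implemented: set = field(default_factory=set)
    # Provider-side controls for which the user has reviewed evidence
    # (e.g. an audit report): the passive-assessor role from the chapter.
    provider_evidence_reviewed: set = field(default_factory=set)


def gap_report(dep):
    """Report what the user still has to implement, what it still has to
    audit, and any controls it placed on the wrong side of the line."""
    provider_layers, user_layers = split_responsibility(dep.model)
    must_implement = set().union(*(LAYER_CONTROLS[l] for l in user_layers))
    must_audit = set().union(*(LAYER_CONTROLS[l] for l in provider_layers))
    return {
        "missing_user_controls": sorted(must_implement - dep.implemented),
        "unaudited_provider_controls": sorted(
            must_audit - dep.provider_evidence_reviewed),
        # Controls configured on the provider's side of the boundary suggest
        # the boundary itself was misunderstood.
        "misplaced_user_controls": sorted(dep.implemented & must_audit),
    }


# Constructed sample: a PaaS deployment that patches its own application,
# mistakenly tries to patch the provider-run OS, and has only reviewed the
# provider's physical-security evidence.
SAMPLE_PAAS = Deployment(
    model="PaaS",
    implemented={"application_patching", "os_patching"},
    provider_evidence_reviewed={"physical_security"},
)

if __name__ == "__main__":
    for key, items in gap_report(SAMPLE_PAAS).items():
        print(f"{key}: {', '.join(items) or '(none)'}")
```

Running the block prints the three findings for the sample PaaS deployment: the application-layer controls still to implement, the provider-side controls for which no evidence has been reviewed, and `os_patching` as a control that sits on the provider's side of the PaaS boundary. Switching the model to SaaS empties the "missing user controls" list entirely, which is exactly the chapter's point that the boundary, not the user's effort, decides what is left to implement.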