Deployment and Service Model Risk in Cloud
| Cloud Service Model | Layers in scope |
| --- | --- |
| Software as a Service (SaaS) | Application, CRM |
| Platform as a Service (PaaS), Cloud OS | Operating System (Windows, Linux) |
| Infrastructure as a Service (IaaS) | Connectivity, Utilities, Virtual Machine, Hypervisor, Servers, Storage, Networking, Data Center |
| Responsibilities, by service model for Public Cloud | Infrastructure as a Service (IaaS) | Platform as a Service (PaaS) | Software as a Service (SaaS) |
| --- | --- | --- | --- |
| Governance, Risk and Compliance | Customer Responsibility | Customer Responsibility | Customer Responsibility |
| Data Security | Customer Responsibility | Customer Responsibility | Customer Responsibility |
| Application Security | Customer Responsibility | Customer Responsibility | Shared Responsibility |
| Platform Security | Customer Responsibility | Shared Responsibility | Cloud Service Provider Responsibility |
| Infrastructure Security | Shared Responsibility | Cloud Service Provider Responsibility | Cloud Service Provider Responsibility |
| Physical Security | Cloud Service Provider Responsibility | Cloud Service Provider Responsibility | Cloud Service Provider Responsibility |
| Risks a Private Cloud faces | Risks a Public Cloud faces |
| --- | --- |
| Personnel Threats | Personnel Threats |
| Natural Disasters | Natural Disasters |
| External Attacks | External Attacks |
| Regulatory Noncompliance | Regulatory Noncompliance |
| Malware | Malware |
| Customer Risk | Considerations |
| --- | --- |
| Vendor Lock-in | Ensure favorable contract terms for portability; avoid proprietary formats; no physical limitation to moving; regulatory constraints |
| Vendor Lock-out | Provider longevity; core competency; jurisdictional suitability; supply chain dependencies; legislative environment |
| Multitenant Environment | Conflict of interest; escalation of privilege; information bleed; legal activity |
| Infrastructure as a Service (IaaS) | Platform as a Service (PaaS) | Software as a Service (SaaS) |
| --- | --- | --- |
| Personnel Threats | Personnel Threats | Personnel Threats |
| External Threats | External Threats | External Threats |
| Lack of Specific Skillsets | Lack of Specific Skillsets | Lack of Specific Skillsets |
| Interoperability Issues | Interoperability Issues | |
| Virtualization | Virtualization | |
| Resource Sharing | Resource Sharing | |
| Proprietary Formats | | |
| Virtualization: attacks on the hypervisor, guest escape, information bleed, data seizure | | |
| Web Application Security | | |
| Private Cloud Threats | Countermeasure | Public Cloud Threats |
| --- | --- | --- |
| Malware | Host-based antimalware; network-based antimalware | Malware |
| Internal Threats | Background checks; separation of duties; least privilege; monitoring; egress monitoring | Internal Threats |
| External Attackers | Harden devices, hypervisors, and guest OS (VM); strong access control | External Attackers |
| Man-in-the-Middle Attacks | Encrypt data in transit | Man-in-the-Middle Attacks |
| Social Engineering | Regular training | Social Engineering |
| Theft/Loss of Devices | Physical access control; encryption of stored material; inventory control and monitoring; remote wipe or kill capability | Theft/Loss of Devices |
| Regulatory Violations | Knowledgeable, trained personnel; DRM | Regulatory Violations |
| Natural Disasters | Multiple redundancies (ISP and utilities); BCP/DR | Natural Disasters |
| | Access control and authentication; analysis and review of all log data | Escalation of Privilege |
| | Off-site backup or trusted third-party vendor | Contractual Failure |