Deployment and Service Model Risk in Cloud
Cloud Service Model | Layer delivered to the customer |
Software as a Service (SaaS) | · Application (e.g. CRM) |
Platform as a Service (PaaS), the "cloud OS" | · Operating system (Windows, Linux) |
Infrastructure as a Service (IaaS) | · Virtual machines · Hypervisor · Servers · Storage · Networking · Connectivity · Utilities · Data center |
Responsibilities, by service model, for public cloud (each cell names who is responsible for that layer)
Security layer | Infrastructure as a Service (IaaS) | Platform as a Service (PaaS) | Software as a Service (SaaS) |
Governance, Risk and Compliance | Customer | Customer | Customer |
Data Security | Customer | Customer | Customer |
Application Security | Customer | Customer | Shared |
Platform Security | Customer | Shared | Cloud Service Provider |
Infrastructure Security | Shared | Cloud Service Provider | Cloud Service Provider |
Physical Security | Cloud Service Provider | Cloud Service Provider | Cloud Service Provider |
Risks a private cloud faces | Risks a public cloud faces |
Personnel Threats | Personnel Threats |
Natural Disasters | Natural Disasters |
External Attacks | External Attacks |
Regulatory Noncompliance | Regulatory Noncompliance |
Malware | Malware |
Further customer-side risks (public cloud)
Vendor Lock-in (customer risk) | · Ensure favorable contract terms for portability · Avoid proprietary formats · No physical limitation to moving · Regulatory constraints |
Vendor Lock-out (customer risk) | · Provider longevity · Core competency · Jurisdictional suitability · Supply chain dependencies · Legislative environment |
Multitenant Environment (customer risk) | · Conflict of interest · Escalation of privilege · Information bleed · Legal activity |
Risks by service model
Infrastructure as a Service (IaaS) | Platform as a Service (PaaS) | Software as a Service (SaaS) |
Personnel Threats | Personnel Threats | Personnel Threats |
External Threats | External Threats | External Threats |
Lack of Specific Skillsets | Lack of Specific Skillsets | Lack of Specific Skillsets |
Interoperability Issues | Interoperability Issues | |
Virtualization | Virtualization | |
Resource Sharing | Resource Sharing | |
Proprietary Formats | | |
| | Web Application Security |
Virtualization risks | · Attacks on the hypervisor · Guest escape · Information bleed · Data seizure |
Threats and countermeasures
Private Cloud Threat | Countermeasures | Public Cloud Threat |
Malware | · Host-based antimalware · Network-based antimalware | Malware |
Internal Threats | · Background checks · Separation of duties · Least privilege · Monitoring · Egress monitoring | Internal Threats |
External Attackers | · Harden devices, hypervisors, and guest OSs (VMs) · Strong access control | External Attackers |
Man-in-the-Middle Attacks | · Encrypt data in transit | Man-in-the-Middle Attacks |
Social Engineering | · Regular training | Social Engineering |
Theft/Loss of Devices | · Physical access control · Encryption of stored material · Inventory control and monitoring · Remote wipe or kill capability | Theft/Loss of Devices |
Regulatory Violations | · Knowledgeable, trained personnel · DRM | Regulatory Violations |
Natural Disasters | · Multiple redundancies (ISP and utilities) · BCP/DR | Natural Disasters |
| · Access control and authentication · Analysis and review of all log data | Escalation of Privilege |
| · Off-site backup or trusted third-party vendor | Contractual Failure |
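The "Analysis and review of all log data" countermeasure against escalation of privilege is easiest to see in working form. The following is an added example, not code from the original study notes: it runs over a handful of constructed syslog-style lines (standard sudo and usermod message formats) and flags a denied sudo attempt, a successful sudo by an account outside the approved administrator set, and a user being added to a privileged group, then links a group promotion to a later sudo by the same user. The administrator set (`ADMIN_USERS`), the privileged group names and the sample lines are assumptions made for this example.

```python
"""Log review for escalation-of-privilege indicators.

Added example; it is not part of the original study notes. It applies the
"Analysis and review of all log data" countermeasure to constructed
syslog-style lines (standard sudo and usermod message formats) and flags:
  - a sudo attempt that was denied,
  - a successful sudo by an account outside the approved administrator set,
  - a user being added to a privileged group.
The administrator set, the privileged group names and the log lines are
assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Assumed for this example: who is allowed to use sudo on these hosts, and
# which group memberships grant administrative rights.
ADMIN_USERS = {"alice"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "docker"}

# sudo logs one line per invocation: "sudo:  <user> : [reason ;] TTY=... ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s*:.*COMMAND=(?P<cmd>.+)$")
# shadow-utils logs group changes as: "usermod[<pid>]: add '<user>' to group '<group>'"
GROUP_ADD_RE = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")


@dataclass
class Finding:
    line_no: int
    indicator: str
    user: str
    detail: str


def review_log(lines, admin_users=ADMIN_USERS, privileged_groups=PRIVILEGED_GROUPS):
    """Return the privilege-escalation findings for the given log lines, in order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = SUDO_RE.search(line)
        if m:
            user, cmd = m["user"], m["cmd"].strip()
            # sudo writes the rejection reason before the TTY field
            if "command not allowed" in line or "incorrect password" in line:
                findings.append(Finding(line_no, "sudo_denied", user, cmd))
            elif user not in admin_users:
                findings.append(Finding(line_no, "sudo_by_non_admin", user, cmd))
            continue
        m = GROUP_ADD_RE.search(line)
        if m and m["group"] in privileged_groups:
            findings.append(Finding(line_no, "privileged_group_add", m["user"], m["group"]))
    return findings


def escalation_chains(findings):
    """Users added to a privileged group who then used sudo without being approved admins."""
    promoted = {}
    for f in findings:
        if f.indicator == "privileged_group_add":
            promoted.setdefault(f.user, f.line_no)
    return {f.user for f in findings
            if f.indicator == "sudo_by_non_admin"
            and f.user in promoted and f.line_no > promoted[f.user]}


# Constructed sample input for this example (not real log data).
SAMPLE_LOG = """\
Mar  1 10:00:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  1 10:02:13 web01 sshd[2201]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
Mar  1 10:02:40 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  1 10:03:05 web01 usermod[2250]: add 'bob' to group 'sudo'
Mar  1 10:03:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

if __name__ == "__main__":
    results = review_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"line {f.line_no}: {f.indicator} user={f.user} ({f.detail})")
    print("escalation chains:", escalation_chains(results))
```

On the sample, alice's sudo is accepted silently because she is in the approved set; bob's denied attempt, his addition to the `sudo` group and his subsequent successful root shell are each reported, and `escalation_chains` ties the last two together. The same pattern (an allow-list of expected administrators plus a watch on group-membership changes) carries over to cloud IAM audit logs, where the equivalent events are role assignments and policy attachments rather than `usermod` lines.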