Deployment and Service Model Risk in Cloud

Cloud Service Model

Software as a Service (SaaS): Application
· CRM
· Email

Platform as a Service (PaaS): CloudOS / Operating System
· Windows
· Linux

Infrastructure as a Service (IaaS)
· Connectivity
· Utilities
· Virtual Machine
· Hypervisor
· Servers
· Storage
· Networking
· Connectivity
· Data Center
Responsibilities, by service model, for Public Cloud

Layer                             IaaS       PaaS       SaaS
Governance, Risk and Compliance   Customer   Customer   Customer
Data Security                     Customer   Customer   Customer
Application Security              Customer   Customer   Shared
Platform Security                 Customer   Shared     CSP
Infrastructure Security           Shared     CSP        CSP
Physical Security                 CSP        CSP        CSP

Customer = Customer Responsibility; Shared = Shared Responsibility; CSP = Cloud Service Provider Responsibility
Risks a Private Cloud faces
· Personnel Threats
· Natural Disasters
· External Attacks
· Regulatory Noncompliance
· Malware

Risks a Public Cloud faces
· Personnel Threats
· Natural Disasters
· External Attacks
· Regulatory Noncompliance
· Malware
· Vendor Lock-in (Customer Risk)
    · Ensure favorable contract terms for portability
    · Avoid proprietary formats
    · No physical limitation to moving
    · Regulatory constraints
· Vendor Lock-out (Customer Risk)
    · Provider Longevity
    · Core Competency
    · Jurisdictional Suitability
    · Supply Chain Dependencies
    · Legislative Environment
· Multitenant Environment (Customer Risk)
    · Conflict of interest
    · Escalation of Privilege
    · Information Bleed
    · Legal Activity

Risks by service model

Infrastructure as a Service (IaaS)   Platform as a Service (PaaS)   Software as a Service (SaaS)
Personnel Threats                    Personnel Threats              Personnel Threats
External Threats                     External Threats               External Threats
Lack of Specific Skillsets           Lack of Specific Skillsets     Lack of Specific Skillsets
                                     Interoperability Issues        Interoperability Issues
                                     Virtualization                 Virtualization
                                     Resource Sharing               Resource Sharing
                                                                    Proprietary Formats
                                                                    Web Application Security

Virtualization risks
· Attacks on the Hypervisor
· Guest Escape
· Information Bleed
· Data Seizure
Threats and countermeasures (each threat is marked with the deployment model it applies to: Private Cloud, Public Cloud, or both)

Malware (Private and Public Cloud)
· Host-based Antimalware
· Network-based Antimalware

Internal Threats (Private and Public Cloud)
· Background checks
· Separation of duties
· Least privilege
· Monitoring
· Egress monitoring

External Attackers (Private and Public Cloud)
· Harden devices, hypervisors, and guest OS (VM)
· Strong Access Control

Man-in-the-Middle Attacks (Private and Public Cloud)
· Encrypt data in transit

Social Engineering (Private and Public Cloud)
· Regular training

Theft/Loss of Devices (Private and Public Cloud)
· Physical Access Control
· Encryption of stored material
· Inventory Control and monitoring
· Remote wipe or kill capability

Regulatory Violations (Private and Public Cloud)
· Knowledgeable, trained personnel
· DRM

Natural Disasters (Private and Public Cloud)
· Multiple redundancies
· ISP and utilities
· BCP/DR

Escalation of Privilege (Public Cloud)
· Access control and authentication
· Analysis and review of all log data

Contractual Failure (Public Cloud)
· Off-site backup or trusted third party vendor