Cloud confusion

 In ITC's Threat of the Week

In an effort to educate the people about just who is responsible for the security of Azure hosted stuff, Microsoft has refreshed and renewed its cloud security docco.

This paper is the latest in a long line of sometimes baffling missives on the subject from the boys and girls at Redmond, and to be fair it does shed some light on this confusing subject and is easier to understand than some previous best practice guides we have reviewed.

Using the National Institute of Standards and Technology (NIST) definitions of cloud delivered services (infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS)), the document summarises the division of responsibilities between you the punter, and them, The Grey Gods In The Sky:

Shared responsibilities in Cloud Security

The left-most column shows seven responsibilities that organisations should consider, all of which contribute to the security and privacy of a computing environment.

While none of this is new (the diagram above has been around for ages), it appears that Microsoft is very eager to get its point over, especially when it comes to responsibility for:

Client and endpoint protection: Pretty much always the customer’s responsibility, even if the device is a Microsoft device (sadly). Device diversity is explicitly referenced in this document, almost as if someone is trying to tell you to be careful about mobile devices connecting to your stuff!

Identity and access management: The real pain point for many cloud deployments, IAM is your responsibility for IaaS and shared for PaaS and SaaS. Our advice is to plan IAM very carefully when moving to cloud-based services because if you get it wrong, firstly you may be pwned and secondly it is a nightmare to retro-fix. Here be dragons.

Application level control, network control, host infrastructure and physical security are also covered in the document so it is well worth a read and is a great primer.

In our opinion, managing the security of your cloud-hosted services will always be your responsibility, no matter what the table above says, and you should care for it as you would your on-premise services.

ITC’s NetSure360° Managed Security Service can do its very impressive stuff for both on-premise and cloud deployments. In fact we are busily developing cloud use cases to provide protection for our customers on the day that it rains. We would very much like to talk to you about it.

For more information, please contact us at: enquiries@itcsecure.com or 020 7517 3900.

This week’s blog nearly didn’t make the deadline on account of the terrible new distraction technology that your kids are almost certainly all over like a rash: Periscope from Twitter. It enables anybody to stream anything, anytime, to anywhere. What could possibly go wrong? Resist the urge before it’s too late.

 

Author: Kevin Whelan
