Cloud confusion

In an effort to educate people about just who is responsible for the security of Azure-hosted stuff, Microsoft has refreshed and renewed its cloud security docco.

This paper is the latest in a long line of sometimes baffling missives on the subject from the boys and girls at Redmond, and to be fair it does shed some light on this confusing subject and is easier to understand than some previous best practice guides we have reviewed.

Using the National Institute of Standards and Technology (NIST) definitions of cloud delivered services (infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS)), the document summarises the division of responsibilities between you the punter, and them, The Grey Gods In The Sky:

[Figure: Shared responsibilities in Cloud Security]
The left-most column shows seven responsibilities that organisations should consider, all of which contribute to the security and privacy of a computing environment.

While none of this is new (the diagram above has been around for ages), it appears that Microsoft is very eager to get its point across, especially when it comes to responsibility for:

Client and endpoint protection: Pretty much always the customer’s responsibility, even if the device is a Microsoft device (sadly). Device diversity is explicitly referenced in this document, almost as if someone is trying to tell you to be careful about mobile devices connecting to your stuff!

Identity and access management: The real pain point for many cloud deployments, IAM is your responsibility for IaaS and shared for PaaS and SaaS. Our advice is to plan IAM very carefully when moving to cloud-based services because if you get it wrong, firstly you may be pwned and secondly it is a nightmare to retro-fix. Here be dragons.

Application-level control, network control, host infrastructure and physical security are also covered in the document, so it is well worth a read and is a great primer.

In our opinion, managing the security of your cloud-hosted services will always be your responsibility, no matter what the table above says, and you should care for it as you would your on-premise services.

ITC’s NetSure360° Managed Security Service can do its very impressive stuff for both on-premise and cloud deployments. In fact we are busily developing cloud use cases to provide protection for our customers on the day that it rains. We would very much like to talk to you about it.

For more information, please contact us at: [email protected] or 020 7517 3900.

This week’s blog nearly didn’t make the deadline on account of the terrible new distraction technology that your kids are almost certainly all over like a rash: Periscope from Twitter. Enabling anybody to stream anything, anytime to anywhere. What could possibly go wrong? Resist the urge before it’s too late.