Shared Responsibility

Question 1

Describe Shared Responsibility Model in Cloud Computing WRT Security

Answer 1

Security of the cloud is the CSPs responsibility

Security in the cloud is the CSCs responsibility

Question 2

Who’s responsibility is it to provide Physical Security in Cloud relative to service models?

Answer 2

IaaS, PaaS and SaaS - All CSP

Question 3

Who’s responsibility is it to provide Infrastructure Security in Cloud relative to service models?

Answer 3

IaaS - Shared Responsibility

PaaS and SaaS - CSP

Question 4

Who’s responsibility is it to provide Platform Security in Cloud relative to service models?

Answer 4

IaaS - Customer
PaaS - Shared
SaaS - CSP

Question 5

Who’s responsibility is it to provide Application Security in Cloud relative to service models?

Answer 5

IaaS - Customer
PaaS - Customer
SaaS - Shared

Question 6

Who’s responsibility is it to provide Data Security in Cloud relative to service models?

Answer 6

IaaS, PaaS and SaaS - All Customer

Question 7

Who’s responsibility is it to provide Governance, Risk and Compliance in Cloud relative to service models?

Answer 7

IaaS, PaaS and SaaS - All Customer

Question 8

Who’s responsible for Physical Networks in Cloud relative to service models?

Answer 8

IaaS, PaaS, SaaS - All CSP

Question 9

Who’s responsible for Servers and Storage in Cloud relative to service models?

Answer 9

IaaS, PaaS, SaaS - All CSP

Question 10

Who’s responsible for Hypervisor in Cloud relative to service models?

Answer 10

IaaS, PaaS, SaaS - All CSP

Question 11

Who’s responsibile for Virtual Networks in Cloud relative to service models?

Answer 11

IaaS - Customer

PaaS, SaaS - CSP

Question 12

Who’s responsibility is the Operating System in Cloud relative to service models?

Answer 12

IaaS - Customer

PaaS, SaaS - CSP

Question 13

Who’s responsibility is the Application in Cloud relative to service models?

Answer 13

IaaS, PaaS - Customer

SaaS - CSP

Question 14

Who’s responsible for Data in Cloud relative to service models?

Answer 14

IaaS, PaaS, SaaS - Customer

Question 15

Who’s responsible for what people do in Cloud relative to service models?

Answer 15

IaaS, PaaS, SaaS - Customer

Question 16

What are the Shared Responsibility items between the CSP and CSC?

Answer 16

1. Auditability
2. Availability
3. Compliance
4. Governance
5. Interoperability
6. Maintenance & Versioning
7. Performance
8. Portability
9. Privacy
10. Protection of PII
11. Regulatory
12. Resiliency
13. Reversibility
14. Security
15. Service-Levels

Question 17

What does Auditability mean in the context of Shared Responsibility in the cloud between CSP and CSC?

Answer 17

Giving senior management assurance and evidence that we are doing things the correct way or due dligence.

Question 18

What does Compliance mean in the context of Shared Responsibility in the cloud between CSP and CSC?

Answer 18

A business requirement to conform to relevant laws, internal governance and external regulations. ex. PCI-DSS, HIPAA, FISMA, SOX

Question 19

What does Governance mean in the context of Shared Responsibility in the cloud between CSP and CSC?

Answer 19

Relating to processes and decisions, the business is defining actions, assigning roles and responsibilities and verifying performance.

After migration to the cloud, there may be a need to revise procedures, processes, and activities.

Question 20

What does Interoperability mean in the context of Shared Responsibility in the cloud between CSP and CSC?

Answer 20

The requirement of all the cloud components to work together to achieve the intended goal. These components need to be replaceable by new/different components from different providers and continue to work. Just as the exchange of data between systems should as well.

Question 21

What does Maintenance and Versioning mean in the context of Shared Responsibility in the cloud between CSP and CSC?

Answer 21

Maintenance refers to maintaining, upgrading, or fixing cloud services

Versioning refers to the CSP provides proper labeling of a service to the cloud service customer, so the customer knows what particular version is being used.

Question 22

What does Resiliency mean in the context of Shared Responsibility in the cloud between CSP and CSC?

Answer 22

The cloud data center and its components’ ability to continue to operate in the event of a disruption e.g. equipment failure, power outage, natural disaster

Question 23

What does Security mean in the context of Shared Responsibility in the cloud between CSP and CSC?

Answer 23

Security is the biggest concern for using the cloud and must be shared responsibility

Question 24

Cloud Service Agreement (CSA)

Answer 24

Describes the relationship between the provider and the customer that the customer must agree to

Should include explicit definitions of the roles and responsibilities and execution of processes

Provided by the CSP to the cloud customer

Question 25

Before signing an Cloud Service Agreement (CSA) what should the customer do?

Answer 25

1. Understand R&R 2. Evaluate business level policies 3. Understand service and deployment model differences 4. Identify critical performance objectives 5. Evaluate security and privacy requirements 6. Identify service management requirements 7. Prepare for service failure management 8. Understand disaster recovery plan 9. Develop an effective governance process 10. Understand the exit process

Question 26

Acceptable Use Policy (AUP)

Answer 26

A policy from the CSP to the customer that prohibits activities that the provider has determined is either improper or illegal use of their services Provided by the CSP to the CSC

Question 27

Service Level Requirements (SLR)

Answer 27

Requirements for a service or KPIs from the customers point of view, provided to prospective service providers to define what services and terms are required by the customer Customer must monitor SLA for compliance with KPIs/requirements Document which contains the service catalogue which defines the applicable services, the service level objectives (SLO's) associated with those available services which quantify the metrics by those services are provided and consumed

Question 28

Service Level Report

Answer 28

Insight into a service providers ability to deliver the agreed upon service quality. Used before engagement with the provider. Typically archived through audit reports.

Question 29

Service Level Agreements (SLA)

Answer 29

Documented agreement between service provider and customer to guarantee service or performance level. It identifies services required and the expected level of service. It measures the performance of service from the customer's point of view. Must have penalties and underpinning contracts. Must be auditable. Must capture compliance requirements, best practices and general operational activities

Question 30

What should SLA's include?

Answer 30

1. Minimum level fo services 2. Availability 3. Security 4. Serviceability 5. Performance 6. Communication 7. Support 8. Data location 9. Disaster Recovery Processes 10. Exit Strategy 11. Affirm data ownership 12. Specify data return and destruction (Reversibility) 13. Remedies for any failure to meet the agreement (Penalties) 14. More...

Question 31

What is the customer's due diligence WRT to SLA? Why?

Answer 31

Read it carefully, SLAs are often written in favor of CSP not the customer

Question 32

List Types of Cloud Service Agreement

Answer 32

Customer Agreements Acceptable Use Policies Service Level Agreements

Question 33

Customer Agreement Components

Answer 33

``` Master Agreement Term of Service Service Management CSP Processes & Procedures Roles & Responsibilities (CSP v CSC) Process Execution ```

Question 34

Customer Due Diligence Items WRT Customer Service Agreements

Answer 34

1. Understand R&R 2. Evaluate business level policies 3. Understand service and deployment model differences 4. Identify critical performance objectives 5. Prepare for service failure management 6. Understand the DR plan 7. Develop an effective governance process 8. Understand the exit process

Question 35

Operational Level Agreement

Answer 35

OLA's are forged between departments within the same organization and do not have penalties