Larry G. Wlosinski, CISA, CISM, CRISC, CAP, CDP, CISSP, ITIL
How will an organization’s information security staff be affected if the organization’s computer systems are moved to a cloud environment? What about the change in responsibilities within the organization and the expectations of the cloud service provider (CSP)?
While the three common cloud delivery models [1]—Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)—are pretty well known and described in literature, the latest service being defined by the Cloud Security Alliance (CSA) is Security as a Service (SecaaS). [2] SecaaS “provides third-party facilitated security assurance, incident management, compliance attestation, and identity and access oversight. SecaaS is the delegation of detection, remediation, and governance of security infrastructure to a trusted third party with the proper tools and expertise.” [3] SecaaS covers 10 security domains, each consisting of products and/or services available from many vendors, that an organization can use to manage security concerns with its cloud provider.
For PaaS, the organization and the provider share the responsibility for the application and the virtual management environment; the CSP provides and manages the control of the server, data storage and network services. For IaaS, the organization is responsible for the application and the responsibility of the virtual management environment is shared with the provider. For SecaaS, the vendor or designated contractors provide the products and/or services that support the cloud environment.
The cloud environment participants fall into the following categories:
The breakdown of responsibilities can fluctuate considerably with the size of the organization (from small to large). The following is a baseline breakdown of responsibilities that may be implemented, to some degree, in organizations that have utilized one or more of the cloud delivery models.
The end user (or requesting enterprise) is responsible for:
The IT security responsibilities of the CSP include:
IT security controls managed by the end user or CSP (depending on the service model) include:
Shared responsibilities of the end user and CSP include:
The architect of the end user is responsible for:
From a cloud model perspective, there are two types of application developers, meaning the writer and tester of the program code. For a SaaS application, the developer is the vendor that offers the system/application. For PaaS and IaaS systems/applications, the developer is the user organization. For both types of developers, the following responsibilities apply:
The end user’s business manager is responsible for:
The end user’s IT manager is responsible for:
The third-party auditor is responsible for:
The service broker is responsible for:
The SecaaS vendor can be responsible for one or more of the 10 IT security domains according to the interconnection agreement. The 10 IT security domains for SecaaS as defined by the CSA are:
Figure 1 presents the security posture (i.e., protective, preventive, detective, reactive) for each SecaaS domain.
Figure 2 is a mapping of the SecaaS domains to the cloud delivery models.
More detailed information on the CSA SecaaS domains can be found on the CSA web site, [6] where one can also find sample vendors, by domain, that can provide support in the way of software, hardware and/or staff to satisfy an organization’s needs. To effectively utilize these services, the organization needs to implement contractual relationships, adjust its security architecture and reevaluate staff assignments to determine who is tasked with performing the job functions and security responsibilities described here.
Enterprises working in the cloud, or planning a transition of their computer systems to the cloud, should consider the job function responsibilities of their technical staff and evaluate their skills and weaknesses. In some cases, it may be beneficial to change job descriptions, and in some cases, it may be necessary to provide staff the training they need to function effectively. Remember that the enterprise’s administrators and programmers had to be trained to build the new environment because of the changes in software, systems and appliances; the operational staff can likewise benefit from learning the new skills associated with moving to the cloud environment.
[1] Jansen, Wayne; Timothy Grance; Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Publication 800-144, National Institute of Standards and Technology, December 2011, http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
[2] Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Cloud Computing Version 3.0, 14 November 2011, https://cloudsecurityalliance.org/research/security-guidance/
[3] Ibid.
[4] An example of an independent assessor is the Federal Risk Authorization Management Program (FedRAMP), a US federal government organization that supports federal agency efforts in certification and accreditation of cloud systems hosted at vendor locations.
[5] Sample responsibility designations can be obtained from the FedRAMP (www.gsa.gov/portal/category/102371) and the CSA (https://cloudsecurityalliance.org) web sites.
[6] https://cloudsecurityalliance.org/research/secaas/#_downloads
Larry G. Wlosinski, CISA, CISM, CRISC, CAP, CDP, CISSP, ITIL, is a professional IT security consultant at Earth Resources Technology Inc. and has more than 37 years of experience in IT security. Wlosinski’s security experience includes policy and procedure writing, planning, information assurance, continuous monitoring, security and risk assessments, incident response, network and data security, contingency planning, and security awareness and training. He is also a past president of the Niagara Frontier Chapter of the Data Processing Management Association (DPMA). Wlosinski has spoken on cloud security at federal and professional conferences and has conducted many classes on various IT security topics.
© 2013 ISACA. All rights reserved.