As businesses continue to move into the cloud, choosing a cloud vendor and signing an agreement with that vendor is an important decision, and the agreement should clearly define who is responsible for what. Most cloud environments share security responsibilities along a continuum. In a SaaS environment, the SaaS provider assumes most of the responsibility. In an Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) environment, the vendor's responsibility is smaller and the customer's is larger.
In an IaaS cloud environment (for the sake of simplicity, this article treats IaaS and PaaS together), the vendor provides the core infrastructure: basic network, processing and storage services. The customer is responsible for granular network management, server management and data storage management. Most of the major cloud security considerations are in the customer's hands. Customer responsibilities include:
· Control network access (open and close ports and protocols)
· Authorize or deny server and service layer access (the customer is responsible for server and service configuration)
· Design, implement, maintain, and inspect in-application access control
· Implement failover and other redundancy solutions
· Continuously monitor access, security and availability
In securing an IaaS environment, the customer's responsibility is to ensure, through the primary controls of design, configuration and operation, that the vendor cannot access servers or data, whether that is enforced by technical or by policy controls. It is better for vendors to implement technical controls than to rely on policy. If you are an IaaS customer whose vendor has limited technical controls and relies heavily on policies and procedures, it is important to understand the vendor's monitoring methods. Be sure that the vendor can and will monitor unauthenticated attempts to access your resources. Remember: the goal is to limit your vendor's access to your data and services, bearing in mind that the vendor can affect your service availability.
With recent developments in data encryption, it is already practical to limit vendor access to sensitive information: without the encryption keys, the data is unreadable. The key consideration in this case is controlling where the encryption keys are held. A large number of IaaS vendors will agree to a "no-access" scenario, and if your vendor presses for access to the keys, you should seriously rethink the relationship. When enforcing data encryption, keep in mind that relying on database encryption increases the risk: if an application can successfully query the data on the database server, the encryption is defeated. For this reason, it is best to invest in encryption and decryption at the application layer.
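The application-layer approach described above, as an added example that is not part of the original article: a Node.js program that encrypts a field with AES-256-GCM before it reaches the database, so a query on the vendor side returns only ciphertext. The names `customerKey`, `vendorDb`, `saveField`, `loadField` and `vendorQuery`, the in-memory map standing in for the hosted database, and the sample record are all assumptions made for illustration.

```javascript
// Added example: application-layer encryption with a customer-held key.
const nodeCrypto = require("crypto");

// Assumption: in production this key lives in a customer-controlled key store
// outside the vendor's reach; it is generated here only so the demo runs.
const customerKey = nodeCrypto.randomBytes(32);

// Constructed stand-in for the database running on the vendor's infrastructure.
const vendorDb = new Map();

// Encrypt one field with AES-256-GCM. The record id is bound as associated
// data, so a ciphertext copied onto another row fails authentication.
function encryptField(key, recordId, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(recordId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt and authenticate; throws if the key, record id or data is wrong.
function decryptField(key, recordId, stored) {
  const raw = Buffer.from(stored, "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(recordId, "utf8"));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString("utf8");
}

// Write path: only ciphertext ever leaves the application tier.
function saveField(recordId, value) {
  vendorDb.set(recordId, encryptField(customerKey, recordId, value));
}

// Read path: decryption happens in the application, never in the database.
function loadField(recordId) {
  return decryptField(customerKey, recordId, vendorDb.get(recordId));
}

// What anyone with query access to the database server gets back.
function vendorQuery(recordId) {
  return vendorDb.get(recordId);
}

saveField("cust-1001", "4111 1111 1111 1111"); // constructed sample value
console.log("vendor sees:", vendorQuery("cust-1001"));
console.log("application sees:", loadField("cust-1001"));
```

Because decryption needs `customerKey`, query access to the database alone yields nothing readable, which is the property database-level encryption loses once the server decrypts on behalf of any successful query.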
When signing a contract with an IaaS vendor, your responsibilities include:
· Choose vendors with strong technical controls that prevent access to data and disruption of services
· Strengthen the contractual relationship where appropriate, reinforcing the controls you need most and minimizing the vendor's share of control
· Develop and implement technical controls that reinforce the contractual relationship and monitor for potential service interruptions and unauthorized access attempts
· Design and implement evaluation procedures to validate vendor operations at contract and technology boundaries
In short, your goal in an IaaS environment is to limit the risks posed by vendor security incidents, increase the likelihood that your assessments will find inadequate technical and strategic controls, and minimize the likelihood of a security incident being discovered at the time of the incident.
(Editor: Shi Bo-peng)