Cloud security – shared responsibility model
To protect cloud-based solutions, the tenant (customer) and the CSPs usually share the security responsibilities. The three common models of cloud service offerings are listed as follows:
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Software-as-a-Service (SaaS)
The split in responsibilities varies according to the cloud service level agreement between the customer and cloud provider, as specified in the ISO/IEC 17789 standard. Since the customer is in control of the edge functionalities, a separation of duties is key to ensure the implementation of the right security controls. To avoid any ambiguity, the ISO/IEC 27017 standard recommends a cloud service agreement between the customer and the provider to clearly enumerate these shared roles and responsibilities.
In the case of the IaaS cloud service model, the customer is typically responsible for the security of data, application software stack, systems, networks, and also security...