Cloud service providers operate under a model known as “shared responsibility,” where customers of the service provider have varying levels of responsibility and control of security configurations, depending on the cloud service they use and the amount of control that the cloud service provider has abstracted away from their customers.
Users that rely on cloud service providers may have questions that resemble the following:
- What is my total cloud footprint?
- How can I understand and manage the risks inherent in the parts of the Cloud that are within my control?
- How do I ensure my and my vendors’ cloud service providers are holding up their end of the bargain?
- How can I efficiently quantify and report on these risks along with my vendors in a standard manner?
Since organizations use a vast array of different cloud services today, this can often be a challenging topic. Among many others, Amazon Web Services and Microsoft both offer useful guidance on this topic.
The amount of control that rests with the customer organization for a given type of cloud service determines its security posture; at one end of the model is infrastructure under full corporate control, where no responsibility is shared between the cloud service provider and the customer.
Service Provider Segmentations
We have the technical capability to curate a security rating for each box in this model. When data becomes available, we provide these segmentations. See Service Provider Models.
By using the Bitsight platform for monitoring cloud services, you can start to communicate the impact of shared responsibility more clearly to your stakeholders:
- Cloud services in the basic rating category may reflect the additional responsibility of the customer for managing the security configurations of that service. Therefore, strict attention should be paid to their usage within your organization. This is typical of Infrastructure-as-a-Service (IaaS) cloud services.
- Cloud services in the intermediate or advanced rating category may indicate that the service provider has consolidated certain security features within their control. If done properly, there’s a smaller surface across which a customer can make mistakes or unnecessarily expose themselves to risk. This is typical with Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) cloud services.
Refer to the Adding Cloud Services to Your Portfolio instructions to get started.
Content Delivery Network
If a company is hosting a website on a Content Delivery Network (CDN), the CDN’s IP address is typically not included in the company’s IP address map. The domain that’s hosted there is included in the rating. In many CDN situations, the actual hardware may be used by more than just that one company. Therefore, it wouldn’t be fair to attribute findings that are coming from that IP address to the company.
You or your vendor should consider monitoring the CDN through our platform to be confident that the CDN is managing the infrastructure cleanly.