Shared Responsibility Model

云服务提供商的责任共享模型

让我们看一下一些顶级csp是如何为其环境定义srm的. After all, this information will be key in finding the best-fitting provider for your organization's unique needs. 

AWS Shared Responsibility Model

This model states that AWS is responsible for the security of the cloud while customers are responsible for security in the cloud. While AWS works to keep its infrastructure safe, customers are in charge of IT controls such as encryption and 身份和访问管理(IAM), patching guest operating systems, configuring databases, and employee cybersecurity training.

微软Azure共享责任模型

该模型表明，在本地数据中心中，客户拥有整个堆栈. 随着客户迁移到云，一些责任转移到微软. 这些职责将根据栈部署的类型而有所不同.

对于所有的云部署类型，客户拥有自己的数据和身份. 他们有责任保护这些数据和身份的安全, on-premises resources, 以及它们控制的云组件. 无论部署类型如何, 客户将始终保留以下数据, endpoint, account, 以及访问管理职责.

谷歌云平台(GCP)责任共享模型

This model states that an in-depth understanding is required for each service a customer uses, along with the configuration options each service provides and what Google Cloud does to secure the service. 每个服务都有不同的配置文件, 而且很难确定最佳的安全配置.

The customer is the expert in knowing the security and regulatory requirements for their business and knowing the requirements for protecting confidential data and resources. GCP 还引入了“共命运”的概念,” which enables a customer to essentially purchase the right to pass a responsibility on to GCP.

云交付模型的责任共享模型

现在，让我们看看SRM是如何基于 type of cloud model on which a business is running. Under each heading below are listed the components a CSP is responsible for and those for which a customer is responsible. 

要记住的是，当我们从上到下移动每个区域时, CSP管理着越来越多的组件. Therefore, 客户获得了越来越多的便利和安心, but with less ability to customize. 

Infrastructure as a Service (IaaS)

CSP is responsible for: 

• Virtualization
• Firmware
• Hardware

Customer is responsible for: 

• User access
• Data
• Functions
• Runtime/Applications
• Containers
• Operating System

Platform as a Service (PaaS)

CSP is responsible for: 

• Containers
• Operating System
• Virtualization
• Firmware
• Hardware
• Runtime/Applications (partial)

Customer is responsible for: 

• User access
• Data
• Functions
• Runtime/Applications (partial)

Function as a Service (FaaS)

CSP is responsible for: 

• Containers
• Operating System
• Virtualization
• Firmware
• Hardware
• Runtime/Applications

Customer is responsible for: 

• User access
• Data
• Functions

在完全定制的本地基础设施中，用户可以, of course, 负责上面列出的所有方面. 

实践中的责任分担模式

对SRM通常包含的内容进行更技术性的总结, many experts would say that the customer is responsible for anything they can change/add/remove/reconfigure in their cloud environment. 如果他们没有能力修改某些东西, odds are the oversight responsibility for that aspect of cloud operations falls to the CSP.

然而，如上所述，可能存在重叠的领域. 这些灰色地带也被称为共享控制区, and need to be intricately known by both CSPs and their customers for operations to run as smoothly as possible. 例如，就AWS而言，共享控制区域将包括以下方面 patch management, configuration management for infrastructure as code (IaC), and security awareness training. Why are these areas shared?

Specifically, AWS将负责修补和修复其基础设施中的缺陷, while customers are responsible for patching their guest operating system and applications. Similarly, AWS维护其基础设施的配置, 但是客户要负责配置自己的操作系统, databases, and applications.

Lastly, it is incumbent upon both AWS and its cloud customers to provide security awareness training to their respective employee organizations. These shared control areas only help to strengthen the abilities of both CSPs and their customers to secure the areas for which they are solely responsible.

共同责任模式的好处是什么?

SRM的好处是按照下面的好处来定义的 migrating to the cloud can yield. As a customer, you're engaging with a partner – just make sure it’s one you can trust.

• Scalability:在CSP生态系统的平台内, a customer can expand security capabilities as much or a little as is needed at a given time. Major cloud providers like those we talked about above will have the innate ability to expand as your business’ operational needs demand. CSP的安全体系结构将始终按照SRM进行定义. Therefore, customers can feel confident in expanding their own data security protocols as needed.
• Collaboration: As described in detail above, SRM鼓励在安全方面明确责任. 因此，客户业务的利益来自于该部门. There is less of a security burden in the cloud operations SRM than would exist when a customer builds on-prem operational capabilities from the ground up.
• Architectural strength: Working with a trusted and well-reputed CSP can provide great peace of mind to a customer worried about data security on a provider’s cloud. Fully taking advantage of a CSP’s security data analytics technologies and strong architecture is a fantastic benefit of the SRM.

共同责任模式最佳实践

最佳实践显然取决于您的组织的独特需求. 因此，让我们看一下可靠SRM的一些更通用的最佳实践. 

• 是否有适当的服务水平协议(SLA): An SLA will help you thoroughly understand the nature of the CSP's security operations and expectations of themselves and their clients. SLA还将为CSP阐明他们对您的组织的期望.
• 将职责委派给CSP: If you’ve done your homework in shopping for a cloud provider, hopefully you can trust them. It’s still ideal for your organization to not get stuck with a security responsibility that should clearly lie under the CSP’s purview.
• Ensure compliance当涉及到……的时候，灰色地带是不好的 maintaining compliance with federal or territory-mandated regulations or your organization’s own compliance goals. Therefore, 仅仅通过确保SRM中责任的明确性, you and a potential CSP will be able to maintain good hygiene when it comes to internal and external compliance policies.

Read More

云安全:最新的Rapid7博客文章

电子书:使用AWS上的Rapid7加强您的容器化应用程序