Topic Overview
The shared responsibility model (SRM) is an understanding between the cloud service provider (CSP) and an end-user of its services. This agreement says that a CSP will be responsible for securing the platform infrastructure of its cloud operations while an end-user is responsible for securing the workloads running on the cloud platform.
Indeed, Gartner underscores csp的客户需要彻底理解协议, stating that CSPs cannot offer complete security and security leaders must understand the scope of their responsibilities for security in the cloud. This is especially true for an organization in the process of migrating all or a portion of their workloads to the cloud.
Therefore, it would be most ideal for the architects building a cloud to take into account the specific security implications of the environment in which they want to operate. This will help all stakeholders to get a more complete picture of the risks and responsibilities the business is taking on in migrating to the cloud. A lack of understanding in the concept of SRM as it relates to a specific organization and their CSP could result in the misconception that the CSP is responsible for security of a certain area – which could then lead to misconfigurations and/or improperly secured cloud assets.
Understanding your role in the SRM can help you both uphold your responsibilities with regard to your CSP as well as implement and enforce cloud security 最佳实践,如定期漏洞扫描.
让我们看一下一些顶级csp是如何为其环境定义srm的. After all, this information will be key in finding the best-fitting provider for your organization's unique needs.
This model states that AWS is responsible for the security of the cloud while customers are responsible for security in the cloud. While AWS works to keep its infrastructure safe, customers are in charge of IT controls such as encryption and 身份和访问管理(IAM), patching guest operating systems, configuring databases, and employee cybersecurity training.
该模型表明,在本地数据中心中,客户拥有整个堆栈. 随着客户迁移到云,一些责任转移到微软. 这些职责将根据栈部署的类型而有所不同.
对于所有的云部署类型,客户拥有自己的数据和身份. 他们有责任保护这些数据和身份的安全, on-premises resources, 以及它们控制的云组件. 无论部署类型如何, 客户将始终保留以下数据, endpoint, account, 以及访问管理职责.
This model states that an in-depth understanding is required for each service a customer uses, along with the configuration options each service provides and what Google Cloud does to secure the service. 每个服务都有不同的配置文件, 而且很难确定最佳的安全配置.
The customer is the expert in knowing the security and regulatory requirements for their business and knowing the requirements for protecting confidential data and resources. GCP 还引入了“共命运”的概念,” which enables a customer to essentially purchase the right to pass a responsibility on to GCP.
现在,让我们看看SRM是如何基于 type of cloud model on which a business is running. Under each heading below are listed the components a CSP is responsible for and those for which a customer is responsible.
要记住的是,当我们从上到下移动每个区域时, CSP管理着越来越多的组件. Therefore, 客户获得了越来越多的便利和安心, but with less ability to customize.
CSP is responsible for:
Customer is responsible for:
CSP is responsible for:
Customer is responsible for:
CSP is responsible for:
Customer is responsible for:
在完全定制的本地基础设施中,用户可以, of course, 负责上面列出的所有方面.
对SRM通常包含的内容进行更技术性的总结, many experts would say that the customer is responsible for anything they can change/add/remove/reconfigure in their cloud environment. 如果他们没有能力修改某些东西, odds are the oversight responsibility for that aspect of cloud operations falls to the CSP.
然而,如上所述,可能存在重叠的领域. 这些灰色地带也被称为共享控制区, and need to be intricately known by both CSPs and their customers for operations to run as smoothly as possible. 例如,就AWS而言,共享控制区域将包括以下方面 patch management, configuration management for infrastructure as code (IaC), and security awareness training. Why are these areas shared?
Specifically, AWS将负责修补和修复其基础设施中的缺陷, while customers are responsible for patching their guest operating system and applications. Similarly, AWS维护其基础设施的配置, 但是客户要负责配置自己的操作系统, databases, and applications.
Lastly, it is incumbent upon both AWS and its cloud customers to provide security awareness training to their respective employee organizations. These shared control areas only help to strengthen the abilities of both CSPs and their customers to secure the areas for which they are solely responsible.
SRM的好处是按照下面的好处来定义的 migrating to the cloud can yield. As a customer, you're engaging with a partner – just make sure it’s one you can trust.
最佳实践显然取决于您的组织的独特需求. 因此,让我们看一下可靠SRM的一些更通用的最佳实践.