ITIL 4 Acquiring Managing Cloud Services Certification Course: Agree - Shared Responsibilities

All cloud stakeholders must understand:

  • CSP responsibilities
  • Consumer organization responsibilities

Differentiate CSP partner responsibilities

Responsibilities vary depending on:

  • Hosting
  • Services consumed
  • Partner and broker use
  • Terms and conditions
  • Compliance

Consumer:

  • Ensures security
  • Understands CSP security responsibilities
  • Reviews audit results

CSPs don't review security for individual consumers

Consumer defines:

  • Secure cloud usage
  • Security tool usage

Check differences between CSPs' shared responsibilities

Responsibilities if service in-house?

All responsibilities assigned?

Factors affecting responsibilities:

  • Service relationship
  • Service type
  • Integration
  • Laws and regulations

Cloud consumer and CSP never share responsibility: each controls its own area of ownership for security

Consumer audits access and configures security

Consumer organization security responsibility: when it moves application, data, containers, workloads to the cloud

CSP security responsibility for other activities like physical infrastructure

Define security responsibilities

Work with CSP

Meet security needs

Reduce costs

Dedicated security approach for each:

  • Environment
  • Application
  • Service

Weakest link defines security

CSP provides standard, proven security

Consumer security developed when needed

Consumer security must work within CSP framework

1. Shared responsibility model

Model defines:

  • CSP responsibilities
  • Consumer responsibilities

Model outlines responsibility for:

  • Security
  • Compliance
  • Maintenance
  • Support

Responsibilities vary:

  • Hosting
  • Cloud solution
  • Deployment model

Define responsibilities to reduce risk

CSP never has full responsibility

Understand responsibilities before CSA

Key factors:

  • Service relationship
  • Service package
  • Tailoring
  • Integration
  • Regulation

In-house: service provider responsible for all security

Cloud environment: security responsibility shared

Security ownership clearly defined

Secure environment with less operational overhead

Security gaps affect all systems

CSP security standardized

Consumer security less comprehensive

Include security in CSP agreement

1.1 Provider and consumer responsibilities

Cloud vendor controls:

  • Physical infrastructure security
  • Surveillance and security (CSP systems)
  • Network security
  • Resource management
  • Access control
  • Monitoring and security
  • Emergency response
  • Business continuity planning
  • Virtualization and segmentation

Consumer responsibilities:

  • Identity and access controls
  • Data security and security management
  • Business processes using cloud

Single security aspects never shared

Consumer and CSP have total control over their responsibilities

Consumer right to audit verification

Ensure non-CSP responsibilities are managed
