Cyber Security: Whose responsibility is it?

Security and compliance are a shared responsibility between AWS and the customer. This shared model can ease the operational burden on the customer, as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. The customer assumes responsibility for, and management of, the guest operating system (including updates and security patches), any other associated application software, and the configuration of the security group firewall provided by AWS.

Customers should think carefully about the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and the applicable laws and regulations. The nature of this shared responsibility also gives the customer the flexibility and control needed to complete its deployment. As shown below, this division of responsibilities is commonly referred to as security "of" the cloud (AWS) and security "in" the cloud (the customer).

AWS Responsibility

AWS is responsible for securing the infrastructure that runs all services provided in the AWS Cloud. This infrastructure is made up of the hardware, software, networks, and facilities that run AWS cloud services.

Customer Responsibility

The customer's responsibility is determined by the AWS cloud services that the customer selects. This determines the amount of configuration work the customer must perform as part of its security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is classified as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all necessary security configuration and management tasks.

Customers who deploy an Amazon EC2 instance are responsible for managing the guest operating system (including security patches and updates), any utilities or application software that the customer has installed on the instances, and configuring the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and the platform, while customers access endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.
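The paragraph above places the security group configuration squarely on the customer's side of the model. The following is an added example (not code from AWS or from the original post) showing one way a customer can verify that responsibility: it audits security-group ingress rules for world-open access. The two security groups are constructed inline in the shape of `aws ec2 describe-security-groups` output, the group IDs are placeholders, and the set of ports deliberately allowed from the internet (`PUBLIC_OK_PORTS`) is an assumption that each customer would replace with its own policy.

```python
"""Audit EC2 security-group ingress rules for world-open access.

Added example. The security-group documents below are constructed to mimic
the shape of `aws ec2 describe-security-groups` output; the group IDs are
placeholders and do not refer to any real account.
"""
import ipaddress
import json

# Ports a customer might deliberately expose on a public web tier.
# Assumption for this example; adjust to your own policy.
PUBLIC_OK_PORTS = {80, 443}

# Constructed sample: one well-scoped group and one over-permissive group.
SAMPLE_SECURITY_GROUPS = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0000000000000001",
      "GroupName": "web-tier",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-0000000000000002",
      "GroupName": "legacy-admin",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
      ]
    }
  ]
}
""")


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def rule_ports(perm: dict):
    """Return (from_port, to_port) for a rule; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit_security_groups(doc: dict, ok_ports=PUBLIC_OK_PORTS) -> list:
    """Return findings for ingress rules reachable from any source address.

    A finding is (GroupId, protocol, from_port, to_port, cidr). Rules that
    expose only ports listed in ok_ports are treated as intentional.
    """
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_world_open(cidr):
                    continue
                lo, hi = rule_ports(perm)
                exposed = set(range(lo, hi + 1))
                if exposed <= ok_ports:
                    continue
                findings.append((sg["GroupId"], perm["IpProtocol"], lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for group_id, proto, lo, hi, cidr in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {proto} ports {lo}-{hi} open to {cidr}")
```

On the constructed sample the audit passes the web tier (HTTPS from anywhere is on the allow-list; SSH is limited to a private range) and flags both rules of the second group: SSH from any IPv4 address and all protocols from any IPv6 address. Running the same function over real `describe-security-groups` output is one concrete way of exercising the customer's half of the model.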

This model of shared responsibility between customers and AWS also extends to IT controls. Just as AWS and its customers share responsibility for operating the IT environment, they also share responsibility for managing, operating, and verifying IT controls. AWS can ease the burden on customers by operating the controls associated with the physical infrastructure in the AWS environment that the customer previously had to manage itself. Because each customer's deployment on AWS is different, customers have the opportunity to shift the management of certain IT controls to AWS, resulting in a (new) distributed control environment. Customers can use the available AWS compliance and control documentation to carry out their own control verification and assessment procedures as needed. Below are examples of controls that are managed by AWS, by AWS customers, or by both.

Inherited controls

Controls that a customer inherits entirely from AWS. Examples include:

Physical and environmental controls

Shared Controls

Controls that apply to both the infrastructure layer and the customer layers, but in entirely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure, and the customer must provide its own implementation of the control for its use of AWS services. Examples include:

Patch Management

AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest operating systems and applications.

Configuration Management

AWS maintains the configuration of its infrastructure devices, but the customer is responsible for configuring its applications, databases, and guest operating systems.

Awareness and training

AWS trains AWS employees, but the customer must train its own employees.

Customer-specific controls

Controls that are solely the responsibility of the customer, based on the application it deploys within AWS services. Examples include:

Service and communications protection or zone security, which may require the customer to route or zone data within specific security environments.

Source: https://aws.amazon.com/es/compliance/shared-responsibility-model/

At Itera we can help you.
Contact a specialist: seguridad@iteraprocess.com

Ready to take full control of your cloud investment?

Success stories