Problem

Cloud services differ

Cloud computing services differ a lot with respect to their IT security and compliance risk profiles. Two examples are shown in Figure 2.

The cloud’s Deployment Model influences the risk profile; refer to the left-hand side of Figure 2. Users (Cloud Service Consumers, CSC) are often concerned about putting some of their applications and data into a Public Cloud. If a cloud computing service is offered to everyone, it must be publicly accessible. Private environments can use other means to restrict access and, in this respect, entail lower risks than public ones. Moreover, confining who can be a user may reduce risks: sharing the environment with trusted neighbors entails lower risks than sharing it with a great number of unknown and potentially untrusted parties. How access to and use of the cloud computing service is organized, where data is processed and stored, etc. are important factors that influence the risk profile, compliance issues and possibly also the level of IT security.

Figure 2: Cloud computing services differ a lot

Gartner predicted in 2015 that, over the following five years, about 95% of security failures would be caused by the party setting up and configuring the cloud service and not by the Cloud Service Provider (CSP) providing the cloud computing core services and additional optional components. So which party performs which activity, and whether it does so with the necessary knowledge and skill, may affect IT security and risk. This example demonstrates that the division of labor does influence the level of security of the cloud service. In a wider sense, the distribution of responsibility and work is determined by the Service Model; refer to the right-hand side of Figure 2. That is why the cloud’s Service Model must be spelled out in detail. Otherwise, there is the danger of gaps in the overall course of activities, where no party feels responsible for, or is appropriately prepared for or capable of, ensuring security.

Figure 3 shows an example that provides more insight into the division of labor between the Cloud Service Provider (CSP) and the user organization (Cloud Service Consumer, CSC). A full-outsourcing deal is considered first (lower part of Figure 3):

(1) The IT service provider takes responsibility for provisioning most IT components and provides the core IT service (refer to No. 1 in Figure 3).

(2) The provider also integrates and configures all the IT components (No. 2).

(3) Operating the IT and thereby providing the actual IT services is obviously also done by the IT service provider (No. 3 in the figure).

(4) The IT components are also managed by the IT service provider. That is, the IT service provider maintains the IT service and ensures that the agreed level of security is maintained (No. 4).

(5) The user organization defines the requirements including those related to IT security and compliance, integrates the IT services into its own business environment and utilizes the IT service (No. 5 in Figure 3).

In all the areas 1 through 4, the IT service provider takes care of the most essential security aspects.

Figure 3: Cloud Service Providers often leave critical tasks to users

Especially in the case of modern public cloud offerings with customer self-service, the division of labor is different; refer to the upper part of Figure 3. The differences between the above case and the public cloud offering lie in activities No. 2 and 3 in the figure:

(2) Many activities relating to the final integration and configuration of the cloud computing service are not performed by the IT service provider (Cloud Service Provider, CSP). They are left to the user organization, or the user organization involves another, second IT service provider to perform these tasks on its behalf.

(4) The same is true for several IT service management activities during operations. For instance, monitoring and incident management are not provided by the cloud service provider. In many cases, the user organization must also take care of backup and recovery itself.
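The two customer-side activities just listed (final configuration, and operational tasks such as monitoring, incident management and backup) are exactly where the Gartner figure cited above says most failures originate. The following is an added example, not code from the article: a small customer-side audit that checks a resource description for the gaps a self-service public cloud leaves to the user organization. The JSON format, field names (`storage_policy`, `logging`, `monitoring`, `backup`) and both sample documents are constructed for illustration and modelled loosely on generic cloud resource policies, not on any particular provider's schema.

```python
"""Customer-side configuration audit for a self-service public cloud deployment.

Added, illustrative example; the document format below is a constructed,
simplified JSON, not a specific provider's schema.
"""
import json
from dataclasses import dataclass

# Constructed sample: a configuration the user organization (CSC) is
# responsible for. Storage is world-readable and no operational services
# (logging, alerting, backup) have been set up.
WEAK_CONFIG = json.dumps({
    "storage_policy": {
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": ["storage:GetObject"], "Resource": "bucket/customer-data/*"}
        ]
    },
    "logging": {"enabled": False},
    "monitoring": {"alerts": []},
    "backup": {"schedule": None, "retention_days": 0},
})

# Constructed sample: the same resource after the CSC has picked up its share
# of the work (access limited to one role, logging, alerting and backups on).
HARDENED_CONFIG = json.dumps({
    "storage_policy": {
        "Statement": [
            {"Effect": "Allow", "Principal": {"Role": "app-service"},
             "Action": ["storage:GetObject"], "Resource": "bucket/customer-data/*"}
        ]
    },
    "logging": {"enabled": True},
    "monitoring": {"alerts": ["unauthorized-access", "policy-change"]},
    "backup": {"schedule": "daily", "retention_days": 30},
})


@dataclass(frozen=True)
class Finding:
    area: str       # which customer-side activity the gap belongs to
    severity: str
    message: str


def is_public_principal(principal) -> bool:
    """True if a statement grants access to anyone (wildcard principal)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in principal.values())
    return False


def audit(config_json: str) -> list[Finding]:
    """Return the gaps in the activities left to the user organization."""
    cfg = json.loads(config_json)
    findings: list[Finding] = []

    # Activity 2: final integration and configuration (here: access policy).
    for stmt in cfg.get("storage_policy", {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
            findings.append(Finding("configuration", "high",
                                    f"public access granted on {stmt.get('Resource')}"))

    # Activity 4: service management during operations, which the CSP does not
    # provide in the self-service model: monitoring, incident management, backup.
    if not cfg.get("logging", {}).get("enabled", False):
        findings.append(Finding("monitoring", "medium", "access logging disabled"))
    if not cfg.get("monitoring", {}).get("alerts"):
        findings.append(Finding("incident-management", "medium", "no alerts configured"))
    backup = cfg.get("backup", {})
    if not backup.get("schedule") or backup.get("retention_days", 0) <= 0:
        findings.append(Finding("backup-recovery", "high", "no backup schedule or retention"))
    return findings


def responsibility_gaps(config_json: str) -> set[str]:
    """Activity areas in which the user organization has not yet done its part."""
    return {f.area for f in audit(config_json)}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [(f.area, f.severity, f.message) for f in audit(cfg)])
```

The `area` field maps each finding back to the activity in Figure 3 that the CSP has left to the user organization, which is the useful output for a CSC: it shows not just that something is misconfigured but which part of the division of labor has not been picked up by anyone.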