https://www.engineeringnews.co.za

Clearly defined roles and responsibilities are critical for cloud security

8th December 2021

     


This article has been supplied as a media statement and is not written by Creamer Media. It may be available only for a limited time on this website.

By Simeon Tassev, MD and QSA at Galix

When it comes to cloud versus on-premises infrastructure, security requirements remain the same, although the cloud requires additional controls because it is publicly available. The major difference is that on-prem has highly defined roles and responsibilities – when you own your infrastructure, this is all an internal responsibility. With the cloud, however, the boundaries can easily become blurred, because who is responsible for what depends on the cloud model deployed, the types of cloud in use, and many other different responsibilities. These need to be defined upfront, or businesses risk facing security issues. 

Blurred lines

IT infrastructure is made up of various systems and components, as well as applications, hosts, operating systems, and data. When this is housed on-prem, various teams may be charged with looking after the different elements, but it is all ultimately an internal responsibility. The cloud environment is different. 

There are many different cloud models, including public, private and hybrid, and also different types of cloud, from Infrastructure-as-a-Service (IaaS) to Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), to name a few. Many businesses employ a hybrid multi-cloud strategy, but each provider will also have different services and offerings, and this is where the complexity begins to creep in. 

For example, IaaS covers the hardware, but may also include the Operating System (OS). The cloud provider is therefore responsible for the uptime of the hardware, but if the OS is included, are they also responsible for support, updates, and patching? Are there extra services offered, such as user and identity management?

Similar situations could arise across any and all cloud services. The roles and responsibilities of the cloud provider need to be clearly defined, otherwise businesses may be under the assumption that certain elements are covered, when in fact nobody is looking after them at all. This is a security vulnerability. In addition, it is vital to understand that, while data backup and availability may be outsourced, the ultimate management of data and its content is always a business responsibility. 

Who are you?

With on-prem architecture, it is possible to physically restrict access, which makes control easier to achieve. The nature of the cloud, however, requires additional steps to be in place to mitigate threats, because unless a private cloud model is deployed, the cloud is publicly available and is therefore exposed to the internet. 

Physical controls cannot be implemented, so the priority with the cloud is identification and authentication to control authorised access. Access is therefore linked to the identity of the individual, and to assign roles and responsibilities it is critical to have full control of identity management. All the new cloud-based security frameworks are centred on this concept, including Zero Trust Networking (ZTN) and the Secure Access Service Edge (SASE). 

No trust until it is earned

ZTN is the foundation of cloud security in a borderless world. It is based on the premise that no device, user or entity is trusted until it can prove it is trustworthy. One of the criteria required to earn this trust is the ability to uniquely identify, without a doubt, who or what is attempting to connect.

This is where SASE comes into the picture. SASE focuses on the edge and the identity of the person connecting to the resource in the cloud and manages it accordingly. By default, all devices are untrusted. To earn trust and gain access, policies need to be applied and criteria met, such as various levels of authentication that must be implemented. SASE then provides the relevant access based on identity and defined access management roles. 

Identification and authentication are key

With cloud, the priority is around identification and authentication, because all controls are linked to the identity of the individual and their various roles and responsibilities. This means that it is critical to define the roles of all parties involved, including the cloud service provider, then to assign responsibility to a role, which then needs to be uniquely identified, and held accountable by enforcing relevant policies. 

Cloud security is not a ‘one size fits all’ approach, and depends entirely on the situation, systems and infrastructure in place. However, the basis of all solid cloud security practices is centred on roles and responsibilities. If the roles of both the service provider and the business are not clearly defined from the outset, the result will be grey areas and therefore gaps in security that can be exploited.

Edited by Creamer Media Reporter
