The shared responsibility model (SRM) is an underst和ing between the cloud service provider (CSP) 和 an end-user of its services. This agreement says that a CSP will be responsible for securing the platform infrastructure of its cloud operations while an end-user is responsible for securing the workloads running on the cloud platform.
的确, Gartner下划线 csp的客户需要彻底理解协议, stating that CSPs cannot offer complete security 和 security leaders must underst和 the scope of their responsibilities for security in the cloud. This is especially true for an organization in the process of migrating all or a portion of their workloads to the cloud.
因此, it would be most ideal for the architects building a cloud to take into 账户 the specific security implications of the environment in which they want to operate. This will help all stakeholders to get a more complete picture of the risks 和 responsibilities the business is taking on in 迁移到云. A lack of underst和ing in the concept of SRM as it relates to a specific organization 和 their CSP could result in the misconception that the CSP is responsible for security of a certain area – which could then lead to misconfigurations 和/or improperly secured cloud assets.
Underst和ing your role in the SRM can help you both uphold your responsibilities with regard to your CSP as well as implement 和 enforce 云安全 最佳实践,如定期漏洞扫描.
让我们看一下一些顶级csp是如何为其环境定义srm的. 毕竟, this information will be key in finding the best-fitting provider for your organization's unique needs.
This model states that AWS is responsible for the security of the cloud while customers are responsible for security in the cloud. While AWS works to keep its infrastructure safe, customers are in charge of IT controls such as 加密 和 身份和访问管理(IAM), patching guest operating systems, configuring 数据库, employee cybersecurity training.
该模型表明,在本地数据中心中,客户拥有整个堆栈. 随着客户迁移到云,一些责任转移到微软. 这些职责将根据栈部署的类型而有所不同.
对于所有的云部署类型,客户拥有自己的数据和身份. 他们有责任保护这些数据和身份的安全, 本地资源, 以及它们控制的云组件. 无论部署类型如何, 客户将始终保留以下数据, 端点, 账户, 以及访问管理职责.
This model states that an in-depth underst和ing is required for each service a customer uses, along with the configuration options each service provides 和 what Google Cloud does to secure the service. 每个服务都有不同的配置文件, 而且很难确定最佳的安全配置.
The customer is the expert in knowing the security 和 regulatory requirements for their business 和 knowing the requirements for protecting confidential data 和 resources. GCP 还引入了“共命运”的概念,” which enables a customer to essentially purchase the right to pass a responsibility on to GCP.
现在,让我们看看SRM是如何基于 云模式的类型 商业运作的基础. Under each heading below are listed the components a CSP is responsible for 和 those for which a customer is responsible.
要记住的是,当我们从上到下移动每个区域时, CSP管理着越来越多的组件. 因此, 客户获得了越来越多的便利和安心, 但定制能力较差.
CSP负责:
客户负责:
CSP负责:
客户负责:
CSP负责:
客户负责:
在完全定制的本地基础设施中,用户可以, 当然, 负责上面列出的所有方面.
对SRM通常包含的内容进行更技术性的总结, many experts would say that the customer is responsible for anything they can change/add/remove/reconfigure in their cloud environment. 如果他们没有能力修改某些东西, odds are the oversight responsibility for that aspect of cloud operations falls to the CSP.
然而,如上所述,可能存在重叠的领域. 这些灰色地带也被称为共享控制区, need to be intricately known by both CSPs 和 their customers for operations to run as smoothly as possible. 例如,就AWS而言,共享控制区域将包括以下方面 补丁管理、配置管理 基础设施即代码(IaC), 安全意识培训. 为什么这些区域是共享的?
具体地说, AWS将负责修补和修复其基础设施中的缺陷, while customers are responsible for patching their guest operating system 和应用程序. 类似的, AWS维护其基础设施的配置, 但是客户要负责配置自己的操作系统, 数据库, 和应用程序.
最后, it is incumbent upon both AWS 和 its cloud customers to provide 安全意识培训 to their respective employee organizations. These shared control areas only help to strengthen the abilities of both CSPs 和 their customers to secure the areas for which they are solely responsible.
SRM的好处是按照下面的好处来定义的 迁移到云 能产生. 作为一个客户,你是在与一个合作伙伴打交道——只是要确保这个合作伙伴是你可以信任的.
最佳实践显然取决于您的组织的独特需求. 因此,让我们看一下可靠SRM的一些更通用的最佳实践.