The shared responsibility model

Once we begin consuming cloud resources, we need to be aware that we are operating our application on some kind of provider-managed infrastructure and that both parties have a different level of access to the environment. 

The following diagram represents an overview of the shared responsibility model:

There are quite a few differences between the shared responsibilities depending on whether a customer is running an IaaS or a PaaS. For example, if the customer is using IaaS and running a virtual machine with a database instance on the cloud, the provider has access to and responsibility for securing the following:

  • The underlying hardware in their data center
  • The server and hypervisor where the VM instance is running
  • The storage subsystem where the data volume is residing
  • The physical network devices that connect the hypervisor to the internet
  • The uplink to the internet and the uplinks between the data center and other provider locations

The customer has access to and responsibility for maintaining the following:

  • Network and user access to the operating system (ports, users, keypairs, and so on)
  • Updating and upgrading the operating system
  • Installing, updating, and upgrading the database application
  • Securing the database application running inside the operating system
  • Securing access to the database application and the database instance
  • Securing the customer data inside the database instance

In the case of a PaaS service with the same requirement (running a database in the cloud), the customer consumes a database instance that is delivered by the cloud provider. The cloud provider will, of course, keep the same responsibilities for the infrastructure, but also takes on some of the responsibilities for securing the following:

  • Network and user access to the operating system (ports, users, keypairs, and so on)
  • Updating and upgrading the operating system
  • Installing, updating, and upgrading the database application
  • Securing the database application running inside the operating system
  • Securing access to the database application

The customer's responsibility is now reduced only to the following:

  • Securing access to the database instance (when using additional user-generated credentials)
  • Securing the customer data inside the database instances

The overall management footprint of the services being consumed in the cloud can be reduced dramatically when using PaaS. This usually means that the developers, SysOps, and architects can focus on building the application instead of building and maintaining infrastructure. PaaS is ideal for enterprises that strive for high agility, lean and effective development and DevOps teams, and overall high efficiency. On the other hand, PaaS has drawbacks when it comes to strict control of data flows, high security requirements, regulatory and compliance requirements, and so on.

The following diagram summarizes the difference between the IaaS and PaaS shared responsibility models:
