| Service Name |
Level |
IaaS Rationale |
PaaS Rationale |
FaaS Rationale |
SaaS Rationale |
| Secure Development |
0 |
Consumers are responsible for the security of any in-house developed applications that they host on an IaaS Cloud. |
A PaaS will typically include a set of provided APIs for the consumer’s use. The provider is responsible for the secure develop-ment of those APIs; the consumer is responsible for the security develop-ment of any applications that use those APIs. |
A FaaS provider will offer a set of back-end services that a consumer can utilise as part of a serverless application. The consumer is responsible for securing their code, whilst the provider is responsible for the security of the back-end services. |
The SaaS provider is responsible for the delivery of a secure application. |
| Coding Standards |
1 |
|
The consumer must implement a set of coding standards to ensure that they use the CSP-provided APIs correctly.
The provider must implement a set of coding standards to ensure that they code secure APIs for their consumers’ use. |
The consumer must implement a set of standards to ensure consistency across their serverless application architectures. |
|
| Code Review |
1 |
|
|
|
|
| Repository |
1 |
|
|
|
|
| Automate |
1 |
Infrastructure as code enables the automated provisioning of environments and testing by the consumer. |
The consumer can automate their build and testing activities.
The provider must do the same for the elements under their control. |
The consumer can automate their build and testing activities.
The provider must do the same for the elements under their control. |
|
| Build |
1 |
Infrastructure as code must be instantiated as a working infrastructure at some point. |
|
|
|
| Secrets Management |
1 |
The consumer is responsible for any operating level system credentials necessary to configure the environment. |
The consumer is responsible for the manage-ment of any application secrets required by their code. |
The consumer is responsible for the management of any application secrets required by their code. |
|
| Mitigate |
1 |
|
|
|
|
| Test |
1 |
|
|
The consumer remains responsible for the testing of their own application code. |
|
| Integrity |
0 |
Consumers are responsible for building any integrity checking mechanisms into the services they host on an IaaS Cloud. |
The provider is responsible for the integrity of the operating system and any provided APIs. The consumer is responsible for the integrity of the hosted application. |
|
The provider is responsible for the integrity of the data that they host and the service(s) that they offer. |
| Non-Repudiation |
1 |
|
|
|
|
| Content Check |
1 |
|
|
|
Depending on the nature of the SaaS, consumers may be required to set up data validation rules. |
| Snapshot |
1 |
|
|
|
|
| Hosting |
0 |
The provider is responsible for the physical hosting of their service. |
The provider is responsible for the physical hosting of their service. |
|
The provider is responsible for the physical hosting of their service. |
| Physical Security |
1 |
|
|
|
|
| Environ-mental Security |
1 |
|
|
|
|
| Storage |
1 |
|
|
|
|
| Communi-cations |
1 |
|
|
|
|
| Compliance |
0 |
The risks and penalties associated with breaches of compliance cannot be outsourced. Whilst the compliance status of the provider can be helpful, the primary responsibility for compliance remains with the consumer. |
The risks and penalties associated with breaches of compliance cannot be outsourced. Whilst the compliance status of the provider can be helpful, the primary responsi-bility for compliance remains with the consumer. |
The risks and penalties associated with breaches of compliance cannot be outsourced. Whilst the compliance status of the provider can be helpful, the primary responsibility for compliance remains with the consumer. |
The risks and penalties associated with breaches of compliance cannot be outsourced. Whilst the compliance status of the provider can be helpful, the primary responsibility for compliance remains with the consumer. |
| Audit |
1 |
|
|
|
|
| Test |
1 |
|
|
|
|
| Regime |
1 |
|
|
|
|
| Identify |
2 |
|
|
|
|
| Translate |
2 |
|
|
|
|
| Availability |
0 |
The responsibility for delivering availability requirements is shared between the consumer and the provider. The provider must provide a resilient service; the consumer must build a resilient application upon that service. |
The responsi-bility for delivering availability requirements is shared between the consumer and the provider. The provider must provide a resilient service; the consumer must build a resilient application upon that service. |
The responsibility for delivering availability requirements is shared between the consumer and the provider. The provider must provide a resilient service; the consumer must build a resilient application upon that service. |
The responsibility for delivering availability requirements is shared between the consumer and the provider. The provider must provide a resilient service; the consumer must build appropriate business continuity processes to ensure that it can survive any outages at the provider. |
| Business Continuity (BC) |
1 |
The consumer must ensure that its critical business processes can continue in the event of the application failing. |
The consumer must ensure that its critical business processes can continue in the event of the application failing. |
The consumer must ensure that its critical business processes can continue in the event of the application failing. |
The consumer must ensure that its critical business processes can continue in the event of the application failing. |
| BC Planning |
2 |
|
|
|
|
| BC Implement |
2 |
|
|
|
|
| BC Test |
2 |
|
|
|
|
| Disaster Recovery (DR) |
1 |
Disaster recovery is a joint responsibility. The provider is responsible for ensuring that any hardware or data centre failure can be recovered. The consumer is responsible for designing their service so that it can be recovered in similar circumstances. |
Disaster recovery is a joint responsi-bility. The provider is responsible for ensuring that any hardware, data centre failure or shared service failure can be recovered. The consumer is responsible for designing their service so that it can be recovered in similar circum-stances. |
|
Disaster recovery is a joint responsibility. The provider is responsible for ensuring that any hardware, data centre or application failure can be recovered. The consumer is responsible for ensuring that their service can be recovered in the event of a DR invocation. |
| DR Planning |
2 |
|
|
|
|
| DR Implement |
2 |
|
|
|
|
| DR Test |
2 |
|
|
|
|
| Resilience |
1 |
Resilience is a joint delivery responsibility. The consumer must design their services so that they can failover effectively – either within different containers (e.g. AWS regions or Availability Zones) within a single IaaS or, alternatively, across different IaaS Clouds. The provider must ensure that hardware failures are transparent to their consumers. |
The consumer must code their application so that it takes advantage of the failover capabilities of the Cloud platform.
The provider must ensure that their services failover gracefully in the event of a system or application fault. |
The consumer must code their application so that it takes advantage of the failover capabilities of the Cloud platform.
The provider must ensure that their services failover gracefully in the event of a system or application fault. |
The provider must ensure that their services failover gracefully in the event of a system or application fault.
The consumer remains responsible for ensuring that their connectivity to their provider can failover gracefully in the event of a hardware or ISP failure. |
| Copy |
2 |
|
|
|
The consumer should still ensure that their business data is replicated so as to enable business continuity in the event of a provider failure. |
| Reliability and Chaos |
2 |
Consumers are responsible for enabling the scoped automated failure of infrastructure and application components. |
Consumers are responsible for automating the failure of application compon-ents.
The provider is responsible for automating the scoped failure of the underlying infra-structure. |
Consumers are responsible for automating the failure of individual functions.
The provider is responsible for automating the scoped failure of the underlying infrastructure and back-end services. |
|
| Evergreen |
2 |
Consumers are responsible for building parallel environments to enable evergreen approaches to configuration management. |
Providers offer application deployment mechan-isms that enable consumers to adopt evergreen approaches. |
Providers offer application deployment mechanisms that enable consumers to adopt evergreen approaches. |
Providers are fully responsible for the patching status of their environments. |
| Content Distribution |
2 |
|
|
|
|
| DoS Prevention |
2 |
|
|
|
|
| Cryptography |
0 |
The consumer retains primary delivery responsibility for cryptography services, e.g. data encryption and the encryption of traffic between end users and the hosted application. |
The consumer is responsible for the appropriate use of the crypto-graphy services provided by the platform. The consumer can also develop their own crypto-graphic services to run on the platform.
The provider is responsible for the delivery of the crypto-graphic services they offer. |
The consumer is responsible for the appropriate use of the cryptography services provided by the platform. The consumer can also develop their own cryptographic services to run on the platform.
The provider is responsible for the delivery of the cryptographic services they offer. |
The provider now has primary responsibility for the implement-ation of cryptographic services.
The consumer retains responsibility for ensuring the security of the keys and certificates used to access the SaaS. |
| Encryption |
1 |
The consumer is responsible for the design and implementation of encryption services from the operating system upwards. This includes the use of encrypted network protocols within their virtual environment.
The provider is only responsible for the provision of the encrypted channel used to administer the service. |
The consumer is responsible for the appropriate use of the crypto-graphy services provided by the platform. The consumer can also develop their own crypto-graphic services to run on the platform.
The provider is responsible for the delivery of the crypto-graphic services they offer. |
The consumer is responsible for the appropriate use of the cryptography services provided by the platform. The consumer can also develop their own cryptographic services to run on the platform.
The provider is responsible for the delivery of the cryptographic services they offer. |
The provider is responsible for the design and implement-ation of encryption at network and data levels.
Typically, the consumer can only decide whether to access the service using http or https. |
| Key Management |
1 |
Key management is primarily the responsibility of the consumer. |
Key manage-ment can be a joint respon-sibility in a PaaS, e.g. where keys or certificates are imported into the authenti-cation and authori-sation services offered by the provider. |
Key management can be a joint responsibility in an FaaS, e.g. where keys or certificates are imported into the authentication and authorisation services offered by the provider. |
Key management remains a joint responsibility in a SaaS environment as the consumer retains responsibility for the secure management of the certificates used to access the service. |
| Access Management |
0 |
The consumer is responsible for access management relating to the hosted application. (The provider secures access to the IaaS administration features.) |
Many platforms provide access manage-ment services. The provider is responsible for the security of these access manage-ment services; the consumer is responsible for the secure use of these services. Consumers can also develop their own access manage-ment services. |
Many platforms provide access management services. The provider is responsible for the security of these access management services; the consumer is responsible for the secure use of these services. |
The provider is responsible for the provision of access management services.
The consumer is limited to use of the access management services, e.g. deciding which roles should be assigned to their users. |
| Identity Management |
1 |
The consumer is responsible for designing and implementing the identity management services used by their application. |
The consumer may be responsible for the develop-ment of the identity manage-ment services used by their application. The consumer may use the shared identity manage-ment services provided by the PaaS.
The provider is responsible for the security of the identity manage-ment services that they offer. |
The consumer is responsible for the secure implement-ation of identity management, which may involve using the services offered by the platform provider.
The provider is responsible for the security of the identity management services that they offer. |
The provider has primary responsibility for the provision of identity management services.
Typically, the consumer will only make use of the services made available by their provider. |
| Registration |
2 |
|
The consumer is responsible for ensuring that they have a suitable user registration process. This may involve using services provided by the PaaS. |
The consumer is responsible for ensuring that they have a suitable user registration process. This may involve the usage of back-end identity services provided by the wider platform. |
The consumer is responsible for ensuring that they have a suitable user registration process. Either users must be registered in the SaaS, or the SaaS must be configured to use federated identity management. |
| Provisioning |
2 |
Application users will be provisioned using mechanisms that the consumer controls. |
Depending on the application, users may be provisioned indepen-dently of the Cloud provider. Typically, application users will be configured using APIs provided by the Cloud provider. |
FaaS developers will typically use identity services made available by the Cloud provider. |
Application users are provisioned using the tools provided by the SaaS provider.
(Provisioning is, essentially, a technical service, unlike registration.) |
| Privilege Management |
2 |
|
|
|
The consumer will still be responsible for the allocation of application administer-ation privileges. |
| Directory |
2 |
|
|
|
The user directory is provided by the SaaS provider. |
| Validate |
1 |
The consumer is responsible for the delivery of validation services, e.g. delivery of application authentication mechanisms. |
The provider offers authent-ication and authori-sation APIs that should be reused by the consumer. The provider is, therefore, primarily responsible for the delivery of these services. |
The consumer will typically reuse authentication and authorisation services offered by the platform. The provider is, therefore, primarily responsible for the delivery of these services. |
The shared application includes the validate services. |
| Authenticate |
2 |
The consumer decides on and implements the authentication mechanisms used by their application. |
The consumer will typically use the authentic-ation services delivered by the provider. |
The consumer will typically use the authentication services delivered by the provider. |
The consumer must use the authentication mechanisms supported by the shared application. |
| Authorise |
2 |
The consumer decides on and implements the authorisation mechanisms used by their application. |
The consumer will typically use the authoris-ation services delivered by the provider. |
The consumer will typically use the authorisation services delivered by the provider. |
The consumer must use the authorisation mechanisms supported by the shared application. |
| Federate |
1 |
The consumer is responsible for any federation mechanisms, e.g. the establishment of trust frameworks. |
The consumer has primary respons-ibility for any federation mechan-isms, e.g. the establish-ment of trust frame-works. |
The consumer has primary responsibility for any federation mechanisms, e.g. the establishment of trust frameworks. |
The consumer has primary responsibility for any federation mechanisms, e.g. the establishment of trust frameworks. The provider’s application must be able to support federation. |
| Policy (AM) |
1 |
The consumer sets the access management policy for the hosted service. |
The consumer sets the access manage-ment policy for the application. The provider sets the access manage-ment policy for the shared APIs. |
The consumer sets the access management policy for the application. The provider sets the access management policy for the shared APIs. |
The provider sets the overall access management policy for the service. The consumer may set the specific access management policy for their implemen-tation. |
| Filter |
1 |
Delivery of the filter service is a joint responsibility. The provider is responsible for the provision of filter capabilities relating to the underlying IaaS. The consumer is responsible for filter services protecting the hosted application. |
Delivery of the filter service is a joint respons-ibility. The provider is responsible for the provision of filter capabilities relating to the underlying PaaS. The consumer is responsible for filter services protecting the hosted application. |
The consumer is responsible for filter services protecting the hosted application, e.g. API security. |
The provider is responsible for the filter services protecting the shared application. |
| Security Governance |
0 |
The consumer must provide the security governance frameworks under which the hosted application is delivered and operated. |
The consumer and provider must jointly provide the security governance frameworks under which the hosted application is delivered and operated. |
The consumer and provider must jointly provide the security governance frameworks under which the hosted application is delivered and operated. |
The consumer and provider must jointly provide the security governance frameworks under which the shared application is delivered and used. |
| Security Management |
1 |
The consumer must design the technical architecture and operating procedures for the hosted application; this includes the associated security management capabilities. |
The consumer must design the technical architecture and operating procedures for the hosted application. The provider must do the same for the shared services. |
The consumer must design the technical architecture and operating procedures for the hosted application. The provider must do the same for the shared services. |
The consumer must design the operating procedures for their use of the hosted application. The provider must provide the security management of the hosted application. |
| Assurance |
2 |
|
|
|
|
| Architecture and Design |
3 |
The consumer is responsible for the architecture and design of their application and its hosting environment. The provider is only responsible for the design of the underlying hardware. |
The provider is responsible for the architecture and design of the shared services.
The consumer is responsible for the architecture and design of the hosted application itself. |
The provider is typically responsible for the architecture and design of the run-time and back-end services.
The consumer is responsible for the architecture and design of the serverless application itself. |
The provider is responsible for the architecture and design of the service.
The consumer may be responsible for small levels of customisation, e.g. ‘skinning’ the application with corporate colours and logos. |
| Procedures |
3 |
|
|
|
Consumers remain responsible for the creation of the procedures governing application usage. |
| Policy (SM) |
2 |
The consumer is responsible for producing the security policies relating to the hosted application. |
The provider is responsible for setting the security manage-ment policies for the usage of their shared services. The consumer is responsible for the security manage-ment policies regarding how those shared services are to be used and how the application itself must be used. |
The provider is responsible for setting the security management policies for the usage of their back-end services. The consumer is responsible for the security management policies regarding how those back-end services are to be used and how the application itself must be used. |
The provider is responsible for the application’s top level security management policy.
The consumer can only set policies governing their usage of the application. |
| Policy Research |
3 |
|
|
|
|
| Policy Design |
3 |
|
|
|
|
| Disseminate |
2 |
Dissemination of security policy regarding the application is primarily the responsibility of the consumer. |
Dissem-ination of security policy is a joint respon-sibility; both the consumer and provider must disseminate the security policy to their respective users. |
Dissem-ination of security policy is a joint responsibility; both the consumer and provider must disseminate the security policy to their respective users. |
Dissem-ination is a joint responsibility; both the consumer and provider must disseminate the security policy to their respective users. |
| Enforce |
2 |
|
|
|
|
| Risk Management |
1 |
The consumer remains responsible for ensuring that risks to the application are identified and appropriately managed. |
The consumer must ensure that risks to their own application are identified and managed.
The provider must ensure that risks to their shared APIs are identified and managed. |
The consumer must ensure that risks to their own application are identified and managed.
The provider must ensure that risks to the serverless APIs are identified and managed. |
The provider is responsible for ensuring that risks to the application are identified and appropriately managed.
The consumer may wish to assure themselves that the provider is managing risk appropriately. |
| Threat Model |
2 |
|
|
|
The consumer is responsible for modelling threats to their data and service. The provider is responsible for modelling threats to the application itself. |
| Classify |
2 |
|
|
|
|
| Inform |
2 |
|
|
|
|
| Assess |
2 |
|
|
|
|
| Treat |
2 |
|
|
|
|
| Accredit |
2 |
|
|
|
|
| Personnel Security |
1 |
Personnel security is a joint responsibility: the consumer is responsible for the vetting, discipline and training of their end users and administrative staff; the provider is responsible for their own staff. |
Personnel security is a joint respon-sibility: the consumer is responsible for the vetting, discipline and training of their end users and admini-strative staff; the provider is responsible for their own staff. |
Personnel security is a joint responsibility: the consumer is responsible for the vetting, discipline and training of their end users and administrative staff; the provider is responsible for their own staff. |
Personnel security is a joint responsibility: the consumer is responsible for the vetting, discipline and training of their end users and administrative staff; the provider is responsible for their own staff. |
| Vetting |
2 |
|
|
|
|
| Discipline |
2 |
|
|
|
|
| Training |
2 |
|
|
|
|
| Coordinate |
1 |
It is the consumer’s responsibility to coordinate all aspects of the security of their service. |
It is the consumer’s respon-sibility to coordinate all aspects of the security of their service. |
It is the consumer’s responsibility to coordinate all aspects of the security of their service. |
It is the consumer’s responsibility to coordinate all aspects of the security of their service. |
| Privacy |
1 |
The consumer remains primarily accountable for managing their privacy requirements. |
The consumer remains primarily accountable for managing their privacy require-ments. |
The consumer remains primarily accountable for managing their privacy requirements. |
The consumer remains primarily accountable for managing their privacy requirements. |
| Impact Assess |
2 |
|
|
|
|
| Consent Management |
2 |
|
|
|
|
| Data Sanitisation |
2 |
|
|
|
The consumer may use tokenisation, encryption or anonymi-sation to prevent data entering the platform. Once it is within the provider platform, the provider is responsible for data sanitisation. |
| Security Operations |
0 |
Security operations primarily remain the consumer’s responsibility but the provider must play its part. |
The provider is responsible for security operations up to and including the operating system layer.
The consumer is responsible for security operations at the application level (with the exception of the shared APIs). |
The provider is responsible for security operations up to and including the run-time.
The consumer is responsible for security operations at the application level (with the exception of the shared APIs). |
The provider is responsible for security operations up to and including the application.
The consumer may choose to implement some security operations services on-premise. |
| Monitoring |
1 |
The consumer is responsible for the security monitoring of the hosted application. The provider is responsible for the monitoring of the underlying IaaS. For example, the provider must be able to recognise distributed denial of service attacks against its service. |
The consumer is responsible for the security monitoring of the hosted application. The provider is responsible for the monitoring of the underlying hardware and also of the shared services (e.g. authenti-cation and authori-sation). |
The consumer is responsible for maintaining the observability of the serverless application. The provider is responsible for the monitoring of the underlying hardware and also of the shared services (e.g. authentication and authori-sation). |
The consumer is responsible for monitoring the application’s use by their end users.
The provider is responsible for monitoring the security of the application and the supporting platform. |
| Log |
2 |
The consumer must decide which (virtual) network, operating system and application level events they wish to capture. |
The consumer must decide which events their application must log. |
The consumer must decide which events their application must log. |
The provider is responsible for deciding which events the application can log.
The consumer may have some flexibility regarding which of these events they log. |
| Analyse |
2 |
The consumer must put in place the capability to analyse security logs. |
The analysis tasks are split between the consumer and the provider. Both parties must implement analysis capabilities. |
The analysis tasks are split between the consumer and the provider. Both parties must implement analysis capabilities. |
The analysis tasks are split between the consumer and the provider. Both parties must implement analysis capabilities. |
| Event Management |
2 |
The consumer has the access to manage most events, with the exceptions of hardware and physical network issues. |
The consumer has the access to manage application level events. |
Events are used to trigger functions. Event management has different connotations in the FaaS environment. Event triggers are often provided by the platform. |
Events affecting the application as a whole or the underlying platform must be managed by the provider.
Traditional misuse of authorised access by end users must still involve the consumer. |
| Report |
2 |
The consumer has access to most of the information required to report on security events. |
The consumer can instrument their application to deliver most of the information required to report on security events. |
The consumer can instrument their application to deliver most of the information required to report on security events. |
The consumer must work with the services offered by the provider to gather the necessary information to produce the report. |
| Threat Hunting |
2 |
|
|
|
|
| Administration |
1 |
The consumer is responsible for the administration of all aspects of the hosted application from the operating system upwards. |
The provider is responsible for the admini-stration of everything except the application itself. |
The provider is responsible for the admini-stration of everything except the application itself. |
The provider is responsible for all system admini-stration. |
| Secure Channel |
2 |
The consumer must choose appropriate management channels for their virtualised environment. |
The provider must ensure that appropriate out-of-band manage-ment channels are used. |
The provider must ensure that appropriate out-of-band management channels are used. |
The provider must ensure that appropriate out-of-band management channels are used. |
| Decommi-ssion |
2 |
Decommi-ssioning is a joint responsibility: the consumer must decommission its hosted services, whilst the provider must ensure that released resources do not expose consumer data to other IaaS users. |
Decommi-ssioning is primarily the responsi-bility of the provider: both virtual images and physical hardware are within their scope of provision. |
Decommi-ssioning is primarily the responsibility of the provider: both virtual images and physical hardware are within their scope of provision. |
Decommi-ssioning is the responsibility of the provider. |
| Manage |
2 |
The consumer is responsible for the management of their virtual environment from the network upwards. |
The provider is responsible for server manage-ment and the manage-ment of any shared services.
The consumer is responsible for application manage-ment. |
The provider is responsible for server management and the management of any shared services.
The consumer is responsible for application management. |
The provider is responsible for all management of the service (with the exception of any user-configurable elements such as ‘skinning’). |
| Dispose |
2 |
The provider is responsible for the secure disposal of decomm-issioned hardware. |
The provider is responsible for the secure disposal of decomm-issioned hardware. |
The provider is responsible for the secure disposal of decomm-issioned hardware. |
The provider is responsible for the secure disposal of decomm-issioned hardware. |
| Deploy |
2 |
|
The consumer is responsible for the code to be deployed and has a degree of control over how the code is deployed. |
The consumer is responsible for the code to be deployed; the provider is responsible for actual deployment. |
|
| Orchestrate |
2 |
|
|
|
|
| Change Management |
1 |
The consumer retains primary responsibility for managing change to the hosted application and the supporting operating system. |
The consumer retains respon-sibility for managing change to the application but must consider the effects on any shared services.
The provider is responsible for managing change to the underlying platform. |
The consumer retains responsibility for managing change to the application but must consider the effects on any back-end services it relies upon.
The provider is responsible for managing change to the underlying platform. |
The provider is responsible for technical change management to the application.
The consumer is responsible for changes to the user-configurable elements of the service (e.g. data types, access rights, ‘skinning’) and associated business processes. |
| Problem Management |
1 |
Problem management is a joint responsibility: problems with the underlying IaaS must be communicated and managed jointly. |
Problem manage-ment is a joint respons-ibility: problems with the underlying PaaS must be commun-icated and managed jointly. |
Problem management is a joint responsibility: problems with the underlying FaaS must be communi-cated and managed jointly. |
Problem management is a joint responsibility: problems with the application must be communi-cated and managed in a coordinated manner. |
| Vulnerability Management |
1 |
The provider must identify and manage vulnerabilities within their IaaS. Consumers must identify and manage vulnerabilities to their hosted services (operating system and application). |
The provider must identify and manage vulnera-bilities within their PaaS. Consumers must identify and manage vulnera-bilities to their hosted application. |
The provider must identify and manage vulnerabilities within their FaaS. Consumers must identify and manage vulnerabilities to their hosted application. |
The provider must identify and manage vulnerabilities within their application and supporting infrastructure. |
| Threat Intelligence |
1 |
|
|
|
|
| Incident Management |
1 |
The consumer retains primary responsibility for incident management since the main source of incidents will usually be users, the application or the underlying operating system. |
Incidents may occur within the shared services or within the consumer-specific application, or in some combin-ation of the two. Consumers retain respons-ibility for user-initiated incidents. |
Incidents may occur within the shared services or within the consumer-specific application, or in some combination of the two. Consumers retain responsibility for user-initiated incidents. |
The provider is responsible for managing incidents affecting their service.
The consumer must still manage incidents affecting their users, data and business processes. |
| Respond |
2 |
|
|
|
|
| Investigate |
2 |
|
|
|
|
| Action |
2 |
|
|
|
|
| Close |
2 |
|
|
|
|
| Exercise |
2 |
|
|
|
|
| Asset Management |
1 |
The consumer is responsible for ensuring that they understand the assets they are operating in the Cloud, including whether or not they hold the appropriate licenses. |
The consumer is responsible for ensuring that they understand the applications they are operating in the Cloud.
The provider is responsible for ensuring that they understand their service portfolio and the underlying assets. |
The consumer is responsible for ensuring that they understand the applications they are operating in the Cloud.
The provider is responsible for ensuring that they understand their service portfolio and the underlying assets. |
The provider is primarily responsible for managing the assets that provide the service. |
| Catalogue |
2 |
|
|
|
|
| Configuration Management |
2 |
The consumer has primary responsibility for the configuration management of their virtual environment.
The provider must provide suitable configuration management of the underlying physical hardware. |
The consumer has configu-ration manage-ment respons-ibility for their deployed application.
The provider has configu-ration manage-ment respons-ibility for the underlying platform and its supporting physical hardware. |
The consumer has configuration management responsibility for their deployed application.
The provider has configuration management responsibility for the underlying platform and its supporting physical hardware. |
The provider is responsible for the configuration management of the application and its supporting physical hardware.
The consumer may retain responsibility for any user-configurable aspects. |
| License |
2 |
|
|
|
|
| Rights Management |
2 |
|
|
|
|
| Data Loss Prevention |
2 |
|
|
|
|
| Integration |
0 |
The consumer is responsible for the integration of their Cloud services. |
The consumer is responsible for the integration of their Cloud services. |
The consumer is responsible for the integration of their Cloud services. |
The consumer is responsible for the integration of their Cloud services. |
| CASB |
1 |
The consumer is responsible for Cloud security brokerage. |
The consumer is responsible for Cloud security brokerage. |
The consumer is responsible for Cloud security brokerage. |
The consumer is responsible for Cloud security brokerage. |
| API |
1 |
The consumer is responsible for the APIs they expose.
The provider is responsible for the APIs it exposes. |
The consumer is responsible for the APIs it exposes.
The provider is responsible for the APIs it exposes. |
The consumer is responsible for the APIs it exposes.
The provider is responsible for the APIs it exposes. |
The provider is responsible for the APIs it exposes. The consumer can only choose whether or not to use the APIs offered by the provider. |
| Cloud Workload Protection |
1 |
The consumer has almost complete control over which security controls are implemented on their workloads and over their portability. |
The consumer has a large degree of control over which security controls are implem-ented on their workloads and over their portability. |
The consumer has a significant degree of control over which security controls are implemented on their workloads and over their portability. |
Not applicable.
There is no opportunity to put a consistent security tooling wrapper around a SaaS workload within a SaaS platform. |
