waltforbes

How is host infrastructure a shared responsibility in cloud computing?

Reference: https://learn.microsoft.com/es-es/archive/blogs/azuresecurity/what-does-shared-responsibility-in-the-cloud-mean


My confusion: I thought "host infrastructure" refers to compute, network, and storage components that are physical, which are solely provided and maintained by the cloud provider.

David Johnson, CD

Host infrastructure can be self-hosted on your own equipment or, as you traverse from IaaS to PaaS to SaaS, shifts from the consumer to the cloud hoster.
Compare the 2 diagrams:
https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-iaas/ and
https://learn.microsoft.com/es-es/archive/blogs/azuresecurity/what-does-shared-responsibility-in-the-cloud-mean

waltforbes (ASKER)

Aha! To be more specific, referencing the Microsoft table-diagram (2nd link), I have placed a yellow question mark on the colored shape that puzzles me. How can I, an IaaS customer, have any [shared] responsibility for "Host infrastructure"? See below:

User generated image

(I expected my provider to have all responsibility for "host infrastructure": why am I wrong?)


IaaS provides the hardware; you provide the software and the setup of the components.
Read the FAQ on the page I referenced.
User generated image

I do agree that I "provide the software and setup of the components".


So then, is it therefore true that "software and setup of components" are a part of "host infrastructure"?

The document on shared responsibility refers to security.


Yes, the cloud provider has responsibility for the hardware infrastructure and its security.

However, when it comes to IaaS, YOU are responsible for the security of your cloud configuration. You still need to configure a secure IaaS infrastructure.

@Daryl... "The document on shared responsibility refers to security."


I think the shared responsibility model is not just about security. It also includes the workloads and IT controls. In terms of security, yes, the responsibility is shared in the sense that the cloud service provider (CSP) provides "security of the cloud", and the customer is responsible for the "security in the cloud". Two distinct aspects which I think AWS does a better job of explaining (https://aws.amazon.com/compliance/shared-responsibility-model/).


User generated image


@waltforbes... "So then, is it therefore true that "software and setup of components" are a part of "host infrastructure"?"


That is correct. Under the IaaS for example, you create the virtual network and define firewall rules etc. It's your responsibility to make sure that your configuration is secure. This is part of "host infrastructure". That is how you share responsibility with the CSP.
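
The customer-side half of "host infrastructure" described above (firewall rules you define yourself under IaaS) can be checked mechanically. The following is an added example, not part of the original thread or any vendor's tooling: it flags inbound Allow rules that expose SSH or RDP to any source. The sample rules are constructed, the function names are hypothetical, the field names follow the Azure NSG security-rule properties, and rule priority (a higher-priority Deny shadowing an Allow) is not evaluated.

```python
import json

# Constructed sample in the shape of Azure NSG security rules (name + properties).
# All names and values below are invented for this example.
SAMPLE_NSG_RULES = json.loads("""[
 {"name": "allow-ssh-any", "properties": {"direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22", "priority": 100}},
 {"name": "allow-rdp-range", "properties": {"direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["3000-4000"], "priority": 110}},
 {"name": "allow-https", "properties": {"direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "443", "priority": 120}},
 {"name": "allow-ssh-admin-net", "properties": {"direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22", "priority": 130}},
 {"name": "deny-all-in", "properties": {"direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*", "priority": 4096}}
]""")

ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # wildcard, full IPv4 range, Internet service tag
MGMT_PORTS = {22: "SSH", 3389: "RDP"}        # assumption: ports treated as management access

def covers(port_spec, port):
    """True if an NSG port spec ('*', '22', '3000-4000') includes the given port."""
    spec = port_spec.strip()
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_management_rules(rules):
    """Return (rule name, service) for inbound TCP Allow rules open to any source."""
    findings = []
    for rule in rules:
        p = rule["properties"]
        if p.get("direction", "").lower() != "inbound" or p.get("access", "").lower() != "allow":
            continue
        if p.get("protocol", "*").lower() not in ("tcp", "*"):
            continue
        sources = [p.get("sourceAddressPrefix", "")] + p.get("sourceAddressPrefixes", [])
        if not any(s.lower() in ANY_SOURCE for s in sources if s):
            continue
        specs = [p.get("destinationPortRange", "")] + p.get("destinationPortRanges", [])
        for port, service in MGMT_PORTS.items():
            if any(covers(s, port) for s in specs if s):
                findings.append((rule["name"], service))
    return findings

if __name__ == "__main__":
    for name, service in exposed_management_rules(SAMPLE_NSG_RULES):
        print(f"{name}: {service} reachable from any source")
```

Note that the second sample rule never names port 3389; it is caught because the range 3000-4000 contains it, which is the kind of exposure that is easy to miss when reviewing rules by eye.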


@Mlanda


I agree that shared responsibility refers to more than just security. I was just pointing out that the article referenced in waltforbes' original post refers to security in the shared responsibility model.


I like the "security of the cloud" and "security in the cloud" phrase. That illustrates my point well.



madunix

Among cloud-specific risks, one is insecure or incomplete data deletion. Crypto shredding is the best option. When the application is no longer needed, it's time for a disposal phase. Crypto shredding is used to erase application data in the cloud. Additionally, it would be best to have a data disposal policy that outlines the procedures used to delete or sanitize cloud data. In the end, you need to have a solid contract between you and the CSP. Beware: data security is your responsibility; you are always responsible for the data itself.


A vital core concept when using cloud resources is that implementing and managing security controls is not a "hands-off" endeavor and that identifying the boundary between customer and CSP responsibilities requires a conscious effort.


Additional Resources

NIST Cloud Computing Reference Architecture SP 500-292

https://www.nist.gov/publications/nist-cloud-computing-reference-architecture


Microsoft Shared Responsibility for Cloud Computing (White Paper)

https://azure.microsoft.com/en-us/resources/shared-responsibility-for-cloud-computing/

https://learn.microsoft.com/en-gb/azure/security/fundamentals/shared-responsibility


Cloud Security Alliance Shared Responsibility Model Explained

https://cloudsecurityalliance.org/blog/2020/08/26/shared-responsibility-model-explained/


Google has put a matrix for PCI-DSS compliance

https://cloud.google.com/files/PCI_DSS_Shared_Responsibility_GCP_v32.pdf


Responsibilities in the Cloud

https://www.studynotesandtheory.com/single-post/Responsibilities-in-the-Cloud


Samples:


User generated image


User generated image


User generated image


The resources here are super-wonderful!


I believe I have identified my confusion: I was [wrongly] defining "host infrastructure" as follows:

- "host" = physical server at the CSP's data center
- "infrastructure" = physical components (network switches, cabling, cabinet, physical storage) used by the "host" (physical server at CSP's data center).


So, the final help I need is for someone to correct (or confirm) this above understanding of the term "host infrastructure". Then I will view (and comprehend) all the illustrations & explanations through the lens of truly understanding what the phrase "host infrastructure" really means.


I am super grateful for all the patience, efforts, and insights offered so far. I am merely having a struggle with a fundamental understanding of the expression "host infrastructure".

SOLUTION
madunix

(This solution is only available to members.)

ASKER CERTIFIED SOLUTION

(This solution is only available to members.)

@Milanda T: your latest post 100% clarifies my understanding, and I thank you in spades! Finally, everything else in this topic makes total sense! With gratitude, I will now close this question.

Special mention (kudos) to madunix: you provided the best documentation & illustrations! Thank you ever so much!