| Security Metric | Cloud Addendum | Vendor or Tenant? | Delivery Model | Target |
|---|---|---|---|---|
| Describes a common security metric. | What is cloud specific about this security metric in a cloud context? | In cloud computing, there are multiple parties involved, and a business process can be outsourced to one or more cloud vendors. In addition, the tenant is still accountable for the data and for the information security and privacy risks associated with its data. | Each SPI delivery model (SaaS, PaaS, and IaaS) has different nuances and different security responsibilities for the vendor and the tenant. | What is the acceptable range or value you want to achieve? |
| Percentage of hosts that are up-to-date with critical security patches. | Here it might be important to know whether these hosts are at the cloud vendor site, on premises at the tenant site but interfacing with hosts at the cloud vendor, or both. | If you are a tenant, you need to understand all the layers and know exactly which assets you own, which assets you touch that may not be on premises, and which assets you interface with both locally and remotely. A vendor may be asked to report to customers on a metric similar to this on a quarterly basis in an effort to be transparent about its information security practices. | Depending on the cloud delivery model, responsibility for security generally lies mostly with the vendor for SaaS and mostly with the tenant for IaaS. | 100% |
| Application security incident: mean time to fix. | No tenant wants to be exposed to application security vulnerabilities from its cloud vendor, especially if the tenant has outsourced important business functions to the cloud. Further, this could impact the tenant's customers who have dependencies on services the tenant has outsourced to the cloud vendor. On the other hand, cloud vendors that provide infrastructure and platform services need to protect themselves from tenant application security vulnerabilities that could affect the infrastructure or platform. | Potentially both, depending on the deployment model. | This metric applies to the cloud vendor if it is responsible for the application. It applies to the tenant in a PaaS or IaaS delivery model if it has an application with a security vulnerability. | |
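The two metrics in the table only become useful in a cloud setting once each host or incident is attributed to the party that is responsible for it under the delivery model. The following added example (not from the original table) computes patch compliance against the 100% target and mean time to fix per responsible party over a constructed inventory; the SaaS-to-vendor and IaaS-to-tenant split comes from the table, while treating the tenant as owner of only the application layer on PaaS is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Host:
    name: str
    model: str      # "SaaS", "PaaS" or "IaaS"
    layer: str      # "infrastructure", "platform" or "application"
    location: str   # "vendor" (cloud vendor site) or "on-prem" (tenant site)
    patched: bool   # current on critical security patches

def responsible_party(host):
    """Patching owner per the table: SaaS -> vendor, IaaS -> tenant.
    PaaS (assumption): the tenant owns only the application layer."""
    if host.model == "PaaS":
        return "tenant" if host.layer == "application" else "vendor"
    return {"SaaS": "vendor", "IaaS": "tenant"}[host.model]

def patch_compliance(hosts):
    """Percentage of hosts current on critical patches, per responsible party.
    Returns {party: (percent, meets_100_percent_target)} so a tenant-side gap
    is not hidden inside one blended number."""
    groups = {}
    for h in hosts:
        groups.setdefault(responsible_party(h), []).append(h.patched)
    return {p: (round(100 * sum(f) / len(f), 1), all(f))
            for p, f in groups.items()}

@dataclass
class AppIncident:
    owner: str      # "vendor" or "tenant": who owns the vulnerable application
    opened: datetime
    fixed: datetime = None   # None while still open

def mean_time_to_fix_hours(incidents):
    """Mean time to fix (hours) per owner, counting closed incidents only."""
    by_owner = {}
    for i in incidents:
        if i.fixed is not None:
            hours = (i.fixed - i.opened).total_seconds() / 3600
            by_owner.setdefault(i.owner, []).append(hours)
    return {o: round(mean(v), 1) for o, v in by_owner.items()}

# Constructed sample inventory and incidents (not from the page).
HOSTS = [Host("crm-web-1", "SaaS", "application", "vendor", True),
         Host("paas-db-1", "PaaS", "platform", "vendor", True),
         Host("paas-app-1", "PaaS", "application", "vendor", False),
         Host("iaas-vm-1", "IaaS", "infrastructure", "vendor", True),
         Host("gateway-1", "IaaS", "infrastructure", "on-prem", False)]
INCIDENTS = [AppIncident("vendor", datetime(2024, 3, 1, 9), datetime(2024, 3, 2, 9)),
             AppIncident("tenant", datetime(2024, 3, 1, 9), datetime(2024, 3, 4, 21)),
             AppIncident("tenant", datetime(2024, 3, 5, 9))]
```

With this data the vendor side meets the 100% patch target while the tenant side sits at 33.3%, which is exactly the kind of split a tenant needs to see before accepting a vendor's quarterly report at face value.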