Comprehend Cloud Infrastructure Components
Physical Environment
Who the CSP is, and therefore who owns the physical environment, depends on the deployment model:
- Private cloud: usually on premises, in which case the organization is its own CSP. If it is built and hosted by a commercial vendor, the vendor is the CSP.
- Community cloud: the member organization that hosts the cloud for the community is the CSP.
- Public cloud: the vendor is the CSP.
The physical security of the environment is the sole responsibility of the CSP. Common controls include locks, security personnel, lighting, fences, and similar physical measures. Customers normally cannot inspect these controls themselves, so they rely on contractual terms and independent audit reports (for example SOC 2 or ISO 27001) to verify that they are in place.
Network and Communications
All the networking components that make up the cloud are the responsibility of the CSP, including their security. The customer is responsible for all the networking infrastructure at their own organization. Securing traffic over the internet between the two is a shared responsibility: the CSP must offer secure protocols (TLS on its endpoints and APIs, for example) as the means of data transfer, and it is the customer's responsibility to configure and actually use them rather than falling back to unencrypted or legacy protocol versions.
Compute
Compute resources are the components that provide VMs, disk, processor, memory, and network capacity. The physical components are the responsibility of the CSP; the data and the users are the responsibility of the customer. The software that runs on the hardware and is used by the customer is the responsibility of either the CSP or the customer, depending on the service model:
- IaaS: the CSP is responsible for the virtualization layer and any software it operates. The guest operating system and everything above it, including patching and hardening, is the customer's responsibility even when the CSP supplies the base image; where CSP-managed software exposes configuration options, the customer is responsible for how they are set.
- PaaS: the CSP is responsible for all the services it provides (OS, runtime, middleware). The customer is responsible for the configurations it changes, for all data and users, and for any additional software or applications it installs on the platform.
- SaaS: the CSP is responsible for all compute resources and the application itself. The customer is responsible for customization of the service (settings, integrations, access rules), data, and users.
Virtualization
There are two types of hypervisors that provide virtualization: Type-1 (bare-metal) and Type-2 (hosted). Type-1 is the one used in cloud data centers.
- Type-1: the hypervisor is installed directly on the physical server's hardware. It is not installed as part of an OS; it provides the OS-like functionality itself. The VMs are managed through a separate management console rather than from the hypervisor host.
- Type-2: the hypervisor is software installed on top of a host OS (Windows, macOS, or Linux). The VMs are usually managed on that host itself.
The security of the hypervisor is essential, because a compromise of the hypervisor exposes every VM it runs. The CSP is responsible for the hypervisor itself. Depending on the service model, the security of the virtual network and of the VMs (guest OS, patching, configuration) falls to either the tenant or the CSP.
The virtual network uses software-defined switches, routers, and firewalls. Keeping VMs and tenants isolated from each other (separate virtual networks, per-VM firewall rules) reduces the possibility of an attacker moving laterally from one network to another. Security tools designed for physical networks may never see traffic that stays inside the hypervisor, so use monitoring and filtering tools designed for virtual networks.
Storage
Security for storage is shared between the customer and the CSP. The CSP is responsible for the physical security of the data centers and for patching the storage service. The customer is responsible for the security and privacy of the information being stored, including who is allowed to access it. One of the best ways to protect stored data is encryption at rest, combined with crypto-shredding (destroying the encryption keys so that the remaining ciphertext is unrecoverable) when the data is no longer needed. This matters in the cloud because the customer cannot physically wipe or destroy the disks, replicas, and backups that hold the data; deleting the key is the only deletion the customer can be sure of.
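The key hierarchy behind encryption at rest and crypto-shredding, as an added example that is not part of the original notes: a key-encryption key (KEK) held by a key management service wraps one data-encryption key (DEK) per object, the object store holds only ciphertext, and shredding an object means deleting its wrapped DEK while the ciphertext is left in place. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag built from the standard library so the file runs anywhere; it is a stand-in for AES-GCM, and the KMS and object store classes, object names, and the sample record are all constructed for the example.

```python
"""Envelope encryption with crypto-shredding (stand-alone demonstration).

  KEK  - one key-encryption key, held only by the key management service
  DEK  - one data-encryption key per object, stored only wrapped under the KEK
  blob - the object's ciphertext in the store; useless without its DEK

Crypto-shredding an object = deleting its wrapped DEK. The ciphertext may linger
on disks, replicas and backups, but nothing can decrypt it any more. The cipher
(HMAC keystream + HMAC tag) stands in for AES-GCM; use a real AEAD in production.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    # CTR-style keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    """Encrypt and authenticate; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyManagementService:
    """Holds the KEK and a table of wrapped DEKs. Deleting a DEK is the crypto-shred."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self._wrapped_deks = {}

    def create_dek(self, object_id):
        dek = secrets.token_bytes(32)
        self._wrapped_deks[object_id] = seal(self._kek, dek)  # never stored in the clear
        return dek

    def unwrap_dek(self, object_id):
        if object_id not in self._wrapped_deks:
            raise KeyError(f"no DEK for {object_id!r}: object was crypto-shredded")
        return open_(self._kek, self._wrapped_deks[object_id])

    def shred(self, object_id):
        del self._wrapped_deks[object_id]

class ObjectStore:
    """Stores ciphertext only; every read has to obtain the DEK from the KMS."""
    def __init__(self, kms):
        self.kms, self.blobs = kms, {}

    def put(self, object_id, plaintext):
        self.blobs[object_id] = seal(self.kms.create_dek(object_id), plaintext)

    def get(self, object_id):
        return open_(self.kms.unwrap_dek(object_id), self.blobs[object_id])

    def crypto_shred(self, object_id):
        # Only the key is destroyed; the ciphertext is deliberately left behind,
        # as it would be on the CSP's disks, replicas and backups.
        self.kms.shred(object_id)

def demo():
    """Store a constructed record, shred it, and report what is still readable."""
    store = ObjectStore(KeyManagementService())
    record = b"constructed sample: customer PII record"
    store.put("record-1", record)
    readable_before = store.get("record-1") == record
    store.crypto_shred("record-1")
    try:
        store.get("record-1")
        readable_after = True
    except KeyError:
        readable_after = False
    return {"readable_before_shred": readable_before,
            "ciphertext_still_present": "record-1" in store.blobs,
            "readable_after_shred": readable_after}
```

The point the demo makes is that after `crypto_shred` the blob is still sitting in `store.blobs`, exactly as it would be on the CSP's media, yet `get` can no longer recover it. In a real deployment the KMS is a managed service or HSM and the KEK itself can be rotated or destroyed to shred every object at once.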
Management Plane
The management plane is the set of tools used to configure, monitor, and control the cloud environment, usually in the form of web consoles, command-line tools, and APIs. There are other planes as well, the control plane and the data plane, but the management plane is the one with administrative control over the whole environment, which makes it the highest-value target. Access to it should be restricted with role-based access control so that each principal gets only the permissions its job requires, protected with multi-factor authentication, and logged and monitored. The root or account-owner account has unrestricted access and should be reserved for break-glass use rather than day-to-day administration, which is done through named administrative roles.
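The monitoring described above, as an added example that is not part of the original notes: a small detector that runs management-plane audit events through an RBAC policy and flags root usage, privileged actions by non-admin roles, console logins without MFA, and admin activity from outside the expected network. The event fields, role names, action names, trusted network, and the sample events are all constructed for this example; real audit logs (CloudTrail, Azure Activity Log, GCP Cloud Audit Logs) carry the same information under their own field names.

```python
"""Detecting management-plane access that violates the RBAC policy (stand-alone demonstration)."""
import ipaddress
from collections import namedtuple

# Hypothetical RBAC policy: roles allowed to take privileged management-plane
# actions, the actions that count as privileged, and where admins work from.
ADMIN_ROLES = {"CloudAdmin", "SecurityAdmin"}
PRIVILEGED_ACTIONS = {
    "CreateUser", "AttachRolePolicy", "PutRolePolicy", "PutBucketPolicy",
    "AuthorizeSecurityGroupIngress", "DeleteTrail", "StopLogging",
}
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # corporate egress range

Finding = namedtuple("Finding", "severity rule principal action time")

# Constructed sample audit events (documentation IP ranges, fictitious users).
EVENTS = [
    {"time": "2024-05-01T09:12:03Z", "principal": "root", "role": None,
     "action": "ConsoleLogin", "mfa": False, "source_ip": "203.0.113.7"},
    {"time": "2024-05-01T09:30:41Z", "principal": "alice", "role": "CloudAdmin",
     "action": "AttachRolePolicy", "mfa": True, "source_ip": "198.51.100.12"},
    {"time": "2024-05-01T10:02:15Z", "principal": "bob", "role": "Developer",
     "action": "AttachRolePolicy", "mfa": True, "source_ip": "198.51.100.14"},
    {"time": "2024-05-01T10:05:58Z", "principal": "carol", "role": "Developer",
     "action": "DescribeInstances", "mfa": True, "source_ip": "198.51.100.20"},
    {"time": "2024-05-01T11:47:09Z", "principal": "alice", "role": "CloudAdmin",
     "action": "ConsoleLogin", "mfa": False, "source_ip": "198.51.100.12"},
    {"time": "2024-05-01T23:14:32Z", "principal": "alice", "role": "CloudAdmin",
     "action": "DeleteTrail", "mfa": True, "source_ip": "203.0.113.50"},
]

def evaluate(event):
    """Apply the detection rules to one event and return the findings it raises."""
    hits = []
    ip = ipaddress.ip_address(event["source_ip"])
    from_trusted = any(ip in net for net in TRUSTED_NETWORKS)
    is_admin = event["role"] in ADMIN_ROLES

    # 1. Root is break-glass only; any use of it deserves immediate attention.
    if event["principal"] == "root":
        hits.append(("HIGH", "root-account-use"))
    # 2. RBAC violation: a privileged action taken by a role that should not hold it.
    if event["action"] in PRIVILEGED_ACTIONS and not is_admin:
        hits.append(("HIGH", "privileged-action-by-non-admin"))
    # 3. Console access to the management plane without a second factor.
    if event["action"] == "ConsoleLogin" and not event["mfa"]:
        hits.append(("MEDIUM", "login-without-mfa"))
    # 4. Admin activity from outside the expected network: possible stolen credentials.
    if is_admin and not from_trusted:
        hits.append(("MEDIUM", "admin-from-untrusted-network"))

    return [Finding(sev, rule, event["principal"], event["action"], event["time"])
            for sev, rule in hits]

def audit(events):
    """Run every event through the rules; findings come back in event order."""
    return [f for e in events for f in evaluate(e)]

def by_rule(findings):
    """Count findings per rule, the shape a dashboard or alert threshold would use."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts
```

Run against the sample events, `audit(EVENTS)` raises five findings: the root console login trips both the root-use and no-MFA rules, the developer attaching a role policy is the RBAC violation, the admin's console login without MFA is flagged, and the admin deleting the audit trail from an untrusted address is flagged even though the action itself is within that role's rights. Rule 2 is where the RBAC policy becomes checkable: if a role outside `ADMIN_ROLES` can successfully perform a privileged action, either the policy in the cloud account is looser than the documented one or the log shows an access-denied event, and both are worth knowing.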