===2.2 Security in the cloud===

[[File:Virtual data room.png|right|500px]]For any organization, managing security is a challenging but necessary part of operations. It includes deciding on and implementing physical controls such as locks, alarms, and security staff, as well as IT controls such as passwords, role-based access control, and firewalls. Much of this security is governed by standards, regulations, and common business practices. While those standards, regulations, and practices also play a pivotal role in how cloud services should be rendered and managed, it would be foolish to forget the human element of cloud security. Employees, contractors, and other users who misconfigure cloud resources, fail to implement a robust cloud security architecture, fail to practice proper identity and access management, fall for phishing and other account-takeover attacks, poorly design [[application programming interface]]s (APIs), or maliciously access and sabotage resources all pose risk to the security of cloud-based systems.<ref name="CSATop20">{{cite web |url=https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven/ |format=PDF |title=Top Threats to Cloud Computing: The Egregious 11 |author=Cloud Security Alliance |date=06 August 2019 |accessdate=21 August 2021}}</ref>

While these and other concerns about CSP security are valid, attention is shifting towards how the decisions of an organization's senior management shape the human element within the organization that uses and manages cloud services.<ref name="CSATop20" /> Fortunately, the traditional management-driven approaches to on-premises computing projects—getting management buy-in; developing goals, scope, and responsibility documentation; identifying computing requirements and objectives; identifying risk; documenting and training on processes and procedures; monitoring performance; and employing corrective action<ref name="DouglasComp20">{{cite web |url=https://www.limswiki.org/index.php/LII:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan |title=Comprehensive Guide to Developing and Implementing a Cybersecurity Plan, Second Edition |author=Douglas, S. |work=LIMSwiki |date=March 2023 |accessdate=21 August 2021}}</ref>—still largely apply to cloud implementation and migration projects.<ref name="KearnsPlanning17">{{cite web |url=https://www.mitre.org/news-insights/publication/planning-management-methods-migration-cloud-environment |title=Planning & Management Methods for Migration to a Cloud Environment |author=Kearns, D.K. |publisher=The MITRE Corporation |date=December 2017 |accessdate=21 August 2021}}</ref><ref name="SheppardManaging15">{{cite web |url=https://www.itworldcanada.com/blog/managing-a-cloud-computing-project/374832 |title=Managing a cloud computing project |author=Sheppard, D. |work=IT World Canada |date=28 May 2015 |accessdate=21 August 2021}}</ref>

Cloud security should therefore be viewed holistically, as a combination of standards, technologies, policies, and people that together determine the end result. This sentiment is reflected in Kaspersky Lab's definition of cloud security as "the whole bundle of technology, protocols, and best practices that protect cloud computing environments, applications running in the cloud, and data held in the cloud."<ref name="KasperskyWhatIs">{{cite web |url=https://usa.kaspersky.com/resource-center/definitions/what-is-cloud-security |title=What is Cloud Security? |work=Resource Center |publisher=AO Kaspersky Lab |date=2021 |accessdate=21 August 2021}}</ref> As suggested above, addressing cloud security requires more than a narrow, local-network-based cybersecurity approach. Maurer and Hinck noted in 2020 that "cloud security risks are different from other types of cybersecurity risks because cloud security is networked, concentrated, and shared."<ref name="MaurerCloud20">{{cite web |url=https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 |title=Cloud Security: A Primer for Policymakers |author=Maurer, T.; Hinck, G. |publisher=Carnegie Endowment for International Peace |date=31 August 2020 |accessdate=21 August 2021}}</ref> The networking is often spread across multiple locations and services; those services are concentrated in a few major CSPs, so a security disruption at one of them affects many customers at once; and security for those services is shared across at least two parties, requiring a clear delineation of who is responsible for what.<ref name="MaurerCloud20" /> With the growing popularity of hybrid and multicloud, these networking challenges add further complexity, which demands more attention to security from the customer as well as the CSP. Adopting security strategies such as the "zero trust" model, which treats every attempted connection as untrustworthy until it is verified, increasingly makes sense in these complex cloud environments. Requiring every user and device to verify first "helps security teams protect the enterprise against both sanctioned cloud deployments and shadow IT as well as cloud providers whose own embedded security isn’t as robust as the organization requires."<ref name="PrattBuilding20">{{cite web |url=https://www.csoonline.com/article/569951/building-stronger-multicloud-security-3-key-elements.html |title=Building stronger multicloud security: 3 key elements |author=Pratt, M.K. |work=CSO |date=14 December 2020 |accessdate=21 August 2021}}</ref>

Additionally, in its work on the challenges of conducting digital forensics in the cloud, NIST highlights data replication, location transparency, and multi-tenancy as "somewhat unique" challenges of cloud computing, and by extension of digital forensics in the cloud. Though digital forensics isn't the primary topic of this guide, it's worth mentioning because cloud computing forensic science includes determining the chain of custody, data integrity, and confidentiality status of cloud computing data,<ref name="HermanNISTCloud20">{{cite web |url=https://csrc.nist.gov/pubs/ir/8006/final |title=NISTIR 8006 NIST Cloud Computing Forensic Science Challenges |author=Herman, M.; Iorga, M.; Salim, A.M. et al. |publisher=NIST |date=August 2020 |accessdate=21 August 2021}}</ref> all critical considerations when using, storing, and transferring regulated, protected data in the cloud, especially for laboratories.

This all leads to the question of responsibility: who is ultimately responsible for the security of any given cloud service? At first glance, a customer might look at a CSP and say "their service, their responsibility." It is more complicated than that, which brings us to the shared responsibility model.

====2.2.1 The shared responsibility model====

In December 2019, [[software as a service]] (SaaS) cannabis software firm THSuite was found to have inadvertently left an Amazon Web Services (AWS) S3 bucket unsecured and unencrypted, exposing the personal details of tens of thousands of medical and recreational cannabis users associated with three dispensary clients in the U.S. Because protected health information (PHI) was included in the exposed data, the failure raised serious privacy concerns and legal repercussions.<ref name="MuncasterData20">{{cite web |url=https://www.infosecurity-magazine.com/news/data-30000-cannabis-users-exposed/ |title=Data on 30,000 Cannabis Users Exposed in Cloud Leak |author=Muncaster, P. |work=Infosecurity |date=23 January 2020 |accessdate=21 August 2021}}</ref><ref name="TrendmicroUnsec20">{{cite web |url=https://www.trendmicro.com/vinfo/dk/security/news/virtualization-and-cloud/unsecured-aws-s3-bucket-found-leaking-data-of-over-30k-cannabis-dispensary-customers |title=Unsecured AWS S3 Bucket Found Leaking Data of Over 30K Cannabis Dispensary Customers |publisher=Trend Micro, Inc |date=27 January 2020 |accessdate=21 August 2021}}</ref> This incident illustrates the shared responsibility model (occasionally referred to as the "shared security model"), which delineates the security responsibilities of the customer and the CSP: AWS secures the storage infrastructure, but who may read a bucket and whether its contents are encrypted are settings the customer controls.

With its August 2010 update to the ''Amazon Web Services: Overview of Security Processes'' documentation, AWS added the concept of a "shared responsibility environment." To be sure, the concept of "shared responsibility" appeared before AWS began including it in its cloud security processes, as evidenced by 2004 New York State cybersecurity guidance<ref name="NYSCyber04">{{cite web |url=https://www.gc.cuny.edu/CUNY_GC/media/CUNY-Graduate-Center/PDF/Policies/IT/Cyber-Security-Dos-and-Don%E2%80%99ts.pdf?ext=.pdf |archiveurl=https://web.archive.org/web/20220123175134/https://gc.cuny.edu/CUNY_GC/media/CUNY-Graduate-Center/PDF/Policies/IT/Cyber-Security-Dos-and-Don%E2%80%99ts.pdf?ext=.pdf |format=PDF |title=Cyber Security Dos and Don'ts |publisher=New York State Office of Information Technology and Services |date=12 December 2004 |archivedate=23 January 2022 |accessdate=21 August 2021}}</ref> and a 2004 Northwestern University IT protocol for data sharing.<ref name="NUProtocol04">{{cite web |url=https://www.it.northwestern.edu/docs/ExchangeSharedResponsibilityData.pdf |format=PDF |title=Protocol for Exchange and Shared Responsibility for Institutional Data |publisher=Northwestern University |date=15 August 2004 |accessdate=21 August 2021}}</ref> Among cloud providers, however, Amazon arguably brought the concept fully into the world of cloud computing. In that 2010 documentation, AWS described its shared responsibility environment as follows<ref name="AWSAmazonWeb10">{{cite web |url=http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf |archiveurl=https://web.archive.org/web/20100823123605/http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf |format=PDF |title=Amazon Web Services: Overview of Security Processes |author=Amazon Web Services |publisher=Amazon Web Services |date=August 2010 |archivedate=23 August 2010 |accessdate=21 August 2021}}</ref>:

<blockquote>An example of this shared responsibility would be that a customer utilizing Amazon EC2 should expect AWS to operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In this case the customer should assume responsibility and management of, but not limited to, the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services and their integration. It is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of items such as host based firewalls, host based intrusion detection/prevention, encryption and key management.</blockquote>

This statement has since evolved into a full shared responsibility model that AWS includes as an integral component of its security-related agreements with customers, and that other public cloud service providers have adopted (see the next subsection for examples). Continuing with AWS as the example, its shared responsibility model distinguishes "security ''of'' the cloud" from "security ''in'' the cloud."<ref name="AWSSharedRespon21">{{cite web |url=https://aws.amazon.com/compliance/shared-responsibility-model/?ref=wellarchitected |title=Shared Responsibility Model |author=Amazon Web Services |publisher=Amazon Web Services |date=2021 |accessdate=21 August 2021}}</ref> Security of the cloud means AWS is responsible for the "hardware, software, networking, and facilities that run AWS Cloud services." Security in the cloud is the customer's responsibility and depends on the services selected; it includes client-side data encryption and data integrity authentication, firewall configuration, and platform and application identity and access management. Operating the IT environment is thus shared in a clearly delineated way. Likewise, the management, operation, and verification of IT controls are shared: physical and environmental controls are AWS's responsibility, customer-specific security controls are the customer's, and some controls are shared between AWS and the customer.<ref name="AWSSharedRespon21" /> The practical consequence is that a CSP's certifications attest only to its side of that line; a bucket left readable by anyone or an over-permissive role is the customer's misconfiguration, and no provider audit will catch it.
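
The THSuite exposure above and the customer-side duties AWS enumerates (firewall configuration, encryption, access management) are both about settings the provider does not manage for you. The following Python is an added example, not code from this guide or from AWS, showing what checking those settings on an S3 bucket looks like. It flags the failure modes named in that incident: a bucket policy granting anonymous read, Block Public Access left off, and no default server-side encryption. The three inputs follow the shape of the boto3 responses to the real S3 calls `get_bucket_policy` (the policy JSON), `get_public_access_block`, and `get_bucket_encryption`, but every value below, including the bucket name and account ID, is constructed for illustration and is not taken from any real account.

```python
"""Audit an S3 bucket's customer-side controls for public read access,
Block Public Access gaps, and missing default encryption.

Added example; not code from the guide or from AWS. The inputs mirror the
shape of boto3's get_bucket_policy / get_public_access_block /
get_bucket_encryption responses. All sample data is constructed.
"""
import json

# Actions that let a caller read object data or enumerate keys (lowercased).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for the anonymous principal, written as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy):
    """Return the Allow statements that grant the anonymous principal a read
    action. A Condition block is reported, not trusted: it might narrow the
    grant, so the reviewer must look at it."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": sorted(actions),
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_access_block_gaps(pab):
    """Return the Block Public Access flags that are not set. BlockPublicPolicy
    rejects a public policy at PutBucketPolicy time; RestrictPublicBuckets
    neutralises one that already exists."""
    config = pab.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
    return [f for f in flags if not config.get(f, False)]


def default_encryption(enc):
    """Return the SSE algorithm applied to new objects, or None if none is set.
    (In boto3 an unset configuration surfaces as an error; here it is an
    empty dict.)"""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm"):
            return sse["SSEAlgorithm"]
    return None


def audit_bucket(policy, pab, enc):
    """Combine the three checks into a list of findings (empty means clean)."""
    findings = []
    for s in public_read_statements(policy):
        note = " (has Condition; review it)" if s["conditioned"] else ""
        findings.append(f"public read via statement {s['sid']}: "
                        f"{', '.join(s['actions'])}{note}")
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append("Block Public Access not enforced: " + ", ".join(gaps))
    if default_encryption(enc) is None:
        findings.append("no default server-side encryption configured")
    return findings


# Constructed sample: the misconfigured bucket (anonymous read, no BPA, no SSE).
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")
EXPOSED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
EXPOSED_ENC = {}

# Constructed sample: the same bucket after remediation (placeholder account ID).
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
FIXED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
FIXED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_POLICY, EXPOSED_PAB, EXPOSED_ENC)),
                        ("fixed", (FIXED_POLICY, FIXED_PAB, FIXED_ENC))):
        print(label, audit_bucket(*args) or ["no findings"])
```

Against the constructed "exposed" bucket the audit returns three findings (the public statement, all four Block Public Access flags off, and no default encryption); against the remediated one it returns none. In a real account the same functions would be fed the responses of the three boto3 calls named in the lead-in, and `public_access_block_gaps` is the check to run first, because enabling those four flags is what prevents a public policy from taking effect regardless of what a developer later writes into it.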

The concept of shared responsibility between a provider and a customer has woven its way into the fabric of most cloud-based services, from SaaS to multicloud. A trusted CSP will make this responsibility clear at every step, from early contract discussions to late-stage changes to customer services. However, pressure also remains solidly on the organization seeking cloud services—including the organization’s legal counsel—when making decisions about contracting for cloud computing services. This includes understanding the consent, security, reporting, and enforcement requirements of any laws and regulations in the organization’s own governing jurisdiction (e.g., state, country, political and economic union), as well as in any other jurisdictions where related data may inevitably be transferred, stored, and managed.<ref name="EusticeUnder18">{{cite web |url=https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing |title=Understand the intersection between data privacy laws and cloud computing |author=Eustice, J.C. |work=Legal Technology, Products, and Services |publisher=Thomson Reuters |date=2018 |accessdate=21 August 2021}}</ref> By extension, the organization will need to verify that the provider is able to comply with those laws and regulations and provides mechanisms to help the organization comply with them. This is typically done by examining the CSP's documented compliance certifications, attestations, alignments, and frameworks (see the next subsection for examples). These include System and Organization Controls (SOC) 1, 2, and 3 reports (which provide independent third-party assurance about the effectiveness of a CSP's security controls)<ref name="MealusTheSOC18">{{cite web |url=https://medium.com/@paulmealus/the-soc-2-report-explained-for-normal-people-50b4626d6c96 |title=The SOC 2 Report Explained for Normal People |author=Mealus, P. |work=Medium |date=19 December 2018 |accessdate=21 August 2021}}</ref>, Federal Risk and Authorization Management Program (FedRAMP) authorization<ref name="ETSIAbout">{{cite web |url=https://www.etsi.org/about |title=About ETSI |publisher=European Telecommunications Standards Institute |accessdate=21 August 2021}}</ref>, Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct compliance<ref name="AWSCISPE">{{cite web |url=https://aws.amazon.com/compliance/cispe/ |title=CISPE |publisher=Amazon Web Services |accessdate=21 August 2021}}</ref>, and more.

The next subsections examine public cloud, hybrid cloud, multicloud, SaaS, and other cloud services in relation to cloud security, providing examples of major CSPs in those arenas.

====2.2.2 Public cloud====

"The public cloud services market has more than doubled since 2016," found International Data Corporation (IDC) in 2020, noting that "the worldwide public cloud services market, including [[infrastructure as a service]] (IaaS), [[platform as a service]] (PaaS), and software as a service (SaaS), grew 26.0% year over year in 2019, with revenues totaling $233.4 billion."<ref name="IDCWorldwide20">{{cite web |url=https://www.idc.com/getdoc.jsp?containerId=prUS46780320 |archiveurl=https://web.archive.org/web/20220131120937/https://www.idc.com/getdoc.jsp?containerId=prUS46780320 |title=Worldwide Public Cloud Services Market Totaled $233.4 Billion in 2019 with the Top 5 Providers Capturing More Than One Third of the Total, According to IDC |author=International Data Corporation |publisher=International Data Corporation |date=18 August 2020 |archivedate=31 January 2022 |accessdate=21 August 2021}}</ref> In November 2020, Gartner predicted that global public cloud spending would increase more than 18 percent in 2021, with PaaS growth leading the way as remote workers needed more powerful, scalable infrastructure to complete their work.<ref name="GartnerForecast20">{{cite web |url=https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percent-in-2021 |title=Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 18% in 2021 |publisher=Gartner, Inc |date=17 November 2020 |accessdate=21 August 2021}}</ref> Gartner added that "survey data indicates that almost 70% of organizations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by [[COVID-19]]."<ref name="GartnerForecast20" />

These statistics highlight the continued transition to, and investment in, the public cloud, and recent surveys of IT professionals find a matching rise in confidence in the public cloud.<ref name="PRNNewRes21">{{cite web |url=https://www.prnewswire.com/news-releases/new-research-reveals-it-professionals-growing-confidence-in-public-cloud-despite-security-concerns-301208046.html |title=New research reveals IT professionals' growing confidence in public cloud despite security concerns |author=Barracuda Networks, Inc |work=PR Newswire |publisher=Cision |date=14 January 2021 |accessdate=21 August 2021}}</ref> But as reliance on the public cloud grows, organizations inevitably discover new security and networking challenges, including keeping services seamlessly available and scalable and network costs affordable while holding down complexity,<ref name="PRNNewRes21" /> and complexity is what makes security harder.<ref name="BocettaProblem19">{{cite web |url=https://www.networkcomputing.com/network-security/problem-complex-networks-getting-harder-secure |title=Problem: Complex Networks Getting Harder to Secure |author=Bocetta, S. |work=Network Computing |date=09 July 2019 |accessdate=21 August 2021}}</ref>

As of April 2021, the bulk of public cloud market share is held by 10 companies: Alibaba, Amazon, DigitalOcean, Google, IBM, Linode, Microsoft, Oracle, OVH, and Tencent. From a security perspective, at a minimum four questions should be asked of each of these companies:

* What are their compliance offerings?
* Where is their SOC 2 audit report?
* What is their shared responsibility model?
* What is their architecture framework based upon?

In this context, compliance offerings are the documented compliance certifications, attestations, alignments, and frameworks a public CSP presents as part of its effort to maintain security and compliance for its cloud services. Each of the ten public CSPs has a landing page introducing customers to those compliance offerings (Table 5), though some vendors' pages are more clearly organized than others. Each offering then links to another page, document, or certificate explaining compliance. In particular, the SOC 2 audit report should be reviewed, though most providers require you to be a customer or inquire with their sales department to obtain it. A SOC 2 report covers nearly 200 aspects of a CSP's security, as audited by an independent third party, and provides the closest look one can get at a CSP's ability to support regulatory compliance (more on this in Chapter 4).<ref name="HemmerTrust19">{{cite web |url=https://linfordco.com/blog/trust-services-critieria-principles-soc-2/ |title=Trust Services Criteria (formerly Principles) for SOC 2 in 2019 |author=Hemer, N. |work=Linford & Company IT Audit & Compliance Blog |publisher=Linford and Co. LLP |date=18 December 2019 |accessdate=21 August 2021}}</ref><ref name="TillerIsThe19">{{cite web |url=https://storage.pardot.com/468401/1614781936jHqdU6H6/Whitepaper_Is_the_cloud_a_safe_place_for_your_data.pdf |archiveurl=https://web.archive.org/web/20210308231558/https://storage.pardot.com/468401/1614781936jHqdU6H6/Whitepaper_Is_the_cloud_a_safe_place_for_your_data.pdf |format=PDF |title=Is the Cloud a Safe Place for Your Data?: How Life Science Organizations Can Ensure Integrity and Security in a SaaS Environment |author=Tiller, D. |publisher=IDBS |date=2019 |archivedate=08 March 2021 |accessdate=21 August 2021}}</ref> As previously discussed, a shared responsibility (or shared security) model is the common approach to clarifying who is responsible for which portions of security, and each CSP has stated somewhere what its model is. (In the case of Tencent, it is unfortunately buried in a 2019 white paper.) Public CSPs also provide some sort of "architecture framework," though this varies from provider to provider. For example, AWS, Google Cloud, and Microsoft Azure each provide a framework that helps customers deploy in the cloud stably and efficiently, based on both best practices and the organization's own requirements. Linode, Oracle, and Tencent don't appear to offer this type of framework but still describe their overall cloud architecture in broad terms. See Table 5 for links to these four security research aspects for each public CSP.

{|
| STYLE="vertical-align:top;"|
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="60%"
|-
| style="background-color:white; padding-left:10px; padding-right:10px;" colspan="5"|'''Table 5.''' Public cloud providers and their compliance offerings, SOC 2 report, shared responsibility model, and architecture framework
|-
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Company and offering
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Compliance offerings
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|SOC 2 report
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Shared responsibility model
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Architecture framework
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|Alibaba Cloud
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/trust-center/resources Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/trust-center/compliance-repository Link] (Must be a customer or contact sales to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/solutions/security Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/architecture/index Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|Amazon Web Services
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/programs/ Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/soc-faqs/ Link] (Must be a customer or contact sales to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/shared-responsibility-model/ Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/blogs/apn/the-5-pillars-of-the-aws-well-architected-framework/ Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|DigitalOcean
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust/certification-reports Link] (Must email the company to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust/faq Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.digitalocean.com/products/platform/availability-matrix/ Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|Google Cloud
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/security/compliance/offerings Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/security/compliance/compliance-reports-manager Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/anthos/docs/concepts/gke-shared-responsibility Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/architecture/framework Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|IBM Cloud
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/compliance Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/compliance Link] (Must be a customer or contact sales to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.ibm.com/docs/overview?topic=overview-shared-responsibilities Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/architecture Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|Linode
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/legal-security/ Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be a customer or contact sales to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/legal-security/ Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/global-infrastructure/ Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|Microsoft Azure
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/compliance/regulatory/offering-home Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_SOC_/_SSAE_16_Reports Link] (Must be a customer or contact sales to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/azure/architecture/framework/ Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|Oracle Cloud Infrastructure
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.oracle.com/cloud/cloud-infrastructure-compliance/ Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be a customer or contact sales to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security_overview.htm#Shared_Security_Model Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.oracle.com/cloud/architecture-and-regions/ Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|OVHcloud
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/overview/certification Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/overview/certification/soc Link] (Must be a customer or contact sales or legal to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/legal/service-specific-terms Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/about/company/data-centers Link]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|Tencent Cloud
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://intl.cloud.tencent.com/services/compliance Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be a customer or contact sales to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://main.qcloudimg.com/raw/ea77661307adc3825990e159d851d406.pdf Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://intl.cloud.tencent.com/global-infrastructure Link]
|-
|}
|}

Chapter 1 noted that for public cloud services, organizations tied to strong regulatory or security standards ... must thoroughly vet the cloud vendor and its approach to security and compliance, as the provider may not be able to meet regulatory needs. For example, a public CSP may allow you to enter into a HIPAA business associate agreement (BAA) with it, as required by the U.S. Department of Health & Human Services,<ref name="HHSGuidance20">{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html |title=Guidance on HIPAA & Cloud Computing |author=Office for Civil Rights |work=Health Information Privacy |publisher=U.S. Department of Health & Human Services |date=24 November 2020 |accessdate=21 August 2021}}</ref> but that alone does not mean you are operating in a HIPAA-compliant fashion. If your organization handles PHI protected by HIPAA, it remains responsible for having internal compliance programs and documented processes that support HIPAA, while also using the CSP's services in ways that align with HIPAA.<ref name="MSHealthHIPAA21">{{cite web |url=https://docs.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech |title=Health Insurance Portability and Accountability (HIPAA) & HITECH Acts |work=Microsoft Documentation |publisher=Microsoft |date=17 February 2021 |accessdate=21 August 2021}}</ref><ref name="DashNav20">{{cite web |url=https://www.dashsdk.com/hipaa-compliant-cloud/ |title=Navigating HIPAA Compliant Cloud Solutions |publisher=Dash |date=2020 |accessdate=21 August 2021}}</ref> That includes confirming that the specific services your organization will use are in scope for HIPAA and other such regulations; not every service a CSP offers is in scope for a given regulation. The BAA should make clear which services are covered for handling PHI and other sensitive or critical information. Your organization will also still need to implement the technical security controls those regulations require.<ref name="DashNav20" /> Remember, you are working under the shared responsibility model.
| |
====2.2.3 Hybrid cloud and multicloud====

The ''Flexera 2020 State of the Cloud Report'' and its associated survey found that 87 percent of respondents had already taken a hybrid cloud stance for their organization and 93 percent of respondents had already implemented a multicloud strategy within their organization.<ref name="WeinsCloud20">{{cite web |url=https://www.flexera.com/blog/industry-trends/trend-of-cloud-computing-2020/ |title=Cloud Computing Trends: 2020 State of the Cloud Report |author=Weins, K. |work=Flexera Blog |date=21 May 2020 |accessdate=21 August 2021}}</ref> A 2020 report by IDC predicted that 90 percent of enterprises around the world will be relying on some combination of hybrid or multicloud with existing legacy platforms by 2022, though they may not necessarily have a sufficient investment in in-house skills to navigate the complexities of rolling out those strategies.<ref name="IDCExpects2021_20">{{cite web |url=https://www.idc.com/getdoc.jsp?containerId=prMETA46165020 |title=IDC Expects 2021 to Be the Year of Multi-Cloud as Global COVID-19 Pandemic Reaffirms Critical Need for Business Agility |author=International Data Corporation |publisher=International Data Corporation |date=31 March 2020 |accessdate=21 August 2021}}</ref> These complexities were discussed in Chapter 1: hybrid cloud exposes a greater attack surface, complicates security protocols, and raises integration costs,<ref name="CFWhatIsHybrid">{{cite web |url=https://www.cloudflare.com/learning/cloud/what-is-hybrid-cloud/ |title=What Is Hybrid Cloud? Hybrid Cloud Definition |publisher=Cloudflare, Inc |accessdate=04 March 2021}}</ref><ref name="HurwitzWhat21">{{cite web |url=https://www.dummies.com/programming/cloud-computing/hybrid-cloud/what-is-hybrid-cloud-computing/ |title=What is Hybrid Cloud Computing? |work=Dummies.com |author=Hurwitz, J.S.; Kaufman, M.; Halper, F. et al. |publisher=John Wiley & Sons, Inc |date=2021 |accessdate=21 August 2021}}</ref> while multicloud brings with it differences in technologies between vendors, latency complexities between the services, additional points of attack with each new integration, and load balancing issues between the services.<ref name="CFWhatIsMulti">{{cite web |url=https://www.cloudflare.com/learning/cloud/what-is-multicloud/ |title=What Is Multicloud? Multicloud Definition |publisher=Cloudflare, Inc |accessdate=21 August 2021}}</ref> Broadly speaking, these complexities and security challenges arise from the fact that more systems must be integrated, each with its own controls and interfaces.

As of April 2021, four providers of hybrid and multicloud technology and services stand out: Cisco, Dell, HPE, and VMware. These providers do not operate public clouds themselves; rather, they take a service-based approach, supplying hardware, software, and managed services to help customers adopt a hybrid or multicloud approach for their business. From a security perspective, at a minimum three questions should be asked of such providers:

* How do they manage your data, and your security, in a trustworthy way?
* How are their cloud technologies and services developed and audited for security?
* Which public CSPs do they publicly state their technologies and services support or integrate with?

In this context of trust, these providers should maintain a "trust center" that helps consumers and enterprises find answers to security questions about their cloud technologies and services. A trust center was found for three of the four providers; HPE's could not be located. Whether through internal secure development processes or external auditing, the security of the technology and services these providers offer remains vital, and they should be able to demonstrate it by explaining their development and auditing processes. Additionally, hybrid and multicloud providers should make clear which public CSPs their hybrid and multicloud services support or integrate with; not all public clouds are fully supported by every provider. Table 6 links to these three aspects (trust center, development and auditing practices, and supported public clouds) for each of the four providers.

{|
| STYLE="vertical-align:top;"|
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="60%"
|-
| style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 6.''' Providers of hybrid and multicloud technology and services, their trust center, their development and auditing practices, and supported public clouds
|-
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Company and offering
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Trust center
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Development and auditing practices
! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Public clouds supported (U.S.)
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-director/index.html Cisco CloudCenter and UCS Director]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/en/us/about/trust-center.html Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|According to a [https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/cloudcenter-suite/cc-suite-saas-trust-center.pdf 2019 document], Cisco is "evaluating SOC 2 as a potential roadmap item" for CloudCenter.
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/cloudcenter-suite/at-a-glance-c45-741883.pdf Alibaba, Amazon, Google, IBM, Microsoft]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.delltechnologies.com/en-us/cloud/dell-technologies-cloud.htm Dell Technologies Cloud]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://corporate.delltechnologies.com/en-us/about-us/security-and-trust-center/index.htm#tab0=1 Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.dell.com/en-us/shop/secure-development/cp/secure-development Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.delltechnologies.com/en-us/data-protection/powerprotect-dd-series/cloud-tier.htm Alibaba, Amazon, Google, IBM, Microsoft]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hpe.com/us/en/greenlake.html HPE GreenLake]
| style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown
| style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hpe.com/us/en/solutions/cloud.html Amazon, Google, Microsoft]
|-
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/ VMware Cloud]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/trust-center Link]
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/trust-center/compliance/soc Link] (Must be a customer or contact sales to access)
| style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.vmware.com/cloud-solutions/hybrid-cloud.html Amazon, Google, IBM, Microsoft, Oracle]
|-
|}
|}

Managing your share of security in a hybrid cloud presents several challenges, most of which involve managing and controlling multiple distributed systems. Giving administrators visibility into this network of components, at every level, is critical. This is typically accomplished with a centralized management tool or platform based on open standards, providing automated management and control features that limit human error. Automation is also useful for scanning for and remediating problems detected with security controls, which in turn yields documented changes and more reproducible processes. Disk and network encryption tools may also need to be employed more robustly to protect data at rest and data in motion between private and public clouds. And, of course, segmentation of services based on data sensitivity may be necessary.<ref name="KasperskyWhatIs" /><ref name="KernerFour18">{{cite web |url=https://techbeacon.com/security/4-hybrid-cloud-security-challenges-how-overcome-them |title=4 hybrid-cloud security challenges and how to overcome them |author=Kerner, L. |work=TechBeacon |date=2018 |accessdate=21 August 2021}}</ref>

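As an added illustration of the automation described above, the following Python script is not from any of the cited sources or any vendor tool. It runs three control checks (encryption at rest, encrypted transport on links between the private and public sides, and segmentation of restricted data away from internet-facing services) over a small constructed inventory, then applies the remediation it proposes and emits a change record so that the run is reproducible and auditable. The inventory schema, resource names, and rule names are assumptions made for the example.

```python
"""Added example: automated control checks and remediation over a hybrid-cloud inventory.

Everything below (schema, names, rules) is an assumption made for illustration;
it is not any vendor's inventory format or API.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory: resources in a private data centre and in a public cloud.
INVENTORY = [
    {"id": "vol-lab-01", "kind": "volume", "env": "private", "segment": "lab-core",
     "sensitivity": "restricted", "encrypted_at_rest": True, "internet_facing": False},
    {"id": "vol-pub-07", "kind": "volume", "env": "public", "segment": "analytics",
     "sensitivity": "restricted", "encrypted_at_rest": False, "internet_facing": False},
    {"id": "web-portal", "kind": "vm", "env": "public", "segment": "analytics",
     "sensitivity": "public", "encrypted_at_rest": True, "internet_facing": True},
    {"id": "lims-db", "kind": "vm", "env": "private", "segment": "lab-core",
     "sensitivity": "restricted", "encrypted_at_rest": True, "internet_facing": False},
]

# Constructed links carrying data between the two environments.
LINKS = [
    {"id": "dc-to-cloud-1", "src_env": "private", "dst_env": "public", "transport": "ipsec"},
    {"id": "dc-to-cloud-2", "src_env": "private", "dst_env": "public", "transport": "plain"},
]

ACCEPTED_TRANSPORTS = {"tls", "ipsec"}


@dataclass
class Finding:
    target: str                  # resource or link id
    rule: str
    detail: str
    change: Dict[str, object]    # field -> value that closes the finding


def check_encryption_at_rest(inventory: List[dict]) -> List[Finding]:
    """Data at rest: every resource must be encrypted, whichever side it lives on."""
    return [Finding(r["id"], "at-rest-encryption",
                    f"{r['id']} ({r['env']}) holds {r['sensitivity']} data unencrypted",
                    {"encrypted_at_rest": True})
            for r in inventory if not r["encrypted_at_rest"]]


def check_transport_encryption(links: List[dict]) -> List[Finding]:
    """Data in motion: a link that crosses environments must use an encrypted transport."""
    return [Finding(l["id"], "in-transit-encryption",
                    f"{l['id']} carries {l['src_env']}->{l['dst_env']} traffic over {l['transport']}",
                    {"transport": "tls"})
            for l in links
            if l["src_env"] != l["dst_env"] and l["transport"] not in ACCEPTED_TRANSPORTS]


def check_segmentation(inventory: List[dict]) -> List[Finding]:
    """Segmentation: restricted data may not share a segment with an internet-facing service."""
    exposed = {(r["env"], r["segment"]) for r in inventory if r["internet_facing"]}
    return [Finding(r["id"], "segmentation",
                    f"{r['id']} (restricted) shares segment {r['segment']} with an internet-facing service",
                    {"segment": r["segment"] + "-restricted"})
            for r in inventory
            if r["sensitivity"] == "restricted" and not r["internet_facing"]
            and (r["env"], r["segment"]) in exposed]


def run_checks(inventory: List[dict], links: List[dict]) -> List[Finding]:
    return (check_encryption_at_rest(inventory)
            + check_transport_encryption(links)
            + check_segmentation(inventory))


def apply_remediation(inventory, links, findings):
    """Apply each finding's change to copies of the inputs and return them with a change record."""
    new_inv, new_links = deepcopy(inventory), deepcopy(links)
    by_id = {item["id"]: item for item in new_inv + new_links}
    record = []
    for f in findings:
        target = by_id[f.target]
        for field, value in f.change.items():
            record.append({"target": f.target, "rule": f.rule, "field": field,
                           "before": target[field], "after": value})
            target[field] = value
    return new_inv, new_links, record


if __name__ == "__main__":
    findings = run_checks(INVENTORY, LINKS)
    for f in findings:
        print(f"[{f.rule}] {f.detail}")
    inv2, links2, record = apply_remediation(INVENTORY, LINKS, findings)
    print(f"{len(record)} change(s) recorded; findings after remediation: {len(run_checks(inv2, links2))}")
```

Running the script reports three findings (an unencrypted volume, a plaintext cross-environment link, and a restricted volume sharing a segment with the public portal), applies the proposed changes to copies of the inventory without mutating the originals, and confirms that a second pass is clean. In practice the change record is what gets attached to the change ticket; the checks themselves would read from the real inventory sources rather than the constructed lists.
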
Multicloud has its issues as well. "The challenge that multicloud presents to security teams continues to grow," said Protiviti cloud consultant Rand Armknecht in December 2020. "The number of services that are being released, the new ways of interacting, the interconnecting of services and systems, all of that continues to advance and all of these add new complexities into the enterprise security model."<ref name="PrattBuilding20" /> Given the differences in tools and security approaches between cloud providers, stitching together services cohesively requires strong skills, knowledge, and attentiveness. It also requires a security strategy that is well-defined and unified in its approach to data management, minimization, anonymization, and encryption when considering multiple CSPs. Middleware placed between the enterprise and the CSP—in some cases referred to as a cloud access security broker (CASB)—that can "consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection" adds an additional layer of semi-automated security for multicloud.<ref name="PrattBuilding20" />

====2.2.4 Container security and other concerns====

Before moving on to SaaS solutions, let's take a moment to recognize a few additional security considerations particular to using cloud services and developing in the cloud. They may not all apply to your organization, but they are worth recognizing, if only because they highlight how deeply security must be woven into the thinking of CSPs and their clients.

First, let's look at container security. In Chapter 1, a container was referred to as "a complete runtime environment," but little else was said. In cloud computing, a container, as defined by IBM, is "an executable unit of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud."<ref name="IBMContainers19">{{cite web |url=https://www.ibm.com/cloud/learn/containers |title=Containers |author=IBM Cloud Education |publisher=IBM |date=12 August 2019 |accessdate=21 August 2021}}</ref> Containers are beneficial in cloud computing because they are a lightweight, portable way of replicating an isolated application across different environments, largely independent of the underlying host and hardware. This makes deployment into a cloud environment, or into multiple clouds, a much more approachable task.<ref name="GoogleContainers">{{cite web |url=https://cloud.google.com/containers |title=Containers at Google |publisher=Google Cloud |accessdate=21 August 2021}}</ref>

But with convenience also comes responsibility for securing the container, and the necessary precautions are not always taken. According to GitLab's 2020 Global DevSecOps Survey, "56% of developers simply don’t run container scans, and a majority of DevOps teams don’t have a security plan in place for containers or many other cutting edge software technologies, including cloud native/serverless, APIs, and microservices."<ref name="GLABegin">{{cite web |url=https://about.gitlab.com/topics/application-security/beginners-guide-to-container-security/ |title=A beginner’s guide to container security |work=GitLab |accessdate=21 August 2021}}</ref> As such, more implementation teams should be revising their security plans to address the specifics of container security, including container orchestration, image validation, role-based access management, security testing, and runtime security monitoring. NIST's SP 800-190 ''Application Container Security Guide'', while slightly dated, remains a useful reference on the topic.<ref name="GLABegin" /><ref name="NIST800-190_17">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-190/final |title=SP 800-190 ''Application Container Security Guide'' |author=Souppaya, M.; Morello, J.; Scarfone, K. |publisher=NIST |date=September 2017 |accessdate=21 August 2021}}</ref>

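As an added example of the image validation mentioned above (not code from GitLab, NIST, or any project), this Python script scans a constructed Dockerfile for configuration defects that a pre-build gate would reject: an unpinned or untrusted base image, no non-root USER, a literal secret in ENV or ARG, remote content pulled in with ADD, and a download piped straight into a shell. A hardened version of the same Dockerfile passes cleanly. The registry allowlist, the two Dockerfiles, and the rule names are assumptions made for the example.

```python
"""Added example: static image-validation checks over a Dockerfile.

The Dockerfiles, the registry allowlist and the rule names are constructed for
illustration; this is not any scanner's rule set or output format.
"""
import re
from typing import List, Set, Tuple

# Constructed "before" Dockerfile with several defects a build gate should catch.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN curl -fsSL https://example.invalid/install.sh | sh && \\
    pip install -r requirements.txt
EXPOSE 8080
CMD ["python", "app.py"]
"""

# Constructed "after" Dockerfile: digest-pinned image from our registry, non-root user, no secrets.
HARDENED_DOCKERFILE = """\
FROM registry.example.invalid/python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
USER 10001
CMD ["python", "app.py"]
"""

ALLOWED_REGISTRIES = ("registry.example.invalid/",)   # assumption: the organisation's own registry
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")

Instruction = Tuple[int, str, str]    # (line number, INSTRUCTION, arguments)
Finding = Tuple[int, str, str]        # (line number, rule, message); line 0 = whole file


def parse_dockerfile(text: str) -> List[Instruction]:
    """Join backslash continuations, drop comments and blank lines, upper-case the instruction."""
    out, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        buf = []
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def check_base_image(inst: List[Instruction]) -> List[Finding]:
    """Untrusted or mutable base images: require our registry and a digest (tags can be re-pointed)."""
    findings, stages = [], set()  # type: List[Finding], Set[str]
    for no, op, args in inst:
        if op != "FROM":
            continue
        image = args.split()[0]
        alias = re.search(r"\s+AS\s+(\S+)$", args, re.I)
        if alias:
            stages.add(alias.group(1))
        if image in stages or image.lower() == "scratch":
            continue  # a previous build stage or the empty image needs no registry check
        if not image.startswith(ALLOWED_REGISTRIES):
            findings.append((no, "untrusted-base", f"base image {image} is not from an allowed registry"))
        tail = image.split("/")[-1]
        if "@sha256:" not in image and (":" not in tail or image.endswith(":latest")):
            findings.append((no, "unpinned-base", f"base image {image} is not pinned to a digest or fixed tag"))
    return findings


def check_runs_as_root(inst: List[Instruction]) -> List[Finding]:
    """The last USER in effect decides what the entrypoint runs as; default is root."""
    users = [args.strip() for _, op, args in inst if op == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        return [(0, "runs-as-root", "no non-root USER is in effect for CMD/ENTRYPOINT")]
    return []


def check_embedded_secrets(inst: List[Instruction]) -> List[Finding]:
    """Secret-looking names with literal values are baked into image layers and history."""
    out = []
    for no, op, args in inst:
        if op in ("ENV", "ARG"):
            for name, value in re.findall(r"(\w+)(?:=|\s+)(\S+)", args):
                if SECRET_NAME.search(name) and value:
                    out.append((no, "embedded-secret", f"{op} {name} carries a literal value in the image"))
    return out


def check_remote_fetches(inst: List[Instruction]) -> List[Finding]:
    """Content fetched at build time without integrity checks is a supply-chain hole."""
    out = []
    for no, op, args in inst:
        if op == "ADD" and re.match(r"https?://", args, re.I):
            out.append((no, "remote-add", "ADD fetches remote content at build time without verification"))
        if op == "RUN" and PIPE_TO_SHELL.search(args):
            out.append((no, "pipe-to-shell", "RUN pipes a downloaded script straight into a shell"))
    return out


def scan_dockerfile(text: str) -> List[Finding]:
    inst = parse_dockerfile(text)
    return sorted(check_base_image(inst) + check_runs_as_root(inst)
                  + check_embedded_secrets(inst) + check_remote_fetches(inst))


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        results = scan_dockerfile(text)
        print(f"{label}: {len(results)} finding(s)")
        for no, rule, msg in results:
            print(f"  line {no or '-'}: [{rule}] {msg}")
```

Checks like these are static and cheap, so they belong in the same pipeline stage as the vulnerability scan of the built image rather than replacing it; a digest-pinned, non-root image can still carry a vulnerable library, which is what the image scanner is for.
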
Some concerns also exist within the virtualization layer that underpins cloud computing. In a public cloud, containers typically run on virtual machines, and those virtual machines depend on a component called a virtual machine monitor (VMM) or [[hypervisor]], which acts as the "management layer between the physical hardware and the virtual machines running above" it, allocating system resources to the virtual machines and, by extension, to the containers they host.<ref name="BarrowcloughSecuring18">{{cite journal |title=Securing Cloud Hypervisors: A Survey of the Threats, Vulnerabilities, and Countermeasures |journal=Security and Communication Networks |author=Barrowclough, J.P.; Asif, R. |volume=2018 |at=1681908 |year=2018 |doi=10.1155/2018/1681908}}</ref> Because a hypervisor is shared by many virtual machines, a compromised hypervisor (whether through malware or through an attacker gaining root privileges on it) puts every virtual machine running on it at risk, and by extension any data on those virtual machines.<ref name="BarrowcloughSecuring18" /> Limiting the risks to a hypervisor and its virtual machines means ensuring that encryption is in place to protect copied images and other files, that migrated virtual machines are protected at every point along the migration route, and that proper encryption and key management mechanisms support effective access control.<ref name="BarrowcloughSecuring18" /> While hypervisor security is largely the responsibility of the public CSP (Microsoft, for example, describes a multi-layer approach to securing the hypervisors in its Azure fleet<ref name="SharmaHypervisor20">{{cite web |url=https://docs.microsoft.com/en-us/azure/security/fundamentals/hypervisor |title=Hypervisor security on the Azure fleet |author=Sharma, Y.; Lyon, R.; Lanfear, T. |work=Microsoft Documentation |publisher=Microsoft |date=10 November 2020 |accessdate=21 August 2021}}</ref>), those running private clouds must give hypervisor security similarly strong attention.

Other areas of security concern lie in the overall networking of a cloud. There, attention to the various layers of firewalls, network traffic controls, transport-level encryption mechanisms, and encapsulation protocols is also recommended.<ref name="BoydAchieving18">{{cite web |url=https://www.sdxcentral.com/cloud/definitions/achieving-network-security-in-cloud-computing/ |title=Achieving Network Security in Cloud Computing |author=Boyd, N. |work=Cloud HQ |publisher=SDxCentral, LLC |date=20 July 2018 |accessdate=21 August 2021}}</ref>

====2.2.5 Software as a service====

Finally, we address security when using SaaS. Though not exactly the laboratory space, let's start with the financial sector. Like laboratories, banks are regulated not only to protect their own assets but also the assets of their customers, including customer data. Given the concerns about cloud security early in its history, it took some time for the financial sector to warm to moving some of its functions into the cloud.<ref name="MoodysBest18">{{cite web |url=https://www.moodysanalytics.com/articles/2018/best-practices-for-saas-security |title=Best Practices for SaaS Security |work=Moody's Analytics |publisher=Moody's Analytics, Inc |date=April 2018 |accessdate=21 August 2021}}</ref> However, since approximately 2016, banks and financial services firms have been shifting to the cloud in droves.<ref name="DeloitteCloud19">{{cite web |url=https://www2.deloitte.com/global/en/pages/financial-services/articles/bank-2030-financial-services-cloud.html |title=Cloud banking: More than just a CIO conversation |publisher=Deloitte |date=2019 |accessdate=21 August 2021}}</ref> Writing for the World Economic Forum in December 2020, Max Chuard, the CEO of Temenos, noted<ref name="ChuardCloud20">{{cite web |url=https://www.weforum.org/agenda/2020/12/cloud-and-saas-technology-can-drive-inclusive-banking/ |title=Cloud and SaaS technology can drive inclusive banking. Here are 3 reasons how |author=Chuard, M. |work=World Economic Forum |date=10 December 2020 |accessdate=21 August 2021}}</ref>:

<blockquote>Cloud and SaaS present an alternative way of running a bank’s IT infrastructure. Core banking and/or the digital front office operates on a public or private cloud rather than on physical infrastructure in the bank’s premises. Banks pay a subscription to access the solutions.

Both cloud and SaaS carry lower infrastructure costs, they allow products to be created, delivered and changed faster, and they offer immense resilience, scalability, and security. Cloud-based SaaS platforms are also continuously updated, meaning banks benefit from the latest innovations.</blockquote>

However, the improved security of cloud and SaaS does not preclude challenges. For financial services firms, striking a balance between client-side encryption to protect financial data and that encryption's tendency to constrain overall performance and functionality is a real challenge.<ref name="DeloitteGetting19">{{cite web |url=https://www2.deloitte.com/content/dam/Deloitte/ch/Documents/financial-services/deloitte-ch-fs-Cloud-for-Swiss-Banks-report-digital.pdf |format=PDF |title=Getting cloud right: How can banks stay ahead of the curve? |publisher=Deloitte |date=2019 |accessdate=21 August 2021}}</ref> The same challenge exists for other regulated (and less regulated) organizations turning to SaaS cloud solutions.

When moving critical systems to a SaaS-based approach, the shared responsibility paradigm says that both the CSP and the customer must manage SaaS security. Are access and audit rights in the SaaS implementation as strong as they should be? How is data managed and processed in relation to location requirements? How are risks mitigated if the vendor goes out of business or changes its operational focus? What contingency plans are in place should the organization need to migrate to a new vendor or bring applications back in-house? What assessments and audits have been made of the CSP's security?<ref name="MoodysBest18" /> (These and other questions are addressed further in Chapter 5.)

In 2018, Moody's Analytics pointed out "seven pillars of SaaS security wisdom." Although written from the perspective of banks and financing, they apply equally to any regulated organization moving to SaaS cloud solutions, including laboratories. Those SaaS security pillars are<ref name="MoodysBest18" />:

:1. ''Access management'': Carefully control user access uniformly across the SaaS platform, using strong, vetted business rules (addressing user roles, data requirements, allowed systems, allowed workflows, etc.) that have been documented, disseminated, and learned.
:2. ''Network control'': Decide what network mechanisms to employ in order to meet security goals, including jump servers, network access control lists, etc., if more granular access control is required.
:3. ''Perimeter network control'': Decide whether a simple firewall or set of firewalls is sufficient. Additional perimeter protections include intrusion detection and prevention systems.
:4. ''Virtual machine management'': Recognize that, while costly, keeping virtual machines up to date is vital. Whether this is your responsibility or the CSP's, staying on top of patches and updates better ensures protection from the latest threats.
:5. ''Data protection'': Determine whether the data encryption is sufficient for your regulatory needs to protect personally identifiable information. Best practices and standards should guide the effort to protect both data in transit and data at rest.
:6. ''Data governance and incident management'': Decide how data governance policies dictate your use of SaaS services. Data governance determines who has the authority to manage and control data assets and how authorized individuals are able to use those data assets.<ref name="OlavsrudWhatIs21">{{cite web |url=https://www.cio.com/article/3521011/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html |title=What is data governance? A best practices framework for managing data assets |author=Olavsrud, T. |work=CIO |date=18 March 2021 |accessdate=21 August 2021}}</ref> Not only does this guide the first pillar, access management, but it also clarifies responsibilities for data management and security. This includes stating who is responsible for incident management and how the organization will go about monitoring, tracking, reporting, and learning from security incidents.
:7. ''Scalability and reliability'': Determine how scalable the underlying cloud infrastructure will be to run your SaaS applications. Is it horizontal or vertical scaling? Are proxy servers geographically distributed for a more robust service? And what assurances are in place should disaster strike (i.e., a recovery plan)?

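As an added example of how pillars 1 and 6 might be expressed as enforceable logic rather than prose, the following Python module (not Moody's material or any vendor's product) encodes access rules as explicit grants per role over (data class, action, workflow), denies anything not granted, refuses data classes with no owner on record or not approved for the target system, writes every decision to an audit log, and flags role combinations that would let one person both enter and approve the same data. The roles, data classes, systems, and workflow names are assumptions made for the example.

```python
"""Added example: deny-by-default access rules plus data-governance checks for a SaaS platform.

Roles, data classes, systems and workflows are assumptions made for illustration;
this is not any vendor's authorisation model.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str, str]   # (data_class, action, workflow)

# Constructed policy: the only things a role may do. Anything absent is denied.
POLICY: Dict[str, Set[Grant]] = {
    "lab-analyst": {("sample-result", "write", "entry"),
                    ("sample-result", "read", "review")},
    "qa-reviewer": {("sample-result", "read", "review"),
                    ("sample-result", "approve", "review")},
    "billing":     {("invoice", "read", "billing"),
                    ("invoice", "write", "billing")},
}

# Constructed data-governance register: who owns each data class and where it may be processed.
DATA_OWNERS = {"sample-result": "lab-director", "invoice": "finance-lead"}
ALLOWED_SYSTEMS: Dict[str, Set[str]] = {"sample-result": {"lims-saas"}, "invoice": {"erp-saas"}}

AUDIT_LOG: List[dict] = []


@dataclass(frozen=True)
class Request:
    user: str
    roles: Tuple[str, ...]
    data_class: str
    action: str
    workflow: str
    system: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Deny by default: governance checks first, then an explicit grant from one of the roles."""
    if req.data_class not in DATA_OWNERS:
        decision = Decision(False, f"no data owner on record for {req.data_class}")
    elif req.system not in ALLOWED_SYSTEMS.get(req.data_class, set()):
        decision = Decision(False, f"{req.data_class} may not be processed on {req.system}")
    else:
        needed: Grant = (req.data_class, req.action, req.workflow)
        granting = [role for role in req.roles if needed in POLICY.get(role, set())]
        decision = (Decision(True, f"granted by role {granting[0]}") if granting
                    else Decision(False, "no assigned role grants this action in this workflow"))
    # Every decision, allowed or not, is recorded for incident review and access audits.
    AUDIT_LOG.append({"user": req.user, "system": req.system, "data_class": req.data_class,
                      "action": req.action, "workflow": req.workflow,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def segregation_conflicts(roles: Tuple[str, ...]) -> List[str]:
    """Data classes this role combination could both write and approve (a pairing to refuse)."""
    grants: Set[Grant] = set().union(*(POLICY.get(role, set()) for role in roles))
    writers = {dc for dc, action, _ in grants if action == "write"}
    approvers = {dc for dc, action, _ in grants if action == "approve"}
    return sorted(writers & approvers)


def effective_permissions() -> Dict[str, List[str]]:
    """Flatten the policy into readable lines per role for periodic access reviews."""
    return {role: sorted(f"{action} {dc} during {wf}" for dc, action, wf in grants)
            for role, grants in POLICY.items()}


if __name__ == "__main__":
    for req in (Request("alice", ("lab-analyst",), "sample-result", "read", "review", "lims-saas"),
                Request("alice", ("lab-analyst",), "sample-result", "approve", "review", "lims-saas"),
                Request("alice", ("lab-analyst",), "sample-result", "read", "review", "erp-saas"),
                Request("bob", ("billing",), "patient-record", "read", "billing", "erp-saas")):
        d = evaluate(req)
        print(f"{req.user} {req.action} {req.data_class} on {req.system}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("toxic role pairing:", segregation_conflicts(("lab-analyst", "qa-reviewer")))
    for role, lines in effective_permissions().items():
        print(role, "->", "; ".join(lines))
```

The point of the shape is that the policy table, the ownership register, and the system allowlist are the documented artifacts the pillar calls for, and the same tables drive both enforcement and the periodic review output, so what reviewers read is what the platform actually enforces.
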
Like public, hybrid, and multicloud providers, SaaS vendors should make their security posture clear. Most major vendors, such as SAP<ref name="SAPTrustCenter">{{cite web |url=https://www.sap.com/about/trust-center/certification-compliance.html |title=SAP Trust Center |publisher=SAP America, Inc |accessdate=21 August 2021}}</ref>, Adobe<ref name="AdobeTrustCenter">{{cite web |url=https://www.adobe.com/trust.html |title=Adobe Trust Center |publisher=Adobe, Inc |accessdate=21 August 2021}}</ref>, and Atlassian<ref name="AtlassianTrustCenter">{{cite web |url=https://www.atlassian.com/trust |title=Atlassian Trust Center |publisher=Atlassian, Inc |accessdate=21 August 2021}}</ref>, maintain a trust center where customers can gauge how the vendor's SaaS products are managed with respect to security and compliance. Some SaaS vendors, however, host and manage their solutions in a public cloud. Those vendors should publish, at a minimum, one or more web pages explaining where their solution is hosted, what security controls that public cloud provider supplies, and what additional security controls, if any, the vendor applies on top. Of course, access management and the other customer-side security controls remain very much the responsibility of the customer.