The Inner Circle

This is hopefully an easy question.  I was in a friendly debate recently on the meaning behind the value of 'CSP-Owned' in regards to some controls.

The specific example is around Infrastructure & Virtualization Security (IVS); the case given is that we should have controls that are auditable around host hardening (IVS-04) despite the value of "CSP-Owned" since Guest OS hardening is certainly our responsibility with IaaS.

The two sides are:

1. CSP-Owned means that we have no responsibility to implement or be audited on the controls efficacy and the Cloud Service Provider is responsible
2. CSP-Owned is just 'typical' ownership of the control... we still have responsibilities where it makes sense (e.g. Guest OS hardening)

My personal understanding is #2, that we have some responsibilities. 

Has anyone come across this debate before?  If so, is there something from CSA that helps detangle it?

------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank
------------------------------

Hi, I've wondered the same thing as well, however, I'm normally selected CSP-owned in regards to controls like this even though their is a shared responsibly by both parties. However, I'm interested to hear what other think about this and would appreciate if CSA can clarify the true ownership meaning to help us complete the CAIQ.

This is hopefully an easy question.  I was in a friendly debate recently on the meaning behind the value of 'CSP-Owned' in regards to some controls.

The specific example is around Infrastructure & Virtualization Security (IVS); the case given is that we should have controls that are auditable around host hardening (IVS-04) despite the value of "CSP-Owned" since Guest OS hardening is certainly our responsibility with IaaS.

The two sides are:

1. CSP-Owned means that we have no responsibility to implement or be audited on the controls efficacy and the Cloud Service Provider is responsible
2. CSP-Owned is just 'typical' ownership of the control... we still have responsibilities where it makes sense (e.g. Guest OS hardening)

My personal understanding is #2, that we have some responsibilities. 

Has anyone come across this debate before?  If so, is there something from CSA that helps detangle it?

------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank
------------------------------

This is hopefully an easy question.  I was in a friendly debate recently on the meaning behind the value of 'CSP-Owned' in regards to some controls.

The specific example is around Infrastructure & Virtualization Security (IVS); the case given is that we should have controls that are auditable around host hardening (IVS-04) despite the value of "CSP-Owned" since Guest OS hardening is certainly our responsibility with IaaS.

The two sides are:

1. CSP-Owned means that we have no responsibility to implement or be audited on the controls efficacy and the Cloud Service Provider is responsible
2. CSP-Owned is just 'typical' ownership of the control... we still have responsibilities where it makes sense (e.g. Guest OS hardening)

My personal understanding is #2, that we have some responsibilities. 

Has anyone come across this debate before?  If so, is there something from CSA that helps detangle it?

------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank
------------------------------

This is hopefully an easy question.  I was in a friendly debate recently on the meaning behind the value of 'CSP-Owned' in regards to some controls.

The specific example is around Infrastructure & Virtualization Security (IVS); the case given is that we should have controls that are auditable around host hardening (IVS-04) despite the value of "CSP-Owned" since Guest OS hardening is certainly our responsibility with IaaS.

The two sides are:

1. CSP-Owned means that we have no responsibility to implement or be audited on the controls efficacy and the Cloud Service Provider is responsible
2. CSP-Owned is just 'typical' ownership of the control... we still have responsibilities where it makes sense (e.g. Guest OS hardening)

My personal understanding is #2, that we have some responsibilities. 

Has anyone come across this debate before?  If so, is there something from CSA that helps detangle it?

------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank
------------------------------

Your CSP should have provided you with a Shared Security Responsibility Model regarding the service at hand. In this model, you should be able to identify the areas of your direct responsibility and the areas managed directly by the provider. 

For example, in the control you are mentioning, considering an IaaS service, you should find that the hardening of the Hypervisor is a CSP responsibility, while the hardening of the guest OS must be managed directly by the customer, as the CSP only provides you with an infrastructure. 

This is hopefully an easy question.  I was in a friendly debate recently on the meaning behind the value of 'CSP-Owned' in regards to some controls.

The specific example is around Infrastructure & Virtualization Security (IVS); the case given is that we should have controls that are auditable around host hardening (IVS-04) despite the value of "CSP-Owned" since Guest OS hardening is certainly our responsibility with IaaS.

The two sides are:

1. CSP-Owned means that we have no responsibility to implement or be audited on the controls efficacy and the Cloud Service Provider is responsible
2. CSP-Owned is just 'typical' ownership of the control... we still have responsibilities where it makes sense (e.g. Guest OS hardening)

My personal understanding is #2, that we have some responsibilities. 

Has anyone come across this debate before?  If so, is there something from CSA that helps detangle it?

------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank
------------------------------

To sum up all the points, it seems as though using the Shared Responsibility Model from the CSP to gain an understanding of that division is the best way to go.  It would be good if some of the "CSP-Owned" items were marked with an asterisk or had an explanation that these were dictated by the Shared Responsibility Model.  I'll have to see where I can submit feedback on the CSA CCM for the next version to maybe add some commentary to that effect.

In my friendly debate, the other parties were under the impression that since it was marked "CSP-Owned" the onus for controls implementation laid upon the CSP.  Which was incorrect and eventually able to be made clear.  

The summary around managing the Guest OS security made perfect sense and was the logical 'argument' I utilized to make it clear that the control ownership was 'Shared'. :)

Thanks for the clarity and affirmation on the approach!

------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank

Original Message:
Sent: Sep 07, 2023 07:10:35 AM
From: Francesco Calabretta
Subject: CSA CCM - 'Typical Control Applicability and Ownership'

Your CSP should have provided you with a Shared Security Responsibility Model regarding the service at hand. In this model, you should be able to identify the areas of your direct responsibility and the areas managed directly by the provider. 

For example, in the control you are mentioning, considering an IaaS service, you should find that the hardening of the Hypervisor is a CSP responsibility, while the hardening of the guest OS must be managed directly by the customer, as the CSP only provides you with an infrastructure. 

------------------------------
Francesco Calabretta
Consultant
BIP Cybersec

Original Message:
Sent: Aug 09, 2023 01:21:37 PM
From: JW Merrow
Subject: CSA CCM - 'Typical Control Applicability and Ownership'

This is hopefully an easy question.  I was in a friendly debate recently on the meaning behind the value of 'CSP-Owned' in regards to some controls.

The specific example is around Infrastructure & Virtualization Security (IVS); the case given is that we should have controls that are auditable around host hardening (IVS-04) despite the value of "CSP-Owned" since Guest OS hardening is certainly our responsibility with IaaS.

The two sides are:

1. CSP-Owned means that we have no responsibility to implement or be audited on the controls efficacy and the Cloud Service Provider is responsible
2. CSP-Owned is just 'typical' ownership of the control... we still have responsibilities where it makes sense (e.g. Guest OS hardening)

My personal understanding is #2, that we have some responsibilities. 

Has anyone come across this debate before?  If so, is there something from CSA that helps detangle it?

------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank
------------------------------