Shared Responsibilities for Security in the Cloud

Posted on December 9th, 2014
March 18th, 2015

This post follows up on the ThousandEyes articles on the Cloud Security Alliance's "Shared Responsibilities for Security in the Cloud", Part 1 and Part 2. We encourage you to read those posts first for an overview of ThousandEyes' security responsibility model, which is based on the Cloud Security Alliance Trusted Cloud Initiative reference architecture.

As a cloud service provider we share responsibility for security with our customers. To make that split explicit, we define the responsibilities of our customers with respect to information protection, so that data stays secure through its full lifecycle. We call this a Security Level Agreement.

Security Level Agreement

Identity Management

For the customer instance of the SaaS Platform, ThousandEyes creates an organization admin account for the employee listed as a technical contact on the contract. It is the responsibility of the customer to:

  1. Configure appropriate password policies
  2. Create other users and accounts with appropriate roles
  3. Periodically review access to the service to make sure that only authorized workers have access, and that each has the proper access level

Many of these responsibilities become simpler if the customer implements Web SSO with SAML-based authentication, since account creation, deactivation and password policy are then enforced by the customer's identity provider. If customers use Enterprise Agents, they are required to change the password of the local web application admin account as part of the setup process.
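The third responsibility above, the periodic access review, is easy to state and easy to skip. The following is an added example, not ThousandEyes code and not based on any ThousandEyes API: it takes a constructed list of accounts (as an admin might export it) together with the customer's own list of who is authorized at which role, and flags accounts that are not authorized, hold a different role than approved, or have been idle long enough that they should be disabled. The field names, roles and 90-day threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    """One account as exported from the service (hypothetical shape)."""
    email: str
    role: str                       # e.g. "Organization Admin" or "Regular User"
    last_login: Optional[datetime]  # None means the account has never logged in

# Constructed sample export; these are not real accounts.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice@example.com", "Organization Admin", datetime(2015, 3, 17)),
    Account("bob@example.com",   "Regular User",       datetime(2014, 11, 1)),
    Account("carol@example.com", "Organization Admin", datetime(2015, 3, 10)),
    Account("dave@example.com",  "Regular User",       datetime(2015, 3, 16)),
    Account("erin@example.com",  "Regular User",       None),
]

# The customer's own source of truth: who should have access, and at what role.
# Constructed for the example.
AUTHORIZED: Dict[str, str] = {
    "alice@example.com": "Organization Admin",
    "bob@example.com":   "Regular User",
    "carol@example.com": "Regular User",      # carol was approved as a regular user only
    "erin@example.com":  "Regular User",
}

# Review date fixed so the example is deterministic.
REVIEW_DATE = datetime(2015, 3, 18)

def review_access(accounts: List[Account],
                  authorized: Dict[str, str],
                  now: datetime,
                  max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """Return (email, finding) pairs for every account needing action.

    Findings:
      not_authorized  - account exists but nobody approved it
      role_mismatch   - account holds a different role than approved
      stale           - never logged in, or idle longer than max_idle_days
    """
    findings: List[Tuple[str, str]] = []
    idle_limit = timedelta(days=max_idle_days)
    for acct in accounts:
        expected_role = authorized.get(acct.email)
        if expected_role is None:
            # Unapproved accounts are the first thing to remove; skip other checks.
            findings.append((acct.email, "not_authorized"))
            continue
        if acct.role != expected_role:
            findings.append((acct.email, f"role_mismatch:{acct.role}->{expected_role}"))
        if acct.last_login is None or now - acct.last_login > idle_limit:
            findings.append((acct.email, "stale"))
    return findings

def missing_accounts(accounts: List[Account], authorized: Dict[str, str]) -> List[str]:
    """People approved for access who have no account (informational, not a risk)."""
    present = {a.email for a in accounts}
    return sorted(email for email in authorized if email not in present)

if __name__ == "__main__":
    for email, finding in review_access(SAMPLE_ACCOUNTS, AUTHORIZED, REVIEW_DATE):
        print(f"{email}: {finding}")
    for email in missing_accounts(SAMPLE_ACCOUNTS, AUTHORIZED):
        print(f"{email}: approved but no account")
```

The review is only as good as the authorized list it compares against, which is why that list should come from the customer's HR or identity system rather than from the service itself; with SAML SSO in place the identity provider becomes that source of truth and the unauthorized and stale cases largely disappear, leaving role assignments as the remaining thing to review.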

Infrastructure Protection Services

Customers must ensure the security of their end-points (end-user computers) and connectivity.

If Enterprise Agents are in use, it is the customer's responsibility to protect the underlying physical infrastructure. If the Enterprise Agent is delivered as a Linux application, the customer must also secure the underlying Linux server (patching, host hardening and access control for that host are on the customer's side of the line).

Policies and Standards

In relation to the ThousandEyes SaaS Application, the most important steps for customers in the "Policies and Standards" domain are to:

  1. Classify data stored and processed by ThousandEyes.
  2. Establish a worker awareness and training program.

Doing Your Part

Implement the required controls described above, and contact a ThousandEyes account manager for more information. Ask your other cloud service providers the same question: what do you, as the customer, need to do to keep your data secure?

Security is everyone’s responsibility!
