The shared responsibility model reflects the fact that security and compliance obligations are shared between the cloud service provider (such as Microsoft) and the customer. The degree of responsibility, however, varies with the cloud service model in use: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

The shared responsibility model is split into two tiers:

  1. Security “of” the cloud: This is the responsibility of the cloud provider. It pertains to the foundational services that constitute the cloud environment, such as physical hosts, networks and data centers.
  2. Security “in” the cloud: This is the responsibility of the customer. It pertains to customer data and the security controls for applications and data deployed in the cloud.

IaaS, PaaS and SaaS in the Shared Responsibility Model

Infrastructure as a Service (IaaS)

In this model, the cloud service provider, such as Microsoft Azure, handles a significant portion of the security “of” the cloud, including physical security, server hardware, and virtualization. The customer, on the other hand, is responsible for the security “in” the cloud, covering areas such as data, endpoints, accounts, and access management.

Platform as a Service (PaaS)

With PaaS, the cloud service provider takes on more responsibility than with IaaS. The provider’s responsibilities now also include middleware, runtime, and OS patching. In contrast, the customer’s responsibilities are reduced, though data security, access management, and applications remain under their purview.

Software as a Service (SaaS)

For SaaS, the cloud service provider assumes the most responsibility. They manage all aspects of the environment’s security “of” the cloud, including applications. The customer’s responsibilities are limited to data and access management.

Here’s a comparative summary of the shared responsibilities across the three cloud models:

Component            IaaS       PaaS       SaaS
Data                 Customer   Customer   Customer
Endpoint             Customer   Customer   Customer
Accounts/Access      Customer   Customer   Customer
Application          Customer   Customer   Provider
Network Control      Customer   Provider   Provider
Network Foundation   Provider   Provider   Provider
Physical Hosts       Provider   Provider   Provider
Data Center          Provider   Provider   Provider

Implications of the Shared Responsibility Model

The shared responsibility model impacts one’s approach to security, compliance, and identity management. While cloud providers manage certain elements of security, compliance, and identity in providing their services, as a customer, you are not absolved from all duties pertaining to these areas.

Implementing and managing security strategies, maintaining compliance with relevant regulations, and managing users’ identities and access are shared tasks.

In summary, the shared responsibility model is a critical aspect of using cloud services effectively and securely. Understanding it is central to the content covered in the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam, both for answering exam questions and for practical work within a cloud environment.

Practice Test

True or False: In the shared responsibility model, only the cloud provider is responsible for ensuring the security and compliance of the cloud infrastructure.

  • True
  • False

Answer: False

Explanation: In the shared responsibility model, both the cloud service provider and the customer share responsibilities for security and compliance. The cloud service provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud.

What does Microsoft’s shared responsibility model for Office 365 entail?

  • A) Microsoft is responsible for all aspects of security.
  • B) The customer is entirely responsible for security.
  • C) Both Microsoft and the customer share responsibilities for security.
  • D) The customer is responsible for the platform, while Microsoft manages security.

Answer: C) Both Microsoft and the customer share responsibilities for security.

Explanation: Microsoft is responsible for securing the Office 365 infrastructure and ensuring services are available to users. Customers are responsible for their data, identity, and device management.

True or False: In the Shared Responsibility Model, customers are primarily responsible for data classification and accountability.

  • True
  • False

Answer: True

Explanation: Customers hold the responsibility for data classification, accountability, and ensuring the security of their user accounts, data, and devices.

Which of the following responsibilities is NOT part of the customer’s identity and directory infrastructure in the shared responsibility model?

  • A) Password policies
  • B) Identity federation
  • C) Encryption at rest
  • D) User and administrator account management

Answer: C) Encryption at rest

Explanation: Encryption at rest falls under the responsibility of the cloud service provider, not the customer.

Microsoft’s shared responsibility model for Azure Infrastructure as a Service (IaaS) assigns responsibility for network controls to:

  • A) Microsoft only.
  • B) The customer only.
  • C) Both Microsoft and the customer.

Answer: C) Both Microsoft and the customer.

Explanation: In the case of Azure IaaS, network control responsibilities are shared between the cloud provider and the customer. Microsoft is responsible for the foundational network security while the customer must secure the network configuration.

True or False: The shared responsibility model reduces the customer’s responsibility for security and compliance.

  • True
  • False

Answer: False

Explanation: The shared responsibility model does not reduce the customer’s responsibility for security and compliance; it divides the responsibility between the customer and the cloud service provider.

In Microsoft’s shared responsibility model, who is primarily responsible for securing endpoints, account and access management, and data classification and accountability?

  • A) Microsoft
  • B) The customer
  • C) Both the customer and Microsoft
  • D) Neither

Answer: B) The customer

Explanation: While Microsoft provides tools and software to aid in these areas, it is ultimately the customer’s responsibility to manage these aspects.

The shared responsibility model is applicable for which of the following cloud service models?

  • A) Infrastructure as a Service (IaaS)
  • B) Platform as a Service (PaaS)
  • C) Software as a Service (SaaS)
  • D) All of the above

Answer: D) All of the above

Explanation: The shared responsibility model applies to all cloud service models including IaaS, PaaS, and SaaS.

True or False: In the Shared Responsibility Model, the cloud service provider is responsible for maintaining the customer’s data security.

  • True
  • False

Answer: False

Explanation: The cloud service provider is responsible for the security of the cloud infrastructure, but responsibility for the security of the data within the cloud rests with the customer.

Who is primarily responsible for the File and Network Share Permissions under the shared responsibility model?

  • A) The customer only.
  • B) Microsoft only.
  • C) Both Microsoft and the customer.
  • D) Neither Microsoft nor the customer.

Answer: A) The customer only.

Explanation: File and Network Share Permissions are a part of client-side data security, which is under the customer’s responsibility in the shared responsibility model.

Interview Questions

What is an Azure Network Security Group (NSG)?

An Azure Network Security Group (NSG) is a feature that secures an Azure virtual network and its resources by allowing or denying network traffic based on specified rules.

Where can you assign an NSG?

An NSG can be assigned at the subnet level or to the network interfaces associated with VMs.

What are the two types of rules in Azure NSGs?

The two types of rules in Azure NSGs are inbound rules and outbound rules.

What is an Inbound rule in Azure NSGs?

An inbound rule in Azure NSGs controls the inbound network traffic going to resources in the Azure Virtual Network.

What is an Outbound rule in Azure NSGs?

An outbound rule in Azure NSGs controls the outbound network traffic leaving the resources in the Azure Virtual Network.

Can each NSG have multiple access control rules?

Yes, each NSG can contain multiple access control rules that allow or deny traffic to and from resources.

What is the maximum number of NSG rules allowed per network security group?

A Network Security Group can contain as many as 1000 rules, but Microsoft recommends no more than 400 for performance reasons.

Are NSG rules stateful or stateless?

NSG rules are stateful: once a connection is allowed in one direction, its response traffic is allowed automatically, without needing a matching rule in the opposite direction.

How are multiple NSGs applied to traffic?

When multiple NSGs apply to traffic, the rules are evaluated in priority order. A lower number means a higher priority.

What happens if no NSG rules apply to the network traffic?

If no rules apply to the network traffic, it will be denied by default.

Can you control network traffic to resources in a virtual network using an NSG?

Yes, you can control network traffic to resources in a virtual network using an NSG.

Do NSGs log network traffic?

NSGs themselves do not log network traffic, but they can be configured to send log information to Azure Monitor Logs for analysis and auditing.

What is the last rule in the outbound rules?

The last rule in outbound rules is the default rule, which denies all outbound traffic if it doesn’t match any other outbound rules.

Can NSGs be associated with VMs and subnets concurrently?

Yes, NSGs can be associated with VMs and subnets concurrently. The rules of the NSGs associated at both the levels are applied to the traffic.

What is the use of service tags in NSG?

Service tags simplify security for Azure resources and reduce the number of rules you create. A service tag represents a group of IP address prefixes from a given Azure service.
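The NSG behaviour described in the answers above, priority order with the first matching rule winning, the default rules that end in a deny-all, subnet-level and NIC-level NSGs both applying to the same traffic, and service tags as groups of address prefixes, as a small Python model. This is an added example written for this page, not Azure's evaluation engine or any Microsoft code: the service-tag prefixes, NSGs, addresses and rule names below are constructed for the example (only 168.63.129.16, the Azure platform address behind the AzureLoadBalancer tag, is a real value), and "Internet" is simplified to "anything outside the VirtualNetwork tag".

```python
"""Simplified model of how Azure NSG rules are evaluated (added example, not
Azure's own code). Models priority order with first match winning, Azure's
default rules ending in deny-all, subnet and NIC NSGs evaluated together, and
service tags as groups of prefixes. Prefix lists and NSGs are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed service-tag table; 168.63.129.16 is the real Azure platform address.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "192.168.0.0/24"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; the lowest number is evaluated first
    direction: str  # "Inbound" or "Outbound"
    remote: str     # '*', a service tag or a CIDR: source for inbound, destination for outbound
    dest_port: str  # '*', a single port such as '443', or a range such as '8000-8100'
    action: str     # "Allow" or "Deny"

# Azure's default rules sit below every custom rule and end in a deny-all.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Internet", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "Deny"),
]

def remote_matches(spec, addr):
    """Match an address against '*', a service tag or a CIDR prefix."""
    if spec == "*":
        return True
    if spec == "Internet":  # simplified: everything outside the virtual network
        return not remote_matches("VirtualNetwork", addr)
    if spec in SERVICE_TAGS:
        return any(ip_address(addr) in ip_network(p) for p in SERVICE_TAGS[spec])
    return ip_address(addr) in ip_network(spec)

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def validate_rules(rules):
    """List the problems Azure would reject in a custom rule set: priority outside
    100-4096, duplicate priority within a direction, or more than 1000 rules."""
    problems = ["more than 1000 rules"] if len(rules) > 1000 else []
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            problems.append(f"{r.name}: duplicate priority {r.priority}")
        seen.add((r.direction, r.priority))
    return problems

def evaluate_nsg(custom_rules, direction, remote_addr, port):
    """Return the first matching rule in priority order (a default always matches)."""
    candidates = [r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if remote_matches(rule.remote, remote_addr) and port_matches(rule.dest_port, port):
            return rule
    raise RuntimeError("unreachable: the 65500 deny-all rule matches everything")

def is_allowed(subnet_nsg, nic_nsg, direction, remote_addr, port):
    """Inbound traffic must pass the subnet NSG and then the NIC NSG; outbound
    the reverse. A deny at either level ends evaluation. Returns (verdict, trace)."""
    order = (subnet_nsg, nic_nsg) if direction == "Inbound" else (nic_nsg, subnet_nsg)
    trace = []
    for nsg in order:
        hit = evaluate_nsg(nsg, direction, remote_addr, port)
        trace.append(hit.name)
        if hit.action == "Deny":
            return False, trace
    return True, trace

# Constructed NSGs for a web VM in 10.0.0.0/16 with a jump box at 10.0.1.5.
SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Internet", "443", "Allow"),
    Rule("DenyRdpFromInternet", 110, "Inbound", "Internet", "3389", "Deny"),
]
NIC_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Internet", "443", "Allow"),
    Rule("AllowSshFromJumpbox", 200, "Inbound", "10.0.1.5/32", "22", "Allow"),
    Rule("DenyAllFromInternet", 300, "Inbound", "Internet", "*", "Deny"),
]

if __name__ == "__main__":
    for direction, remote, port in [("Inbound", "203.0.113.7", 443), ("Inbound", "203.0.113.7", 3389),
                                    ("Inbound", "10.0.2.9", 22), ("Outbound", "198.51.100.10", 53)]:
        print(direction, remote, port, is_allowed(SUBNET_NSG, NIC_NSG, direction, remote, port))
```

Two things worth noticing when running it: HTTPS from the internet reaches the VM even though the NIC NSG contains a deny-all-from-internet rule, because that rule sits at priority 300 and the allow at 100 is matched first; and SSH from any address inside the VNet is allowed by the default AllowVnetInBound rule, so intra-VNet traffic is open unless you add an explicit deny above it.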
