How to Share the Security Responsibility Between the CSP and Customer

By Dr. Kai Chen, Chief Security Technology Officer, Consumer BG, Huawei Technologies Co. Ltd.

The behemoths of cloud service providers (CSPs) have released shared security responsibility related papers and articles, explaining their roles and responsibilities in cloud provisioning. Although they share similar concepts, in reality, there are different interpretations and implementations among CSPs.

While there are many cloud security standards to help guide CSPs in fulfilling their security responsibilities, the cloud customers still find it challenging to design, deploy, and operate a secure cloud service. “Guideline on Effectively Managing Security Service in the Cloud” (referred to as the ‘Guideline’) developed by CSA’s Cloud Security Services Management (CSSM) Working Group provides an easy-to-understand guidance for cloud customers. It covers how to design, deploy, and operate a secure cloud service for different cloud service models, namely IaaS, PaaS, and SaaS. Cloud customers can use it to help ensure the secure running of service systems.

In the Guideline, the shared security responsibility figure was developed with reference to Gartner’s shared security responsibility model[1]. It illustrates the security handoff points for IaaS, PaaS, and SaaS cloud models. The handoff point moves up the stack across the models.

[1] Staying Secure in the Cloud Is a Shared Responsibility, Gartner,

Security responsibility division between CSPs and cloud customers in different cloud service models.

While there are differences in the security responsibility across the models, some responsibilities are common to all cloud service models:

CSPs’ Common Security Responsibilities

  • Physical security of the infrastructure, including but not limited to: equipment room location selection; power supply assurance; cooling facilities; protection against fire, water, shock, and theft; and surveillance (for details about the security requirements, see related standards)
  • Security of computing, storage, and network hardware
  • Security of basic networks, such as anti-distributed denial of service and firewalls
  • Cloud storage security, such as backup and recovery
  • Security of cloud infrastructure virtualization, such as tenant resource isolation and virtualization resource management
  • Tenant identity management and access control
  • Secure access to cloud resources by tenant
  • Security management, operating monitoring, and emergency response of infrastructure
  • Formulating and rehearsing service continuity assurance plans and disaster recovery plans for infrastructure

Cloud Customers’ Common Security Responsibilities

  • User identity management and access control of service systems
  • Data security (in the European General Data Protection Regulation (GDPR) mode, cloud customers control the data and should be responsible for data security while CSPs only process the data and should take security responsibilities granted by data controllers.)
  • Security management and control of terminals that access cloud services, including hardware, software, application systems, and device rights

Besides that, the Guideline contains chapters that describe the technical requirements for the security assurance of cloud service systems and provides an implementation guide based on the existing security technologies, products, and services. It also illustrates security assurance technologies, products, and services that CSPs and customers should provide in different cloud service models as mentioned previously.

Security responsibilities between CSPs and cloud customers

Mapping of the Guideline with CCM

To help provide an overview to end users about the similarities and differences between the security recommendations listed in the Guideline and the Cloud Controls Matrix (CCM) controls, the CSSM working group conducted a mapping of CCM version 3.0.1 to the Guideline.

The Mapping of “Guideline on Effectively Managing Security Service in the Cloud” Security Recommendations to CCM was a one-way mapping, using the CCM as base, done in accordance with the Methodology for the Mapping of the Cloud Controls Matrix.

The mapping document is supplemented with a detailed gap analysis report that breaks down the gaps in each CCM domain and provides recommendations to readers.

“This mapping work brings users of the Guideline a step closer to being CCM compliant, beneficial to organizations looking to extrapolate existing security controls to match another framework, standard or best practice,” said Dr. Chen Kai, Chief Security Technology Officer, Consumer BG, Huawei Technologies Co. Ltd., and chair of the CSSM Working Group.

Users of the Guideline will be able to bridge lacking areas with ease based on the gap analysis. By understanding what it takes to go from the Guideline to CCM, the mapping work complements the Guideline to help users achieve holistic security controls.

Download the gap analysis report on mapping to the CSA’s Cloud Controls Matrix(CCM) now.

Learn more about the Cloud Services Management Working Group here.

CCM v3.0.1. Update for AICPA, NIST and FedRAMP Mappings

Victor Chin and Lefteris Skoutaris, Research Analysts, CSA

The CSA Cloud Controls Matrix (CCM) Working Group is glad to announce the new update to the CCM v3.0.1. This minor update will incorporate the following mappings:

A total of four documents will be released. The updated CCM (CCM v3.0.1-03-08-2019) will be released to replace the outdated CCM v3.0.1-12-11-2017. Additionally, three addendums will be released for AICPA TSC 2017, NIST 800-53 R4 Moderate and FedRAMP moderate, separately. The addendums will contain gap analyses and also control mappings. We hope that organizations will find these documents helpful in bridging compliance gaps between the CCM, AICPA TSC 2017, FedRAMP and NIST 800-53 R4 Moderate.

With the release of this update the CCM Working Group will be concluding all CCM v3 work and refocusing our efforts on CCM v4.

The upgrade of CCM v3 to the next version 4 has been made imperative due to the evolution of the cloud security standards, the need for more efficient auditability of the CCM controls and integration into CCM of the security requirements deriving from the new cloud technologies introduced.

In this context, a CCM task force has already been established to take on this challenge and drive CCM v4 development. The CCM v4 working group is comprised of CSA’s community volunteers comprised of industry’s leading experts in the domain of cloud computing and security. This endeavor is supported and supervised by the CCM co-chairs and strategic advisors ( who will ensure that the CCM v4 vision requirements and development plan are successfully implemented.

Some of the core objectives that drive CCM v4 development include:

  • Improving the auditability of the controls
  • Providing additional implementation and assessment guidance to organizations
  • Improve interoperability and compatibility with other standards
  • Ensuring coverage of requirements deriving from new cloud technologies (e.g., microservices, containers) and emerging technologies (e.g., IoT)

CCMv4 development works are expected to be concluded by the end of 2020. Should you be interested in knowing more, or participating and contributing to the development of CCM v4, please join the working group here: