CSP Responsibilities Overview

Overview

Cloud Service Providers (CSPs) have extensive security responsibilities that form the foundation of cloud security. Understanding these responsibilities is essential for both providers implementing ISO 27017 and customers evaluating provider capabilities.

Learning Objectives

By the end of this lesson, you will be able to:

Understand the scope of CSP security responsibilities
Identify key security domains managed by CSPs
Recognize ISO 27017 controls specific to CSPs
Evaluate CSP security postures
Understand CSP compliance and certification requirements

CSP Security Responsibility Scope

Core Responsibility Areas

Cloud Service Providers are fundamentally responsible for security OF the cloud, which includes:

┌─────────────────────────────────────────────┐
│    Cloud Service Provider Responsibilities   │
├─────────────────────────────────────────────┤
│ 1. Physical Infrastructure                  │
│    - Data centers, facilities               │
│    - Power, cooling, physical security      │
├─────────────────────────────────────────────┤
│ 2. Network Infrastructure                   │
│    - Core networking equipment              │
│    - Network security, DDoS protection      │
├─────────────────────────────────────────────┤
│ 3. Virtualization Layer                     │
│    - Hypervisor security                    │
│    - Multi-tenant isolation                 │
├─────────────────────────────────────────────┤
│ 4. Service Availability                     │
│    - SLA compliance                         │
│    - Redundancy and failover                │
├─────────────────────────────────────────────┤
│ 5. Compliance and Certifications            │
│    - Infrastructure certifications          │
│    - Regular audits                         │
└─────────────────────────────────────────────┘

Responsibility by Service Model

Responsibility Area	IaaS CSP	PaaS CSP	SaaS CSP
Physical Security	✓	✓	✓
Network Infrastructure	✓	✓	✓
Virtualization	✓	✓	✓
Operating System	-	✓	✓
Middleware/Runtime	-	✓	✓
Application	-	-	✓
Data Storage Infrastructure	✓	✓	✓
Data Security (implementation)	Capability	Capability	✓

Key CSP Security Domains

Domain 1: Physical and Environmental Security

ISO 27017 Controls:

A.11.1.1 - Physical security perimeter
A.11.1.2 - Physical entry controls
A.11.1.3 - Securing offices, rooms, and facilities
A.11.1.4 - Protecting against external and environmental threats
A.11.1.5 - Working in secure areas
A.11.1.6 - Delivery and loading areas

CSP Responsibilities:

Data Center Security:

Perimeter Security
├─ 24/7 surveillance and monitoring
├─ Biometric access controls
├─ Security guards and patrols
├─ Mantrap entry systems
└─ Intrusion detection systems

Environmental Controls
├─ Redundant power systems (UPS, generators)
├─ Climate control (cooling, humidity)
├─ Fire suppression systems
├─ Flood detection and prevention
└─ Earthquake and disaster resilience

Best Practices:

Multiple security layers (defense in depth)
Visitor logging and escort requirements
Regular security audits
Documented access procedures
Emergency response plans

Domain 2: Infrastructure Security

ISO 27017 Controls:

A.12.1.1 - Operating procedures and responsibilities
A.12.1.3 - Capacity management
A.12.4.1 - Event logging
A.12.6.1 - Management of technical vulnerabilities
A.13.1.1 - Network controls

CSP Responsibilities:

Compute Infrastructure:

Server hardware security and maintenance
Hypervisor security and isolation
Resource allocation and management
Hardware decommissioning and sanitization

Storage Infrastructure:

Storage array security
Data replication and redundancy
Media encryption capabilities
Secure data deletion

Network Infrastructure:

Core router and switch security
Network segmentation
DDoS protection
Bandwidth management

Implementation Example:

Infrastructure Security Stack

┌──────────────────────────────────────┐
│   Network Layer                      │
│   - DDoS mitigation (up to XTB/s)   │
│   - Packet inspection                │
│   - Geographic routing               │
├──────────────────────────────────────┤
│   Compute Layer                      │
│   - Hypervisor hardening             │
│   - VM isolation                     │
│   - Resource quotas                  │
├──────────────────────────────────────┤
│   Storage Layer                      │
│   - At-rest encryption (AES-256)     │
│   - Redundant storage (3+ copies)    │
│   - Secure deletion                  │
└──────────────────────────────────────┘

Domain 3: Service Availability and Continuity

ISO 27017 Controls:

A.17.1.1 - Planning information security continuity
A.17.1.2 - Implementing information security continuity
A.17.2.1 - Availability of information processing facilities

CSP Responsibilities:

High Availability:

Redundant systems and components
Automated failover mechanisms
Load balancing
Geographic distribution

SLA Management:

Service Tier	Uptime SLA	Downtime/Month	Compensation
Basic	99.0%	7.2 hours	None
Standard	99.9%	43 minutes	Service credits
Premium	99.95%	22 minutes	Service credits + support
Enterprise	99.99%	4.3 minutes	Full credits + support

Business Continuity:

Regular backup systems
Disaster recovery sites
Tested recovery procedures
Communication plans
Incident management

Domain 4: Data Protection Capabilities

ISO 27017 Controls:

A.10.1.1 - Policy on use of cryptographic controls
A.10.1.2 - Key management
CLD.6.3.2 - Protection of virtual machine images
CLD.8.1.5 - Removal/return of cloud service customer assets

CSP Responsibilities:

Encryption Services:

Encryption as a Service

Data at Rest
├─ Provider-managed encryption (default)
│  └─ Keys managed by CSP in HSM
├─ Customer-managed keys (BYOK)
│  └─ Customer controls key lifecycle
└─ Client-side encryption
   └─ CSP never sees keys or unencrypted data

Data in Transit
├─ TLS 1.2/1.3 for API access
├─ VPN for private connectivity
└─ Encrypted replication between regions

Key Management:

Hardware Security Module (HSM) usage
Key rotation capabilities
Key lifecycle management
Audit logging of key usage

Data Isolation:

Logical separation between tenants
Encrypted data stores per tenant
Isolated backup and recovery
Secure multi-tenant databases

Domain 5: Access Control and Identity Management

ISO 27017 Controls:

A.9.1.2 - Access to networks and network services
A.9.2.1 - User registration and deregistration
A.9.4.1 - Information access restriction
CLD.13.1.4 - Securing cloud service user management interfaces

CSP Responsibilities:

Platform Access Control:

Administrative access management
Role-based access control (RBAC)
Multi-factor authentication (MFA)
Privileged access management (PAM)
Just-in-time access provisioning

Customer Authentication Services:

Service	Description	Use Case
Basic Auth	Username/password	Development, testing
API Keys	Token-based authentication	Programmatic access
OAuth 2.0	Delegated authorization	Third-party integration
SAML/SSO	Federated identity	Enterprise integration
MFA	Multi-factor authentication	Enhanced security

Identity Federation:

Support for enterprise identity providers
SAML 2.0 / OpenID Connect
Active Directory integration
Automated provisioning (SCIM)

Domain 6: Security Monitoring and Logging

ISO 27017 Controls:

A.12.4.1 - Event logging
A.12.4.2 - Protection of log information
A.12.4.3 - Administrator and operator logs
CLD.12.4.5 - Monitoring of cloud services

CSP Responsibilities:

Infrastructure Monitoring:

Security event monitoring
Intrusion detection/prevention
Anomaly detection
Threat intelligence integration

Log Management:

Logging Architecture

┌────────────────────────────────────────┐
│  Infrastructure Logs (CSP-owned)       │
│  - Physical access logs                │
│  - Network flow logs                   │
│  - Hypervisor logs                     │
│  - System security logs                │
└────────────┬───────────────────────────┘
             │
             ▼
    ┌────────────────────┐
    │  Log Aggregation   │
    │  - Centralized     │
    │  - Encrypted       │
    │  - Retention policy│
    └────────┬───────────┘
             │
             ▼
    ┌────────────────────┐
    │   Analysis & SIEM  │
    │  - Threat detection│
    │  - Compliance      │
    │  - Alerting        │
    └────────────────────┘

Customer-Accessible Logs:

API access logs
Resource access logs
Configuration changes
Authentication events
Security findings

Domain 7: Incident Management

ISO 27017 Controls:

A.16.1.1 - Responsibilities and procedures
A.16.1.2 - Reporting information security events
A.16.1.3 - Reporting information security weaknesses
A.16.1.4 - Assessment of and decision on information security events

CSP Responsibilities:

Incident Response Structure:

Incident Response Team

├─ Security Operations Center (SOC)
│  ├─ 24/7 monitoring
│  ├─ First response
│  └─ Escalation
│
├─ Incident Response Team
│  ├─ Investigation
│  ├─ Containment
│  └─ Remediation
│
├─ Customer Communication
│  ├─ Incident notification
│  ├─ Status updates
│  └─ Post-incident reports
│
└─ Management
   ├─ Executive escalation
   ├─ Legal coordination
   └─ Regulatory reporting

Incident Classification:

Severity	Definition	Response Time	Customer Notification
Critical	Data breach, major outage	< 15 minutes	Immediate
High	Security compromise, degraded service	< 1 hour	Within 4 hours
Medium	Isolated issues, minor security events	< 4 hours	Within 24 hours
Low	Informational, no impact	< 24 hours	As appropriate

Domain 8: Compliance and Certifications

ISO 27017 Controls:

A.18.1.1 - Identification of applicable legislation
A.18.1.3 - Protection of records
A.18.1.5 - Regulation of cryptographic controls

CSP Responsibilities:

Compliance Program:

Maintain relevant certifications
Regular third-party audits
Compliance reporting to customers
Regulatory liaison
Documentation maintenance

Common Certifications:

Certification	Focus	Relevance
ISO 27001	ISMS	Baseline security
SOC 2 Type II	Security controls over time	US customer requirements
PCI DSS	Payment card data	Payment processing
FedRAMP	Federal government cloud	US government contracts
HIPAA	Healthcare data	Healthcare sector
GDPR	Data protection	EU operations

Compliance Inheritance:

Customers can inherit certain compliance controls from CSP certifications:

Infrastructure Controls (Inherited)
├─ Physical security (CSP certified)
├─ Data center controls (CSP certified)
├─ Network security baseline (CSP certified)
└─ Incident response framework (CSP certified)

Shared Controls (Partially Inherited)
├─ Encryption (CSP provides capability)
├─ Access control (CSP provides mechanisms)
├─ Logging (CSP provides infrastructure)
└─ Backup (CSP provides service)

Customer Controls (Not Inherited)
├─ Data classification
├─ Access policy definition
├─ Application security
└─ User training

CSP Security Documentation

Required Documentation

For Customers:

Security Whitepaper
- Architecture overview
- Security controls summary
- Compliance certifications
- Shared responsibility model
Service Level Agreement (SLA)
- Availability commitments
- Performance guarantees
- Incident response times
- Compensation terms
Data Processing Agreement (DPA)
- Data handling commitments
- Subprocessor disclosure
- Data location specifications
- Customer rights
Compliance Reports
- SOC 2 reports
- ISO 27001 certificates
- Penetration test summaries
- Attestation letters

For Auditors:

Policies and Procedures
- Security policies
- Operational procedures
- Change management
- Incident response plans
Control Evidence
- Control descriptions
- Testing results
- Audit logs
- Compliance matrices

Evaluating CSP Security

Evaluation Framework

Pre-Selection Assessment:

Category	Evaluation Criteria	Evidence Required
Security Controls	ISO 27017 alignment	Security documentation
Certifications	Relevant certifications	Certificates, reports
Incident History	Past incidents, response	Public disclosures, references
Financial Stability	Business viability	Financial reports
Transparency	Documentation quality	Whitepapers, support responsiveness

Due Diligence Checklist:

Review security certifications (ISO 27001, SOC 2)
Obtain and review SOC 2 Type II report
Verify data center locations
Understand subprocessor arrangements
Review SLA terms and commitments
Assess incident notification procedures
Verify encryption capabilities
Confirm audit rights
Review exit and data portability provisions
Check customer references

Security Questionnaire:

Sample critical questions for CSPs:

What certifications do you maintain? (ISO 27001, SOC 2, etc.)
How is customer data logically segregated?
What encryption is applied to data at rest and in transit?
Can customers manage their own encryption keys?
What is your incident notification timeline?
Where are data centers located?
Who are your subprocessors and where are they located?
What audit rights do customers have?
How is data deleted upon contract termination?
What is your uptime SLA and compensation policy?

CSP Security Best Practices

1. Defense in Depth

Implement multiple security layers:

┌──────────────────────────────────────┐
│ Layer 7: Governance & Compliance     │
├──────────────────────────────────────┤
│ Layer 6: Application Security        │
├──────────────────────────────────────┤
│ Layer 5: Data Security               │
├──────────────────────────────────────┤
│ Layer 4: Identity & Access           │
├──────────────────────────────────────┤
│ Layer 3: Network Security            │
├──────────────────────────────────────┤
│ Layer 2: Infrastructure Security     │
├──────────────────────────────────────┤
│ Layer 1: Physical Security           │
└──────────────────────────────────────┘

2. Zero Trust Architecture

Never trust, always verify
Microsegmentation
Least privilege access
Continuous monitoring
Strong authentication

3. Automation and Orchestration

Automated security testing
Configuration management
Vulnerability scanning
Patch management
Incident response automation

4. Transparency and Communication

Clear documentation
Regular security updates
Proactive communication
Customer portal access
Responsive support

Key Takeaways

CSPs are responsible for security OF the cloud - infrastructure, physical security, and service availability
Responsibilities increase with service model - SaaS providers manage more than IaaS providers
Physical and infrastructure security are fundamental CSP responsibilities
Compliance and certifications demonstrate CSP security commitment
Documentation and transparency enable customer due diligence
Incident management requires defined procedures and customer notification
Monitoring and logging provide visibility into security posture
Customer evaluation should be comprehensive and ongoing

Preparation for Next Lesson

The next lesson covers Infrastructure Security in detail, including:

Data center security controls
Network infrastructure protection
Compute and storage security
Hardware lifecycle management

Self-Assessment Questions

What is the fundamental security responsibility of a CSP?
Name three physical security controls CSPs should implement.
What is the purpose of a SOC 2 Type II report?
Who is responsible for hypervisor security in IaaS?
What should be included in an SLA?
How does CSP responsibility differ between IaaS and SaaS?
What is defense in depth?
Why are certifications important for CSPs?
What is the purpose of a Data Processing Agreement?
Name three questions customers should ask when evaluating CSPs.

This lesson has provided an overview of CSP security responsibilities. Understanding these responsibilities is crucial for both providers implementing controls and customers evaluating provider capabilities.