Module 3: Cloud Service Customer Controls

Customer Responsibilities Overview

Overview

Cloud Service Customers (CSCs) retain security responsibilities that the Cloud Service Provider (CSP) cannot take on for them: deciding what data goes into the service, who may reach it, how the service is configured, and whether its use is monitored. ISO 27017 (CLD.6.3.1) requires these shared roles and responsibilities to be defined and agreed between CSP and CSC; the CSP's controls only deliver comprehensive security when the customer's side is actually implemented.

Learning Objectives

  • Understand CSC security responsibilities
  • Identify customer-managed controls
  • Recognize shared responsibilities
  • Implement customer security framework
  • Apply ISO 27017 customer guidance

CSC Security Responsibility Scope

Core Responsibility Areas

Cloud Service Customer Responsibilities

┌─────────────────────────────────────┐
│ 1. Data Governance                  │
│    - Data classification            │
│    - Data handling policies         │
├─────────────────────────────────────┤
│ 2. Access Management                │
│    - User provisioning              │
│    - Access policies                │
├─────────────────────────────────────┤
│ 3. Application Security             │
│    - Secure development             │
│    - Vulnerability management       │
├─────────────────────────────────────┤
│ 4. Configuration Management         │
│    - Security settings              │
│    - Compliance configuration       │
├─────────────────────────────────────┤
│ 5. Monitoring and Logging           │
│    - Activity monitoring            │
│    - Security event detection       │
└─────────────────────────────────────┘

Responsibility by Service Model

Responsibility            IaaS CSC   PaaS CSC   SaaS CSC
Data                      ✓          ✓          ✓
Applications              ✓          ✓          Config only
Runtime/Middleware        ✓          Config     -
Operating System          ✓          -          -
Access Control            ✓          ✓          ✓
Encryption Configuration  ✓          ✓          ✓
Monitoring                ✓          ✓          Config/Review
Compliance                ✓          ✓          ✓

(✓ = customer responsible; Config = customer configures a layer the provider operates; - = provider responsibility)

Key Customer Domains

Domain 1: Data Governance

ISO 27017 Controls:

  • A.8.1.1 - Inventory of assets
  • A.8.2.1 - Classification of information
  • A.8.2.3 - Handling of assets

CSC Responsibilities:

  • Identify all data in cloud
  • Classify by sensitivity
  • Define handling requirements
  • Implement data lifecycle policies
  • Monitor data usage

Domain 2: Access Control

ISO 27017 Controls:

  • A.9.1.1 - Access control policy
  • A.9.2.1 - User registration/deregistration
  • A.9.2.2 - User access provisioning
  • A.9.4.1 - Information access restriction

CSC Responsibilities:

  • Define access policies
  • Provision/deprovision users
  • Implement least privilege
  • Conduct access reviews
  • Enable MFA
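Least privilege and MFA enforcement are easiest to verify mechanically on the policy documents themselves. The following is an added example, not code from the lesson or from any provider's tooling: a small linter that reads an IAM-style JSON policy (the layout follows the AWS IAM policy format) and flags wildcard actions, unscoped resources, and sensitive actions that are not gated behind an MFA condition. The policy documents and the SENSITIVE_ACTIONS list are constructed for this example.

```python
"""Least-privilege lint for IAM-style JSON policy documents.

Added example (not from the lesson). The policy layout follows the AWS IAM
JSON format; the sample policies and the sensitive-action list below are
constructed for illustration.
"""
import fnmatch
import json

# Actions a customer would normally gate behind MFA. Assumed list for the
# example; extend it to match the environment.
SENSITIVE_ACTIONS = (
    "iam:*",
    "s3:DeleteBucket",
    "kms:ScheduleKeyDeletion",
    "ec2:TerminateInstances",
    "organizations:*",
)


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _mfa_required(statement):
    """True if the statement carries an MFA condition (Bool or MFA-age form)."""
    for op, kv in statement.get("Condition", {}).items():
        if op in ("Bool", "BoolIfExists"):
            if str(kv.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
                return True
        if op in ("NumericLessThan", "NumericLessThanEquals"):
            if "aws:MultiFactorAuthAge" in kv:
                return True
    return False


def _is_sensitive(action):
    """Match the action against the sensitive list in both directions, so
    that 'ec2:*' in a policy is caught by the pattern 'ec2:TerminateInstances'."""
    return any(fnmatch.fnmatch(action, pat) or fnmatch.fnmatch(pat, action)
               for pat in SENSITIVE_ACTIONS)


def lint_policy(policy_json):
    """Return (severity, statement_index, message) findings for Allow statements."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions:
            findings.append(("HIGH", i, "Action '*' grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append(("MEDIUM", i, "service-wide wildcard action"))
        if "*" in resources and "*" not in actions:
            findings.append(("MEDIUM", i, "Resource '*' is not scoped to specific ARNs"))
        hits = [a for a in actions if _is_sensitive(a)]
        if hits and not _mfa_required(st):
            findings.append(("HIGH", i, f"sensitive actions without MFA condition: {hits}"))
    return findings


# Constructed sample policies.
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})

SERVICE_WILDCARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]})

SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Allow", "Action": "iam:CreateUser",
     "Resource": "arn:aws:iam::123456789012:user/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("ec2-wildcard", SERVICE_WILDCARD_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "clean")
```

The two-way fnmatch in `_is_sensitive` is the part worth copying: a policy that grants `ec2:*` must be treated as granting `ec2:TerminateInstances`, so the sensitive pattern has to be matched against the policy's wildcard as well as the other way round.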

Domain 3: Application Security (IaaS/PaaS)

ISO 27017 Controls:

  • A.14.1.1 - Security requirements analysis
  • A.14.2.1 - Secure development policy
  • A.14.2.5 - Secure system engineering
  • A.14.2.8 - System security testing

CSC Responsibilities:

  • Secure coding practices
  • Vulnerability scanning
  • Security testing
  • Dependency management
  • Code reviews

Domain 4: Configuration Management

ISO 27017 Controls:

  • A.12.1.2 - Change management
  • A.12.6.2 - Restrictions on software installation
  • CLD.12.1.5 - Administrator's operational security

CSC Responsibilities:

  • Security configuration baselines
  • Configuration monitoring
  • Change control
  • Compliance validation
  • Documentation
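A configuration baseline is only useful if it is checked against what is actually deployed. The block below is an added example, not code from the lesson or from any CSP tool: it evaluates a flattened resource inventory against a declared baseline and reports each drift as a finding. The inventory field names (`block_public_access`, `ingress`, `cidr`, and so on) and the sample resources are constructed for the example, not any provider's export format.

```python
"""Baseline drift check over an exported resource inventory.

Added example (not from the lesson). Resource shapes and attribute names
are assumptions chosen for the example, not a provider's API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    expected: str
    actual: str


# Baseline rows: (resource_type, attribute, comparison, expected).
# "no_public_port" means the port must not be reachable from 0.0.0.0/0 or ::/0.
BASELINE = [
    ("bucket", "block_public_access", "equals", True),
    ("bucket", "encryption", "in", ("aws:kms", "AES256")),
    ("bucket", "access_logging", "equals", True),
    ("bucket", "versioning", "equals", True),
    ("security_group", "ingress", "no_public_port", 22),
    ("security_group", "ingress", "no_public_port", 3389),
]


def _open_to_world(ingress_rules, port):
    """Return the first ingress rule exposing `port` to the whole internet, else None."""
    for rule in ingress_rules:
        if rule["cidr"] in ("0.0.0.0/0", "::/0") and rule["from_port"] <= port <= rule["to_port"]:
            return rule
    return None


def evaluate(inventory, baseline=BASELINE):
    """Compare every resource with every baseline row for its type.

    A missing attribute is reported as drift (actual 'None'): an unset
    control is not a passing control."""
    findings = []
    for res in inventory:
        for rtype, attr, op, expected in baseline:
            if res["type"] != rtype:
                continue
            actual = res.get(attr)
            if op == "equals" and actual != expected:
                findings.append(Finding(res["id"], attr, str(expected), str(actual)))
            elif op == "in" and actual not in expected:
                findings.append(Finding(res["id"], attr, "one of " + "/".join(expected), str(actual)))
            elif op == "no_public_port":
                rule = _open_to_world(actual or [], expected)
                if rule is not None:
                    findings.append(Finding(
                        res["id"], f"{attr} port {expected}",
                        "not reachable from 0.0.0.0/0 or ::/0",
                        f"{rule['cidr']} {rule['from_port']}-{rule['to_port']}"))
    return findings


# Constructed inventory: one compliant and one drifted resource of each type.
INVENTORY = [
    {"type": "bucket", "id": "app-data", "block_public_access": True,
     "encryption": "aws:kms", "access_logging": True, "versioning": True},
    {"type": "bucket", "id": "legacy-exports", "block_public_access": False,
     "access_logging": False, "versioning": True},            # no encryption key at all
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                 {"cidr": "10.0.0.0/8", "from_port": 3389, "to_port": 3389}]},
]

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.resource}: {f.check} expected {f.expected}, got {f.actual}")
```

Run this from a pipeline after every change (and on a schedule, since console edits bypass change control) and treat a non-empty result as a failed compliance validation; the baseline list doubles as the documentation the domain asks for.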

Domain 5: Monitoring

ISO 27017 Controls:

  • A.12.4.1 - Event logging
  • CLD.12.4.5 - Monitoring of cloud services

CSC Responsibilities:

  • Enable logging
  • Monitor access patterns
  • Detect anomalies
  • Review security events
  • Incident response
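Enabling logging is the provider-facing half of this domain; the customer still has to look at the events. The block below is an added example, not from the lesson or any vendor product: a handful of detection rules run over a constructed batch of audit events in a CloudTrail-like shape (console login without MFA, a burst of failed logins from one address, root-account activity, and tampering with the logging trail itself). The event records and the rule thresholds are constructed for the example.

```python
"""Detection rules over constructed cloud audit events.

Added example (not from the lesson). The events imitate the CloudTrail
record layout but are constructed here; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that weaken the audit trail; assumed list for the example.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=5), threshold=3):
    """Return (rule, subject, detail) alerts. Events may arrive unordered."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    for e in sorted(events, key=_ts):
        name = e["eventName"]
        ident = e.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("type")

        if ident.get("type") == "Root":
            alerts.append(("root_activity", actor, name))

        if name == "ConsoleLogin":
            if e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                ip = e["sourceIPAddress"]
                failures[ip] = [t for t in failures[ip] if _ts(e) - t <= window] + [_ts(e)]
                # Fire once when the threshold is reached, not on every later failure.
                if len(failures[ip]) == threshold:
                    alerts.append(("login_failure_burst", ip,
                                   f"{threshold} failures within {window}"))
            elif e.get("additionalEventData", {}).get("MFAUsed") == "No":
                alerts.append(("console_login_without_mfa", actor, e["sourceIPAddress"]))

        if name in LOGGING_TAMPER:
            alerts.append(("logging_tampered", actor, name))
    return alerts


def _event(time, name, itype, ip, **extra):
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": itype}}
    if itype == "IAMUser":
        rec["userIdentity"]["arn"] = f"arn:aws:iam::123456789012:user/{extra.pop('user')}"
    rec.update(extra)
    return rec


# Constructed sample batch.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", "ConsoleLogin", "IAMUser", "198.51.100.10", user="alice",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _event("2024-05-01T10:01:00Z", "ConsoleLogin", "IAMUser", "203.0.113.7", user="alice",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-05-01T10:01:30Z", "ConsoleLogin", "IAMUser", "203.0.113.7", user="alice",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-05-01T10:02:10Z", "ConsoleLogin", "IAMUser", "203.0.113.7", user="alice",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-05-01T10:03:00Z", "ConsoleLogin", "IAMUser", "198.51.100.22", user="bob",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _event("2024-05-01T10:10:00Z", "StopLogging", "IAMUser", "198.51.100.22", user="bob"),
    _event("2024-05-01T10:15:00Z", "DescribeInstances", "Root", "198.51.100.30"),
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {subject:45} {detail}")
```

Each rule here corresponds to one of the bullets above: the no-MFA and failure-burst rules cover access patterns and anomalies, the root-activity rule covers an account that should never be used day to day, and the logging-tamper rule protects the visibility the other rules depend on. Tune the window and threshold to the environment; the constructed values are only illustrative.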

Customer Security Framework

┌──────────────────────────────────────┐
│         Governance Layer             │
│  - Policies                          │
│  - Risk management                   │
│  - Compliance                        │
├──────────────────────────────────────┤
│         Technical Controls           │
│  - Access control                    │
│  - Encryption                        │
│  - Security monitoring               │
├──────────────────────────────────────┤
│         Operational Controls         │
│  - User training                     │
│  - Incident response                 │
│  - Change management                 │
└──────────────────────────────────────┘

Key Takeaways

  1. Customers are always responsible for data
  2. Responsibilities vary by service model
  3. Configuration is critical for security
  4. Monitoring provides visibility
  5. Documentation is essential

Self-Assessment

  1. What are customers always responsible for?
  2. How do responsibilities differ between IaaS and SaaS?
  3. What is data classification?
  4. Why is monitoring important for customers?
  5. What controls should customers implement?
