Establishing a system boundary is the single most important step when categorizing and securing a system. Regardless of the compliance regimen you are using, laying out a system boundary is the first step to determine what needs protection. While some system owners might have flexibility in defining what constitutes their information system, others, like cloud service providers (CSPs) looking to achieve FedRAMP authorization to operate (ATO), will have a prescribed path to follow.

What is the difference between a system boundary and an authorization boundary? A system boundary is simply the security perimeter around what you are protecting, while an authorization boundary is the system boundary for which you are looking to achieve an ATO. Authorization boundaries allow you to establish the scope of protection for information systems, including people, processes, and technologies.

When it comes to cloud environments, determining the authorization boundary is a complex task. For example, a software as a service (SaaS) provider can leverage different configuration models to design its cloud stack. According to the FedRAMP PMO, “Defining the authorization boundary is by far the hardest non-technical component of a security package.” Even though cloud computing is not a new concept, understanding cloud dependencies and the shared responsibility model can be challenging.

SaaS providers can choose to leverage either an infrastructure as a service (IaaS) or platform as a service (PaaS) model, which will ultimately drive the responsibility model and the scope of controls. A control responsibility starts where the underlying provider’s responsibility ends. Depending upon which model they choose, their responsibility and the scope will vary significantly. Therefore, leveraging a PaaS will leave significantly fewer controls for the inheriting CSP to implement.