Cybersecurity PSaaS Roles & Responsibilities Cheat Sheet (DRAFT) by [deleted]

Cybersecurity PSaaS Roles & Responsibilities

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Introduction: Complex Deployments

Cybersecurity responsibilities for more complex PSaaS deployments are simply extended across the vendors and cloud infrastructure providers involved. It is possible, for example, to have two or three PSaaS vendors, such as one each for access control, video management, video analytics and visitor management.

Each PSaaS vendor may have a different cloud infrastructure provider. There may be both cloud-level integrations and on-premises integrations between the various PSaaS offerings. All of the cybersecurity issues must be identified and the responsibilities accounted for to ensure that there are no gaps in cybersecurity protection. This should be reflected in the documentation of the various product and service offerings.

Assurance of continuous conformance to cybersecurity requirements should be provided by the chain of Service Level Agreements from cloud infrastructure provider, to PSaaS vendor, to security systems integrator, to cloud service customer.

Whether the picture is simple or complex, it is important to ensure the cybersecurity of a PSaaS offering by determining, fully agreeing on, documenting, and verifying who is responsible for what, and how those responsibilities will be lived up to.

PSaaS Security Roles

Security Responsibilities

Cloud Service Customer
Utilizes the PSaaS offering for security operations and investigations, and uses the business-related video analytics data for business planning and decision-making.
- Identifying and/or specifying cybersecurity requirements of data that will reside in the cloud. That includes the classification of the data (confidential, private, etc.) as well as any regulatory requirements such as country residency (data must be stored within that country). Classification and residency requirements determine the encryption requirements and backup data location options.
- Approving the cybersecurity profile of the cloud service, including its on-premises equipment.
- Stringent management of user logon credentials to the SaaS application and on-premises security systems equipment, unless the integrator provides user logon credential management as a service.
- Regularly reviewing/auditing system and device access records and user access privilege assignments, and timely performing or initiating termination of access privileges when appropriate.
- Network security for the on-premises equipment, if the on-premises equipment resides on or connects to the Internet via the corporate network.

Security Systems Integrator
Installs & maintains the PSaaS on-premises equipment.
- Verifying the status of cybersecurity controls for the PSaaS offering and any cloud-based integrations involved.
- Accurately informing the customer of the cybersecurity profile of the cloud service.
- Cyber-secure configuration of the on-premises equipment.
- Stringent management of service technician logon credentials for accessing on-premises equipment and the cloud service.

PSaaS Vendor
Provides the SaaS application and provides or specifies the on-premises equipment that the Security Systems Integrator resells.
- The cybersecurity of the SaaS application and any cloud-based integrations to it.
- Cyber-secure configuration capabilities for any on-premises equipment provided or specified.
- System hardening guidance.
- A vulnerability policy and a method for integrators and their customers to report cyber vulnerabilities.

Cloud Infrastructure Provider
Provides the Platform as a Service (PaaS) infrastructure on which a SaaS application runs (such as Microsoft Azure or Amazon AWS).
- Computer and network security of the cloud infrastructure provided.
- No responsibility for SaaS application security.
- No responsibility for on-premises equipment.