Week 3 Responsibilities For All
This week was busy. I worked towards getting my CompTIA Security+ certification, specifically studying for the SY0-701 exam. I continued to maintain the documentation we are required to have for certification and an efficient workflow; this includes a full inventory of our lab. I continued to read documents, such as the Intel® 64 and IA-32 Architectures Software Developer’s Manual and the PCI Express® 2.0 Base Specification. These documents are helpful to me for any kind of product development work I may be doing. In addition to the technical documents, I have also been keeping up with the documents that outline our requirements to hold certifications. This has involved reading a lot of non-technical documents, which are also in excess of 1000 pages. All this documentation shares the responsibility of keeping everyone organized.
Any company takes on responsibilities when it sells a product or service. The OSI Shared Responsibility Model is a document that breaks down where security-related responsibilities fall. The document defines different types of services and breaks down what the client and the provider are responsible for in each service model. Understanding the OSI model is crucial for cybersecurity as cloud services become a go-to solution for many companies. Take, for example, a company which provides infrastructure as a service (IaaS). One such company would be Amazon Web Services (AWS). A small company wishing to launch a product or service of its own may want to avoid buying and maintaining a datacenter (this is a massive undertaking, especially for a small company). To avoid such a large cost, it uses AWS. The advantage of AWS in this case is that the small company is not paying for the network, the servers, the physical hardware, or the virtualization platform. The company in this example needs to decide which operating system, software, and data (or how the data is stored) will be used to provide the product/service. In simplified terms, AWS provides computers for the company to use, while the company decides how it will set up and use those computers. AWS and the example company are each responsible for the security of the parts they maintain. This means AWS needs to ensure that no unauthorized person has physical access to the servers and that the network the servers are on is secure. The company is then responsible for ensuring that any important data is not publicly accessible, that no insecure applications are installed, and that the operating system is secured.
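As an added example (not code from the original post), here is a small Python checker for the customer-side half of that split: it reads an AWS-style resource policy document and reports Allow statements granted to any principal, which is how data the customer, not the provider, is responsible for ends up publicly readable. The two policy documents, bucket name and account id are constructed sample input.

```python
import json

# Constructed sample policies (not from the original post). A wildcard
# Principal on an Allow statement is the classic way a bucket the customer
# is responsible for becomes readable by the whole internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"
    }]
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*"
    }]
})


def _principal_is_anyone(principal) -> bool:
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        values = values if isinstance(values, list) else [values]
        return "*" in values
    return False


def find_public_statements(policy_json: str) -> list[str]:
    """Return the Sid (or index) of every Allow statement open to any principal.

    Statements carrying a Condition block are still reported: a condition such
    as aws:SourceIp may narrow access, but that needs human review, so the
    checker stays conservative instead of silently trusting it.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    flagged = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")):
            flagged.append(stmt.get("Sid", f"statement[{idx}]"))
    return flagged
```

Running the checker against a policy exported from a real account is a quick, repeatable way to verify the "data is not publicly accessible" obligation rather than assuming the provider covers it.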
Fun fact: Ensuring an operating system is secured is a multi-step process which starts with configuring the device in a process known as system hardening. Once a system has been hardened, it must be maintained with updates or security patches. The ongoing nature of updates/patches is a result of the constant developments in the tug-of-war-esque relationship between “hackers” and security teams.
