Figure 4: Impacted capabilities in the Threat and Vulnerability Management high-level capability (figure; mid-level capabilities shown: Compliance Testing (Databases, Servers, Network), Vulnerability Management, Penetration Testing (Internal, External, Infrastructure, Application, DB), Threat Management, Source Code Scanning, Risk Taxonomy)
• Not applicable capabilities: In the SRM domain’s Infrastructure Protection Services high-level capability, we identified as “not applicable” the Server mid-level capability and its Behavioral Malware Protection low-level capabilities. All of these low-level security capabilities (HIPS/HIDS, Antivirus, File Integrity Monitoring, Sensitive File Protection, Whitelisting and Host Firewalls) are “not applicable” controls. In other words, these capabilities are not the customer’s responsibility; they are taken care of by the FaaS provider. We grayed those out in our SRA, as shown in Figure 5.
This example is mapped directly from the new shared responsibility model, shown in Figure 1, where the platform responsibility has been transferred from the customer to the FaaS provider.

Figure 5: Not applicable capabilities in the Infrastructure Protection Services domain (figure; mid-level capabilities shown: Server (Anti-Virus, Anti-Malware Prevention, HIPS/HIDS, Host Firewall, Media Lockdown, Hardware-Based Trusted Assets, Behavioral Malware Prevention, Inventory Control, Content Filtering, Forensic Tools, White Listing, Sensitive File Protection), Network (Firewall, Content Filtering, DPI, NIPS/NIDS, Wireless Protection, Link Layer Network Security), Application (XML Appliance, Secure Messaging, Firewall, Real Time Filtering, Secure Collaboration, Black Listing Filtering, Spam/Anti-Malware); the Server capability and its Behavioral Malware Prevention controls are grayed out as not applicable)
24 | THE DOPPLER | FALL 2019