[Figure 4 (image not reproduced): Impacted capabilities in the Threat and Vulnerability Management high-level capability. Capabilities shown: Threat & Vulnerability Management; Compliance Testing; Vulnerability Management; Penetration Testing; Threat Management; Source Code Scanning; Risk Taxonomy; Databases; Servers; Network; Internal; External; Infrastructure; Application; DB]
Figure 4: Impacted capabilities in the Threat and Vulnerability Management high-level capability
• Not applicable capabilities: In the SRM domain's Infrastructure Protection Services high-level capability, we identified the Server mid-level capability and the Behavioral Malware Protection low-level capabilities as "not applicable". All of these low-level security capabilities (HIPS/HIDS, Antivirus, File Integrity Monitoring, Sensitive File Protection, Whitelisting and Host Firewalls) are "not applicable" controls. In other words, these capabilities are not the customer's responsibility; they are taken care of by the FaaS provider. We grayed those out in our SRA, as shown in Figure 5.
[Figure 5 (image not reproduced): Not applicable capabilities in the Infrastructure Protection Services domain. Panels shown: Infrastructure Protection Services; Server; Network; Application; Authentication Services. Capabilities shown: Anti-Virus, Anti-Malware Prevention; HIPS/HIDS; Host Firewall; Media Lockdown; Hardware-Based Trusted Assets; Behavioral Malware Prevention; Inventory Control; Content Filtering; Forensic Tools; White Listing; Spam, Anti-Malware; Sensitive File Protection; Firewall; DPI; NIPS/NIDS; Wireless Protection; Link Layer Network Security; XML Appliance; Secure Messaging Appliance; Real Time Filtering; Secure Collaboration; Black Listing Filtering. Callout: "This example is mapped directly from the new shared responsibility model, shown in Figure 1, where the platform responsibility has been transferred from the customer to the FaaS provider."]
Figure 5: Not applicable capabilities in the Infrastructure Protection Services domain
80 | THE DOPPLER | SUMMER 2019