Shared Security Roles and Responsibilities

Preamble

Security for QXTN IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) follows a shared responsibility model, with QXTN and the customer (or customer’s IT agent) dividing security roles between the parties in an agreed and documented manner.

The security responsibilities matrix should be recorded in business documentation for reference purposes; however, all monthly QXTN invoices will list any non-default responsibilities that QXTN has agreed to manage.

QXTN Responsibilities

QXTN is responsible for protecting the infrastructure that runs the IaaS and PaaS services, such as network equipment, firewalls, servers and storage services.

The customer can request shared management of the IaaS and PaaS hosted servers and devices; however, this management is usually performed by the customer and/or their IT agent or company. Should the shared management option be selected by the customer, this will be clearly signposted by an agreed responsibility matrix and associated line items within the monthly invoice from QXTN.

QXTN reserves the management of the firewall as a QXTN responsibility. Change management and requests are handled by helpdesk ticket.

QXTN maintains a configuration management archival system for all network devices and servers supporting the QXTN infrastructure.

Customer Responsibilities

The customer or customer’s IT agent is responsible for the configuration, maintenance and upkeep of the IaaS and PaaS hosted server’s OS, patching, upgrades and revision changes. The customer is responsible for security configuration and upkeep, and for the installation and maintenance of any on-server anti-virus, anti-malware and intrusion prevention systems required, as well as any required access control mechanisms and identity management systems. Client-side or server-side encryption and network information protection are also the responsibility of the client.

QXTN can assist customers with the supply and maintenance of WAN endpoint routers; however, all responsibility for the network ends at the WAN endpoint router. If the WAN endpoint router is managed by QXTN, this will be indicated by a line item on the monthly invoice. QXTN does not offer shared responsibility for these devices.

Finally, the customer is responsible for ensuring:

  1. the VMware Tools or appropriate software equivalent is maintained on all servers,
  2. the QXTN Best Practices document recommendations are followed for the relevant OS,
  3. the QXTN monitoring agent is running and accessible by the QXTN monitoring systems,
  4. and the “qxtnmanage” user is configured and appropriately privileged unless otherwise agreed in writing.

Requesting changes to QXTN Managed IaaS and PaaS Services

All requests for changes to IaaS and PaaS devices will be emailed to helpdesk@qxtn.net, with a follow-up phone call should the request be an emergency.

Terminology and More Information References

IaaS and PaaS – Infrastructure as a Service and Platform as a Service – see https://searchcloudcomputing.techtarget.com/definition/Infrastructure-as-a-Service-IaaS and https://searchcloudcomputing.techtarget.com/definition/Platform-as-a-Service-PaaS

WAN Endpoint Router – the router connected between the NBN or Fibre Optic link back to the datacentre and the client network at the site.

Emergency situation – any situation that prevents your entire site or organisation from accessing the IaaS or PaaS services and which involves a QXTN managed service such as the NBN or Fibre Optic link, a QXTN managed WAN Endpoint Router, server, firewall or other device.

Security Responsibilities Matrix

Item Managed By Customer Option QXTN Option  
WAN Router QXTN Read-only access
Internet Firewall QXTN Read-only access
VM OS Patching/Updates Customer For-fee service
VM Software/Updates Customer For-fee service
VM Firewall Customer For-fee service
VM Monitoring QXTN Read-only access
IaaS Network QXTN
VM OS and Software maint. Customer For-fee service
IDS/IPS QXTN For fee option
Branch Site Network Customer For-fee service
VM Backups By negotiation For fee option
