To steer clear of the internet these days is almost impossible unless you have made a clear and conscious decision to abandon modern society and live free like the Pokot nomads in West Pokot. Since the latter is not only a way of life trapped in a castaway circumstance, we tend to educate ourselves about the dangers of the internet, especially in terms of parental control and children’s exposure to unwanted content.
In simple terms, we should divide the aspects and impact of the internet in the modern-day household into cyber safety and security. Before we even consider that, though, we should look at how to stay informed about what children are drawn to on the internet and how to control or limit visits to sites that are not appropriate for their age and upbringing. Or should we just resort to confidence in our superb parenting skills, hoping that would be enough? Absolutely NO!
The Cobb Schools Instructional Technology team created a Student Online Safety resource with a list of best practices for online safety.
- Discuss online safety with your children (disclosing personal information, what to do if inappropriate information pops up, “online friends”, evaluating reliable resources, etc.). Resource: 10 Tips for Parents
- Place computers in a common area of the house. Resource: Keeping Children Safe Online
- Spend time online with your children and know who they are talking with online. Resource: Parent Guide
- Set reasonable time and usage limits (set rules, stick to them, take breaks, go outside). Resource: Net Safety
- Never let children upload/download software, photos or apps without parental consent. Resources: Block Web Content, Protect Young Eyes
- Know your children’s passwords. Resources: Password Template, Password Keeper
- Use parental blocks when possible. Resource: Parental Blocks
Top 10 Cyber Safety Tips for Parents
#1 Be Informed, Up-to-Date, and Alert
Of course, first and foremost we have to assume that the situation at home is stable and secure, and that parents have the time to discuss and relate their views and concerns when it comes to the internet. They should be more than merely curious, but they should also approach with caution, as the “wrong attitude” can shut their kids off and keep the most important information, what kids like to do online, from being fully disclosed. Gaming, general searches, and many other things that fall under the umbrella of the digital footprint should, and must, be part of this discussion.
We can also learn something from the general attitude of the great Steve Jobs and the first general rule of his own household: no computers, laptops or mobile telephones were allowed in his home. He thus found a fairly easy solution to one of the most important aspects of child cyber security for parents: be aware of how much time they spend online, and how!
It is very difficult, sometimes even impossible, for parents to keep up. There are instances where parents have little or no understanding of what their kids are doing online and, even if they did, they don’t have the time to educate, listen and point them in the right direction. They merely rely on the off chance that it will all be all right. Often it does not unfold that way, especially where parents are under the impression that they have sufficient control through filtering software and the ability to block certain websites. The truth of the matter is quite different: there is so much information out there that it is safe to assume some children, if not all, will most definitely get around a simple and insufficient approach to parental controls.
Summing up, the first point is easy to understand and can also be fun to implement. Stay connected to your kids, talk to them, learn from them, keep abreast of updates, be open to their questions and invest in that bond, which is most likely to be your best tool to keep them safe and sound on and offline.
#2 Know the Tools, Risks, Rules, and Approach
There is no way around it: get into the game early, and that way you will never be late with a reaction.
It is everywhere: in schools, at home, on phones, in cafés, at birthdays and at the theatre, so it should be no surprise that kids learn faster than their parents, whether they use the internet for research projects at school, school reports, communicating with teachers and other kids, or playing interactive games.
Being surrounded by it comes at a cost, which in most cases is unwanted content that they come across by being curious and clicking on a pop-up or a sidebar of YouTube videos. It also comes in more difficult scenarios like cyber-bullying and, just like any other jungle out there, online predators. Because of this, both you and your children should be aware of the significance of anonymity online. Not using your real name, and only connecting through a VPN connection, will ensure that no predator would be able to pinpoint and dox (a term for disclosing private information) your children and do them any harm. With Le VPN you will be able to appear as if you are in another country, diminishing the chance of your child being attacked by malicious software or spyware.
Online predators are known for impersonating a different person, or even a child. On software and websites where kids interact, predators may pose as a child or teen looking to make a new friend. Their scam is to get as much information from a child as they possibly can (personal information, address, phone number, etc.), and that’s why our first point is of paramount importance: parents have to be informed and stay informed about what their kids see and hear on the internet, who they meet, and what they share about themselves. Use that privilege and that wonderful bond and talk freely with them, but never take your gaze off their activities.
Children’s Online Privacy Protection Act – Internet Safety Laws
Enacted and regulated at the federal level, the Children’s Online Privacy Protection Act (COPPA) assists in the protection of children under the age of thirteen. When we break it down, it is basically a safeguard for parents: a child’s personal information cannot be obtained without a parent’s awareness and consent.
COPPA requires websites to explain their privacy policies and get parental consent before collecting and/or using a child’s personal information (name, address, phone number, social security number, etc.). It also contains a prohibition that acts as another safeguard.
This prohibition prevents a site from requiring a child to provide more personal information than necessary to play a game or enter a contest.
#3 Use Online Protection Tools
The use of online tools gives parents a certain degree of control over kids’ access to inappropriate adult material and helps protect their children from internet predators. One of the basic tools comes from Internet service providers (ISPs) that provide parental-control options. Also available to parents are programs and specifically designed software that help block access to sites and restrict personal information from being sent online. Others resort to software that monitors and tracks online activity.
It is never too much to repeat and continuously point out the necessity of going back to the very basics, which entails being involved in your children’s online activities.
- Never share basic personal information (address, phone number or school name or location);
- Use only a screen name and never share passwords;
- Never consent or promise to meet in person with anyone you have met online without parental knowledge, approval and/or supervision;
- Never respond to a threatening email, message, post, or text;
- Always consult and fully inform a parent, another close relative or a trusted adult about any communication or conversation that was scary or hurtful.
A few very useful cyber safety tips pertaining to parental control and supervision:
- Investing your time together online will give your children an incentive to turn to you with any questions and dilemmas and, more importantly, will educate them about appropriate online behavior;
- Positioning and choice of location might not sound relevant, but common sense and logic suggest otherwise. By keeping the computer in a common area (where you can watch and monitor its use) you are fully aware of the time your child spends on the computer and of their interests and the content choices they make online. So no, the computer should not be positioned in individual bedrooms. The same goes for any other device with internet access besides a laptop or desktop computer, such as tablets and smartphones: be close enough to monitor the content on it visually;
- Use bookmarks to allow your children to have easy access to favorite sites;
- If they frequent gaming sites or certain educational websites, disable purchases and check your credit card and phone bills often for any unknown account charges;
- Also ask about and educate yourself on the options and solutions offered by the school, after-school care, friends’ homes, or any other location where your children have access to the internet without your supervision;
- Be alert, observe and listen for any signs, and encourage your children to discuss and report uncomfortable online exchanges or anything they have seen or heard online that frightened them;
- Be vigilant for any signs that would suggest your children are being targeted by an online predator by looking for answers to these types of questions:
  - Do they spend long hours online, especially at night?
  - Are they receiving phone calls from people you don’t know?
  - Have you noticed unsolicited gifts arriving in the mail?
  - Do they often suddenly turn off the computer or the sound when you walk into the room?
  - Did you notice a sudden withdrawal from family life and hesitation and/or reluctance to talk about their online activities?
But what do we do when they grow older?
It is true, they often do, so how can we maintain the same level of monitoring and supervision if they are not within our immediate reach?
It also comes naturally with age that they would like and appreciate more privacy, but it is still a must to take precautions, such as a simple discussion about the sites and apps they should use and about their online experiences.
If you have not already done so, alert them to the dangers of interaction, especially with people they don’t know, and point out the simple facts that nothing is exactly as it appears online and that people online don’t always tell the truth.
Provide them with understanding and a thorough explanation with respect to the use of passwords as a safeguard against identity theft.
#4 Encourage Critical Thinking
If everything we see in the virtual world were true, we would all be flying magicians or world-renowned innovators, or even be able to multiply ourselves into as many profiles as we need and can use during the day.
Offer criticism and logic, common sense and respect as a baseline of your talks with your children, but don’t forget caution and safeguards.
Teach them how to recognize and block unwanted contacts by phone, email, text, social networking or online games, and make sure they comprehend that what they share with the rest of the online world can be seen by others whom they had not originally thought of or had in mind at all.
On the other hand, their digital footprint could not only last forever; if they master it well, it can also assist them in the future, as it would reflect their skills and creativity.
#5 Set Up Your Internet for Safe Use
We have already mentioned the use of filters and monitoring of internet use, but you could also consider enabling Google SafeSearch on all the devices your household uses.
Within the browser itself, you can enable parental controls on streaming services such as YouTube, Netflix and Apple TV. You can also install software that filters content or lets you choose the times at which devices can and cannot be used, which would address the Steve Jobs attitude mentioned earlier about limiting time spent in the virtual world.
Use the options already installed, like the search history in their browser, and know their email addresses and passwords so you can monitor activity. Many devices use cloud storage, like Google Drive or Apple iCloud, to store data such as documents, photos or videos, and access to it can also be controlled.
Last but not least, educate them about GPS and check-in functions, as these identify the location of your child when they are outside; they can be limited or permanently disabled.
#6 Learn about Social Networks
Of course, it’s out there, and it’s huge – Instagram, Twitter, Facebook, and so many others with a similar function – to connect with other people.
Yes, it’s true, having friends and connecting with others is very important to children and young people. They use it in so many ways these days, whether to maintain contact with family, promote their Instagram, or use WhatsApp, Snapchat or Viber to talk to friends. Apps that involve messaging between individuals are numerous, but they pose a certain degree of danger, especially in situations where children are messaging people they don’t know and trust in real life.
Again, use common sense, logic, inform and educate them about the fact that messages and photos shared can be viewed and obtained by others. Teach them to use and set privacy settings to ensure that their profile is only seen by people they know, and check these settings often.
Teach them how to report abuse or inappropriate content to the social networking service or other agency. Make sure children and young people understand the risks of sending or forwarding sexual texts, images or videos (sexting) and the harm this can cause to themselves and others.
The truth is that they need to know. They need to know your views on things, your perspective and the rationale behind it. It will keep them safe, and it will let parents rest assured that their child is well informed: once an image is sent, they have no control over what happens to it or who sees it, even if they only send it to a friend. Sending sexual images of themselves or others under 18 years could also be classed as possessing and distributing child pornography. This can have serious consequences.
#7 Understand Games and Apps
Games and apps are initially designed to be educational tools that build skills and a sense of achievement, as well as being lots of fun. They can be downloaded from the internet and many are free. Even young children can spend a lot of time playing them.
The best apps are those where children can experiment and try out their own ideas, creating drawings or music. Some apps are less educational and are not much more than repetitive activities. Free apps often have a lot of advertising and in-app purchasing. These can be real purchases and cause “bill shock” for parents. It is also hard for young children to tell the difference between advertising and the game.
One of the first things a parent should do is make sure there is no inappropriate content, violence, sexual images, coarse language or gambling.
Most parents would never encourage their children to gamble. However, simulated gambling may be embedded in children’s games without parents even beginning to realize it.
Exposure to simulated gambling at a young age can make it more likely that children will gamble when older. They can think that gambling is based on skills rather than chance. They often believe the more they play – the better they will get, just as they do in other games. This is reinforced when games make it easier to win than in real-life gambling.
What can be done about it is, again, education, discussion, the use of common sense and logic, and always investing time in explaining things to them. Help them recognize gambling and understand how it works, but also avoid gambling in front of children and do not engage in gambling activity as a family.
#8 Understand Online Violence
Parents should nurture the bond with their children and always lead by example which includes not playing violent games in front of children. Children are quick to spot double standards. You may need to be firm when limiting violent games as some children like these the most.
While a connection between playing violent games and being violent is proven to be false, the graphic nature and adult themes might still create an emotional response in your child, inducing nightmares, fears, and anxiety.
Young people often enjoy multi-player online games. They can play with friends and meet new people with similar interests anywhere in the world. In those instances, parents should remind their children to be cautious about sharing personal information, and should monitor when they play. Some games happen in different time zones, which can mean young people are playing when they should be sleeping.
When children and young people spend a lot of time playing games they spend less time doing slower, more demanding tasks like reading or doing homework.
#9 Trust, Invest Time, Monitor, and Educate
Rather than sounding like a broken record, try to sense when it’s a good time to approach and talk to your children. The result will be rewarding in the form of assurance that they will not make an uninformed decision that might impact their life or your own.
Cyber Safety Advice Checklist for Your Children:
- Avoid posting personal information.
- Once you post something, it’s no longer yours and other people can see it.
- Keep your privacy settings tight and updated.
- Never share passwords with friends or strangers.
- Only add people to your networks that you already know.
- Don’t meet people in person that you met online.
- Inform your parents or guardian about anyone that suggested a meeting.
- Not everyone is honest, so they may not be who they say they are.
- Respect other people even if you disagree with their opinions.
- Always be polite.
- Only use the internet when you are around trusted adults.
- If you see something online that makes you feel unsafe, uncomfortable, scared or worried, leave the site instantly and shut down the device and talk to a trusted adult immediately.
#10 Practice What You Preach
Parents often see their children the same way as when they were born: helpless bundles who will never understand on their own. This is very far from the truth.
Children understand as much as adults, and in this case sometimes more. They will see that you are using your real name on social media, that you are playing games, and that you are not careful with your private information and IP address. This will make them lose confidence in you and stop listening.
If you have chosen to use a VPN provider for your child’s device, use it on your own too. Le VPN offers 5 simultaneous connections on multiple devices, and it will make you safer. Having sincere discussions with your children about safety, security, and prudence is something that you can do even with a very young child, as they will appreciate you talking to them like an equal.
The internet is a marvelous place, and your children will enjoy both the risks and the benefits of it sooner or later. Starting off early and teaching both yourself and your children about the internet will make all of you more aware of the risks and more knowledgeable on the ways you can use the benefits.
Using a VPN provider, such as Le VPN, will provide you with anonymity, but that is just the first step. Similar to traveling the world, you need to know the rules and the tools so as to make your stay as good as digitally possible.
A quick summary of Active Directory to get us started. Active Directory is a Microsoft product which runs several services on a Windows server to manage user permissions and access to networked resources. It stores data as objects – which can be users, groups, applications or devices. These are further defined as either resources – such as printers or computers, or security principals – such as users or groups.
From the above, you will understand just how important it is to secure your Active Directory properly. This can be done in a number of ways including hardening, auditing and detection rules.
The first step you should take is hardening your Active Directory against known attacks and following best practices. There are a lot of great articles out there to follow, starting with the official guide from Microsoft, found here. This contains important topics such as reducing the attack surface, audit policy recommendations and implementing least privilege administrative models.
Next up is activedirectorypro, which details 25 best practices to follow to secure your Active Directory. This contains tips on securing domain admins, local administrators, audit policies, monitoring AD for compromise, password policies, vulnerability scanning and much more.
Finally, in terms of long-read best-practice articles, there is “The Ultimate Guide to Active Directory Best Practices” from DNSstuff. Like the previous two articles, this covers all the important steps to secure your Active Directory.
Domain trusts are an important part of Active Directory security which must not be ignored. Here are some useful articles to understand domain trusts and ensure proper security processes are followed.
- Active Directory Trusts
- Top Ten Issues with Active Directory Trusts and Corporate Mergers
- Fundamentals of Active Directory Trust Relationships
Sven also mentions the importance of securely setting up domain trusts. Along with this, he mentions upgrading DCs to at least 2016. See this article, which details the process of upgrading your DCs to 2016 along with understanding functional levels. Also see the second comment, which details further tips to securely use and set up your domain controllers.
Even though Active Directory is the main focus, ensure you do not forget about any *nix systems connected to your Active Directory. Depending on the connected systems, ensure they are also configured securely using best practices.
The main point I would like to concentrate on is securing privileged access. Incorrectly set up access is one of the main causes of issues, and the article provided by Nathan is great for resolving these. Check out the article regarding securing privileged access here. Also don’t forget to check out the PingCastle and BloodHound tools.
Once you believe you have followed the best practices and hardening, the next step is auditing your environment to see where your Active Directory is still vulnerable.
You should use tools such as BloodHound and PingCastle to audit your Active Directory environment.
Let’s start with BloodHound. This article from ZephrFish details well what BloodHound is, what it is used for and how to use it.
These tools will allow you to find the existing issues in your environment. Take these issues and go back to the start of this post and see the best practices guide to resolve them. Once you are happy that your Active Directory is set up securely, the next step is monitoring rules to detect when malicious actors are attempting to attack your environment.
Once your Active Directory environment has been set up securely and audited, the next step is setting up monitoring rules using a SIEM. To learn more about SIEM, check out my “Learn SIEM for free” article.
As always, there are a large number of rules in the Sigma repository which we can use to monitor Active Directory. The rules can be found in this directory. Please check the log source > definition under each rule, which details the audit / log requirements for that rule.
There were also a couple of useful comments regarding detection rules.
UltimateWindowsSecurity have a fantastic list of Windows Security Events. They have lots of useful information around WSEL and examples which help you understand them better. Larry is also working on a list of rules which you can check out here.
Sysmon allows for much more detailed monitoring of events and should always be deployed on domain controllers. See the guide from Microsoft here, which explains what Sysmon is, what it can be used for and how to set it up. Once set up, Sysmon logs can be sent to a central SIEM for more accurate monitoring of events. The Sigma repository above has some rules which require Sysmon. For a more in-depth look into Sysmon, check out this guide from Varonis.
At this point you will now have your Active Directory set up securely, audited and well monitored. I hope you have found this article useful and learned something from it. I’d like to thank everyone again who replied to the thread with useful resources, points and articles of their own.
What Is Threat Modeling?
Threat modeling is a proactive approach to identifying entry points to enumerate threats and building security measures to prevent security breaches in applications and computer and network systems. It’s an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application and systems. You can use threat modeling to shape your application’s and system’s design and improve security.
Threat modeling provides a good foundation for the specification of security requirements during application development. When applied during the early phases of software development, threat modeling empowers developers in several ways. These range from verifying application architecture, identifying and evaluating threats and designing countermeasures to penetration testing based on a threat model. There is, however, a paucity of established techniques and tools for threat modeling and analysis.
What Most Threat Models Include
Because each one is unique in nature, most threat models do not look the same, but they generally include the following basics:
- A description of the threat
- A list of assumptions regarding the function of the software or organization that can be reviewed in the future
- Actions for each vulnerability
- How to review and verify that the vulnerabilities are being watched and are secure
Why is threat modeling necessary?
As organizations become more digital and cloud-based, IT systems face increased risk and vulnerability. Growing use of mobile and Internet of Things (IoT) devices also expands the threat landscape. And while hacking and distributed-denial-of-service (DDoS) attacks repeatedly make headlines, threats can also come from within–from employees trying to steal or manipulate data, for example.
Smaller enterprises are not immune to attacks either–in fact they may be more at risk because they don’t have adequate cybersecurity measures in place. Malicious hackers and other bad actors make risk assessments of their own and look for easy targets.
Threat Modeling Methodologies
OCTAVE (Practice Focused)
The Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology was one of the first created specifically for cybersecurity threat modeling. Developed at Carnegie Mellon University’s Software Engineering Institute (SEI) in collaboration with CERT, the OCTAVE threat modeling methodology is heavyweight and focused on assessing organizational (non-technical) risks that may result from breached data assets.
Using this threat modeling methodology, an organization’s information assets are identified and the datasets they contain receive attributes based on the type of data stored. The intent is to eliminate confusion about the scope of a threat model and reduce excessive documentation for assets that are either poorly defined or are outside the purview of the project.
Though OCTAVE threat modeling provides a robust, asset-centric view, and organizational risk awareness, the documentation can become voluminous. OCTAVE lacks scalability – as technological systems add users, applications, and functionality, a manual process can quickly become unmanageable.
This method is most useful when creating a risk-aware corporate culture. The method is highly customizable to an organization’s specific security objectives and risk environment.
Trike Threat Modeling (Acceptable Risk Focused)
Trike threat modeling is a unique, open source threat modeling process focused on satisfying the security auditing process from a cyber risk management perspective. It provides a risk-based approach with a unique implementation and risk modeling process. The foundation of the Trike threat modeling methodology is a “requirements model.” The requirements model ensures the assigned level of risk for each asset is “acceptable” to the various stakeholders.
With the requirements model in place, the next step in Trike threat modeling is to create a data flow diagram (DFD). System engineers created data flow diagrams in the 1970s to communicate how a system moves, stores and manipulates data. Traditionally they contained only four elements: data stores, processes, data flows, and interactors.
The concept of trust boundaries was added in the early 2000s to adapt data flow diagrams to threat modeling. In the Trike threat modeling methodology, DFDs are used to illustrate data flow in an implementation model and the actions users can perform within a system state.
The implementation model is then analyzed to produce a Trike threat model. As threats are enumerated, appropriate risk values are assigned to them from which the user then creates attack graphs. Users then assign mitigating controls as required to address prioritized threats and the associated risks. Finally, users develop a risk model from the completed threat model based on assets, roles, actions and threat exposure.
However, because Trike threat modeling requires a person to hold a view of the entire system to conduct an attack surface analysis, it can be challenging to scale to larger systems.
P.A.S.T.A. Threat Modeling (Attacker Focused)
The Process for Attack Simulation and Threat Analysis is a relatively new application threat modeling methodology. PASTA threat modeling provides a seven-step process for risk analysis which is platform insensitive. The goal of the PASTA methodology is to align business objectives with technical requirements while taking into account business impact analysis and compliance requirements. The output provides threat management, enumeration, and scoring.
The PASTA threat modeling methodology combines an attacker-centric perspective on potential threats with risk and impact analysis. The outputs are asset-centric. Also, the risk and business impact analysis of the method elevates threat modeling from a “software development only” exercise to a strategic business exercise by involving key decision makers in the process.
PASTA threat modeling works best for organizations that wish to align threat modeling with strategic objectives because it incorporates business impact analysis as an integral part of the process and expands cybersecurity responsibilities beyond the IT department.
This alignment can sometimes be a weakness of the PASTA threat modeling methodology. Depending on the technological literacy of key stakeholders throughout the organization, adopting the PASTA methodology can require many additional hours of training and education.
STRIDE Threat Modeling (Developer Focused)
STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Microsoft’s threat modeling methodology, commonly referred to as STRIDE, aligns with their Trustworthy Computing directive of January 2002. The primary focus of that directive is to help ensure that Microsoft’s Windows software developers think about security during the design phase.
The STRIDE threat modeling goal is to get an application to meet the security properties of Confidentiality, Integrity, and Availability (CIA), along with Authorization, Authentication, and Non-Repudiation. Once the security subject matter experts construct the data flow diagram-based threat model, system engineers or other subject matter experts check the application against the STRIDE threat model classification scheme.
This methodology is both well documented and well known owing to Microsoft’s significant influence in the software industry and their offering of Microsoft TMT.
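The check described above, run over a small data flow diagram, as an added example that is not part of the original article or of Microsoft's tooling. The element-type applicability chart is the commonly used STRIDE-per-element mapping (an assumption, not stated on this page), and the diagram and mitigation records are constructed sample data.

```python
from dataclasses import dataclass

# STRIDE category -> the security property it violates (properties named in the text).
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-Repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# Assumption: the common STRIDE-per-element applicability chart (not from this page).
APPLICABLE = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(STRIDE),
    "data_store": ["Tampering", "Repudiation", "Information Disclosure", "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of the keys of APPLICABLE

def enumerate_threats(elements):
    """Return (element, category, violated property) for every applicable pair."""
    threats = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {el.kind!r}")
        for category in APPLICABLE[el.kind]:
            threats.append((el.name, category, STRIDE[category]))
    return threats

def open_threats(elements, mitigated):
    """Threats with no recorded mitigation; `mitigated` holds (element, category) pairs."""
    return [t for t in enumerate_threats(elements) if (t[0], t[1]) not in mitigated]

# Constructed sample DFD for a small web application.
DFD = [Element("Browser user", "external_entity"), Element("Login request", "data_flow"),
       Element("Web app", "process"), Element("User database", "data_store")]
# Constructed review state: mitigations already recorded by the team.
MITIGATED = {("Login request", "Tampering"), ("Login request", "Information Disclosure"),
             ("Web app", "Spoofing")}

if __name__ == "__main__":
    for name, category, prop in open_threats(DFD, MITIGATED):
        print(f"{name:15} {category:24} violates {prop}")
```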
VAST Threat Modeling (Enterprise Focused)
The Visual, Agile, and Simple Threat modeling (VAST) methodology was conceived after reviewing the shortcomings and implementation challenges inherent in the other threat modeling methodologies. The founding principle is that, in order to be effective, threat modeling must scale across the infrastructure and entire DevOps portfolio, integrate seamlessly into an Agile environment and provide actionable, accurate, and consistent outputs for developers, security teams, and senior executives alike.
A fundamental difference of the VAST threat modeling methodology is its practical approach. Recognizing that the security concerns of development teams are distinct from those of an infrastructure team, this methodology calls for two types of threat models.
Why Should You Threat Model?
Threat modeling gives a complete picture of the threats and possible attack paths. These attack paths can subsequently be used, for instance, to create efficient test scenarios, adjust the design, or define additional mitigating measures. Besides the result itself, the threat modeling workshop is a great way to raise security awareness and improve collaboration.
This allows you to execute concrete next steps in improving security.
When using the cloud, we often overlook the issue of security and assume the cloud provider will handle it. However, it is important to understand that the security responsibility does not lie solely with the cloud provider. Security is a shared responsibility when using the cloud.
Below I try to outline the different responsibilities in securing the cloud for each of the stakeholders.
Designed to provide the highest degree of flexibility and management control to customers, IaaS services also place more security responsibilities on customers. Let’s use Amazon Elastic Compute Cloud (Amazon EC2) as an example.
When customers deploy an instance of Amazon EC2, the customer is the one who manages the guest operating system, any applications they install on these instances and the configuration of provided firewalls on these instances. They are also responsible for overseeing data, classifying assets, and implementing the proper permissions for identity and access management.
While IaaS customers retain a lot of control, they can lean on CSPs to manage security from a physical, infrastructure, network, and virtualization standpoint.
In PaaS, more of the heavy lifting is passed over to CSPs. While customers focus on deploying and managing applications (as well as managing data, assets, and permissions), CSPs take control of operating the underlying infrastructure, including guest operating systems.
From an efficiency standpoint, PaaS offers clear benefits. Without having to worry about patching or other updates to operating systems, security and IT teams recoup time that can be allocated to other pressing matters.
Of the three deployment options, SaaS places the most responsibility on the CSP. With the CSP managing the entire infrastructure as well as the applications, customers are only responsible for managing data, as well as user access/identity permissions. In other words, the service provider will manage and maintain the piece of software—customers just need to decide how they want to use it.
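The split described above for IaaS, PaaS and SaaS can be turned into a check that every customer-side layer of each workload has a named owner. This is an added example, not code from the article or from any cloud provider; the layer names, the workload inventory and the team names are constructed for illustration.

```python
# Layers named in the text, ordered from provider side (bottom) to customer side (top).
LAYERS = ["physical", "infrastructure", "network", "virtualization",
          "guest_os", "application", "data", "identity_access"]

# Lowest layer the customer secures in each model, per the split described above.
CUSTOMER_STARTS_AT = {"IaaS": "guest_os", "PaaS": "application", "SaaS": "data"}

def customer_layers(model):
    """Layers the customer must secure under the given service model."""
    if model not in CUSTOMER_STARTS_AT:
        raise ValueError(f"unknown service model: {model!r}")
    return LAYERS[LAYERS.index(CUSTOMER_STARTS_AT[model]):]

def ownership_gaps(workloads):
    """Map workload name -> customer-side layers that have no internal owner."""
    gaps = {}
    for w in workloads:
        missing = [layer for layer in customer_layers(w["model"])
                   if not w["owners"].get(layer)]
        if missing:
            gaps[w["name"]] = missing
    return gaps

# Constructed inventory: each workload lists which team owns which layer.
INVENTORY = [
    {"name": "billing-vm", "model": "IaaS",   # nobody owns guest OS patching
     "owners": {"application": "billing-team", "data": "billing-team",
                "identity_access": "platform-team"}},
    {"name": "orders-api", "model": "PaaS",   # permissions are unowned
     "owners": {"application": "orders-team", "data": "orders-team"}},
    {"name": "crm", "model": "SaaS",
     "owners": {"data": "sales-ops", "identity_access": "it-helpdesk"}},
]

if __name__ == "__main__":
    for name, layers in ownership_gaps(INVENTORY).items():
        print(f"{name}: no owner for {', '.join(layers)}")
```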