Page 1422 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

but purchased from vendors. Some of this software is purchased to run on servers managed by the organization, either on premises or in an infrastructure as a service (IaaS) environment. Other software is purchased and delivered over the internet through web browsers, in a software as a service (SaaS) approach. Most organizations use a combination of these approaches depending on business needs and software availability.

For example, organizations may approach email service in two ways. They might purchase physical or virtual servers and then install email software on them, such as Microsoft Exchange. In that case, the organization purchases Exchange licenses from Microsoft and then installs, configures, and manages the email environment.

As an alternative, the organization might choose to outsource email entirely to Google, Microsoft, or another vendor. Users then access email through their web browsers or other tools, interacting directly with the email servers managed by the vendor. In this case, the organization is only responsible for creating accounts and managing some application-level settings.

In either case, security is of paramount concern. When the organization purchases and configures software itself, security professionals must understand the proper configuration of that software to meet security objectives. They also must remain vigilant about security bulletins and patches that correct newly discovered vulnerabilities. Failure to meet these obligations may result in an insecure environment.

In the case of SaaS environments, most of the security responsibility rests with the vendor, but the organization's security staff isn't off the hook. Although they are responsible for far less configuration, they now take on responsibility for monitoring the vendor's security. This may include reviewing the vendor's audit reports and independent assessments, performing vulnerability scans where the service agreement permits them, and other measures designed to verify that the vendor maintains proper controls. The organization may also retain full or partial responsibility for legal and regulatory compliance obligations, depending upon the nature of the regulation and the agreement in place with the service provider; outsourcing the service does not, by itself, outsource accountability for the data it holds.