Exam CAS-004
Question 88

A pharmaceutical company recently experienced a security breach within its customer-facing web portal. The attackers performed a SQL injection attack and exported tables from the company's managed database, exposing customer information.

The company hosts the application with a CSP utilizing the IaaS model. Which of the following parties is ultimately responsible for the breach?

    Correct Answer: A

    In an Infrastructure as a Service (IaaS) model, the cloud service provider (CSP) is responsible for the underlying infrastructure: physical hosts, storage, networking and the virtualization layer. Under the shared responsibility model, the customer, here the pharmaceutical company, is responsible for everything it runs on that infrastructure: guest operating systems, middleware, the database it installs and administers, the application code and the data. The breach was caused by a SQL injection flaw in the company's own customer-facing web application, which let the attacker read and export tables from the company-managed database. That vulnerability lies entirely within the customer's side of the model (secure coding, input validation, parameterized queries, least-privilege database accounts), so the pharmaceutical company is ultimately responsible for the breach.
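    The following is an added example, not part of the original question or explanation, showing why the flaw sits on the customer's side: the vulnerable query builds SQL by string concatenation, so a tautology payload returns every customer row and a UNION payload enumerates the schema (the first step toward "exporting tables"), while the parameterized version treats the same input as a plain value. The customers table, its rows and the payloads are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example; not data from the page.
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Constructed attacker inputs. The first closes the string literal and appends
# a tautology; the second appends a UNION that reads table definitions from
# SQLite's catalog, the kind of schema discovery that precedes a table dump.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
SCHEMA_PAYLOAD = "x' UNION SELECT 0, name, sql FROM sqlite_master WHERE type='table' --"


def make_db():
    """Create an in-memory SQLite database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: user input is spliced into the SQL text, so it can change the query."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: the SQL text is fixed and the input is bound as a value."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against both payloads and summarize what each returned."""
    conn = make_db()
    dumped = lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)
    schema = lookup_vulnerable(conn, SCHEMA_PAYLOAD)
    return {
        # every customer row comes back through the tautology
        "vulnerable_rows_dumped": len(dumped),
        # table names leaked via the catalog UNION
        "vulnerable_tables_enumerated": [row[1] for row in schema],
        # the same payloads match nothing when bound as parameters
        "parameterized_rows": len(lookup_parameterized(conn, TAUTOLOGY_PAYLOAD))
        + len(lookup_parameterized(conn, SCHEMA_PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the fix is an application-code change owned by the company, not something the IaaS provider can apply on its behalf; the provider never sees the query text.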

Discussion
snilu (Option: A)

If it's using IaaS, the company is managing their systems, including the web portal. Why would the CSP be responsible?

BotWayne (Option: A)

IaaS = Infrastructure as a Service. So the CSP provided the hardware. What the pharmaceutical company puts on that hardware is their business. The fact it was breached via SQL injection, i.e. software coding, means the web application was the point of ingress. Therefore, the onus is on the Pharma company.

RevZig67 (Option: A)

The company is managing the DB.

dangerelchulo (Option: A)

IaaS means that the responsibility is passed on to the customer, in this case the Pharma Company. The scenario also only indicates that the database is managed by the company but doesn't explain who controls the web page. When SQL injection happens, it is due to a poorly coded user interface in the web and not the database manager. I will say that the one at fault is the Web developer, therefore they are responsible. I could also make the case that the company is responsible for hiring a bad Web developer. Can't decide if A or C.

jbandin696969 (Option: A)

I believe the pharmaceutical company is responsible for their own data in an IaaS model. https://www.techtarget.com/searchcloudcomputing/feature/The-cloud-shared-responsibility-model-for-IaaS-PaaS-and-SaaS

EZPASS (Option: A)

I agree. A is the correct answer.

Agrona (Option: A)

In the Shared Responsibility model, this would fall under the company's responsibility.

23169fd (Option: A)

In the IaaS model, while the CSP ensures the infrastructure's security, the pharmaceutical company is responsible for securing its application, including protecting against SQL injection attacks.

Delab202 (Option: A)

Customer Responsibilities:

Application Security: The pharmaceutical company is responsible for securing its customer-facing web portal and the application code. This includes protecting against common vulnerabilities like SQL injection through proper input validation, parameterized queries, and other secure coding practices.

Data Security: The security of customer information stored in the database is the responsibility of the customer. This includes implementing proper access controls, encryption, and ensuring data is not exposed due to vulnerabilities like SQL injection.

BiteSize (Option: A)

The data owner is responsible for the data. Also even more responsible than normal, because the CSP only provides infrastructure. All patching of systems and security is supposed to be conducted by the customer in an IaaS. Source: verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)