Cloud Security and Governance by Sumner Blount & Rob Zanella
Author: Sumner Blount & Rob Zanella [Blount, Sumner]
Language: eng
Format: azw3, mobi, pdf
ISBN: 9781849280983
Publisher: IT Governance Publishing
Published: 2016-06-15T00:00:00+00:00
Some of the most important issues of Cloud security include the following:
Data protection and privacy
As stated earlier, the protection and privacy of corporate data is typically the biggest inhibitor to the adoption of Cloud Computing. In fact, a customer's data often represents the "family jewels," and the loss or exposure of that data could be catastrophic.
Although data protection is strongly related to other areas of security (e.g. identity and access management), there are some key areas of data protection that need specific analysis:
Segregation of data: How is your data segregated from the data of other customers? Are the mechanisms to isolate customers' data sufficient? In a virtualized environment, for example, virtual instances can be "hardened," so that client data is securely segregated. A detailed analysis of the infrastructure and architecture is needed to validate that you are protected. In general, you can choose to avoid co-locating your data with that of any other Cloud client, but it might increase your cost.
Location of data: Your information will reside on one or more physical machines, and may be moved around on occasion. Determine if the possible location of your data will meet your specific business, regulatory and security needs. Also, how much control do you have over its location? In addition, its physical location may subject you to legal mandates of the country where it is located, which might be onerous. The Data Protection Directive implemented by the European Commission in 1995 (EU Council Directive 95/46) strives to protect the privacy of individuals. As part of the directive, personal data may only be transferred to countries outside the EU if that country provides an adequate level of protection. The Safe Harbor Principles were created in a negotiation between US representatives and specific members of the EU. These principles guide how personal data is to be handled. Violations of these principles can have far-reaching consequences. For example, a US-based company that uses an EU-based Cloud provider would be subject to EU Privacy Laws. These are complex areas that need detailed legal and regulatory analysis and specification within the provider's Terms of Service.
Protection of data at rest: What are the encryption mechanisms? Are they sufficient? How are encryption keys managed? What are the authentication and authorization mechanisms used to protect data, and are they appropriate, given the value of your data? Are users given only the minimum access rights necessary for their job function, and can you review their access privilege reports? Finally, how can the provider prove to you that no breach of your data has occurred?
Protection of in-transit data: How is data moved around? If it is moved, are you aware of it, and would it impact on you? How is it transmitted from you to the provider? Is it encrypted?
Physical back-up of data: Is your data stored offline in archival storage? If so, review the procedures for when and how it is archived, as well as the security policies of the off-premise storage facility.
Data leak prevention: How can you be assured
