Cloud Computing” [9]. The different areas are Governance, Compliance, Trust,
Architecture, Identity and Management, Software Isolation, Data Protection,
Availability, and Incident Response.
The Cloud Security Alliance published their security guidance for critical areas regarding cloud computing with the focus on governing and operating issues [3]. The governing part includes Governance and Enterprise Risk Management, Legal Issues, Compliance and Audit, Information Management and Data Security, Interoperability and Portability. The operating part includes Traditional Security, Business Continuity, Disaster Recovery, Data Center Operation, Incident Response, Application Security, Encryption and Key Management, Identity, Entitlement, Access Management, Virtualization, and Security as a Service.
The Australian Government's Cloud Computing Security Considerations [11] provide a checklist of questions covering the security issues an organization has to deal with when using cloud computing.
The described approaches enumerate what an organization has to consider with regard to security and privacy. Our evaluation framework combines these approaches and additionally considers the upcoming EU data protection regulation. We provide a checklist for general security and privacy considerations as well as for legal and organizational requirements according to the upcoming EU data protection regulation.
3.1 Legal and Organizational Requirements
Legal and organizational requirements cover governance, service level agreements, support and information, and compliance.
Governance includes the accountability, responsibility and transparency of an organization. To demonstrate that these requirements are fulfilled, certifications and audits are used. Certifications and audits on which users can rely are important, since users are not able to gain complete insight into all security-relevant issues. Hence, the provider should publish information about certifications such as PCI DSS, ISO/IEC 27001, etc., and audit reports against standards like SAS 70 Type II (since superseded by SSAE 16 / SOC reports). Third-party audits should be a vital part of any assurance program.
Service Level Agreements (SLAs) are a contract between a provider and a user on the level of the provided service. SLAs and Terms of Service are essential to a reliable cloud provider. Service Level Agreements should contain:
- Adequate system availability (uptime, response time)
- Service credits in case of outages
- Adequate compensation for a breach
- Notification in cases of failure or critical situations
Support and Information should be made available by the provider in a transparent and easily accessible way. The user should get as much information as possible; therefore, support and documentation by the provider are necessary. The following points should be made available: