- Quantity. Organizations should provide information about how many data centers are used to store and process data.
- Physical Security. Information about the physical provisions that secure the data centers should be available.
- Data Backup and Data Redundancy. It should be possible to back up data and store it in several locations. The user should receive information about the backup procedures.
- Location. Information about the location of the data centers should be provided. In the best case the user can choose where the data will be stored and processed.
- Data loss. The handling of data loss should be stated in a contract, SLA or terms of service.
- Data isolation. Because of multi-tenancy and its complexity, it is important how data will be isolated.
Data Security
- Data sanitization techniques should be implemented.
- Auditing and certifications should be verifiable.
- Data Encryption and Key Management. Techniques like PKI, PKCS, KEYPROV (CT-KIP, DSKPP) or EKMI should be implemented.
- Data/Vendor Lock-in. Exit strategies and other options should be stated in a contract.
- Data ownership. It should be clear who possesses the data and who is responsible for it.
- Identity and Key Management. Evidence of access and authentication is necessary.
- Implementation of incident response strategies.
- Monitoring of data security.
- Implementation of network security strategies.
3.4 Data Protection According to the Upcoming EU Data Protection Regulation
Important for the security of data is again Article 26, which states that a controller has to choose a processor providing sufficient guarantees about the implementation of all technical measures, so that the processing will comply with the EU data protection regulation. The processing shall be governed by a contract. In other words, the controller has to protect himself legally with a contract; otherwise he may be held responsible for data breaches.
Data Loss / Data Breach: According to Article 30 "Security of processing", controller and processor have to ensure an adequate level of security with appropriate technical measures. Both shall take these measures to protect personal data against unlawful or accidental destruction or accidental loss, and have to prevent unlawful forms of processing, in particular any unauthorized disclosure, dissemination, access or alteration of personal data.