
Guide for companies: security and privacy of cloud computing

INFORMATION SECURITY OBSERVATORY

Edition: October 2011

The "Guide for companies: security and privacy of cloud computing" has been developed by the team of the Information Security Observatory of INTECO: Pablo Pérez San-José (management), Cristina Gutiérrez Borge (coordination), Eduardo Álvarez Alonso, Susana de la Fuente Rodríguez and Laura García Pérez.

The present publication belongs to the National Institute of Communication Technologies (INTECO) and is licensed under Creative Commons Attribution-NonCommercial 3.0 Spain, and therefore you may copy, distribute and transmit this work under the following conditions: Attribution: The content of this report may be reproduced in full or partially by third parties, citing its source and making express reference both to INTECO and to its website: www.inteco.es. Such attribution may in no case suggest that INTECO supports said third party or endorses the use that it makes of his work. NonCommercial Use: The original material and the works derived may be distributed, copied and displayed as long as its use is not for commercial purposes.

For any reuse or distribution, you must make clear the license terms of this work. Some of these conditions may not apply if permission is obtained from INTECO as owner of the copyright. Nothing in this license diminishes or restricts the moral rights of INTECO. http://creativecommons.org/licenses/by-nc/3.0/es/ The present document complies with the accessibility conditions of PDF (Portable Document Format). It is a structured and labelled document, provided with alternatives to all non-textual elements, markup language and appropriate reading order. For more information on the creation of accessible PDF documents you can consult the guide available in the section Accessibility > Training > Manuals and Guides on the website http://www.inteco.es

The National Institute of Communication Technologies (INTECO) (http://www.inteco.es), a public corporation attached to the Ministry of Industry, Trade and Tourism through the State Department for Telecommunications and for the Information Society, is a platform for developing the Knowledge Society through projects in the field of innovation and technology. The mission of INTECO is to provide value and innovation to individuals, SMEs, Public Authorities and the information technology sector by developing projects which contribute towards increasing confidence in our country's Information Society services, while also promoting an international course of participation. To this end, INTECO will develop actions in the following areas: Security, Accessibility, ICT Quality and Training.

The Information Security Observatory (http://observatorio.inteco.es) falls within INTECO's strategic course of action concerning Technological Security, and is a national and international icon in serving Spanish citizens, companies and authorities in order to describe, analyse, assess and spread the Information Society's culture of security and trust.

INTECO would like to thank the Spanish Association of Privacy Professionals (APEP) (http://www.apep.es) for its collaboration in the preparation of this guide, especially its president Ricard Martínez for his personal contribution.

Index

1 INTRODUCTION TO CLOUD COMPUTING
  1.1 CLOUD COMPUTING AS EVOLUTION OF TECHNOLOGY
  1.2 THE PLACE OF CLOUD COMPUTING IN IT DEVELOPMENT
  1.3 SERVICE LEVELS
  1.4 SERVICE DEPLOYMENT MODELS
  1.5 TYPE OF PROVIDERS

2 MAIN FEATURES OF CLOUD COMPUTING
  2.1 UBIQUITOUS ACCESS TO DATA
  2.2 ECONOMIC ASPECTS
  2.3 SCALABILITY AND FLEXIBILITY
  2.4 RELOCATION OF DATA AND PROCESSES
  2.5 DEPENDENCE ON THIRD PARTIES

3 LEGAL FRAMEWORK
  3.1 REGULATION OF THE LOPD
  3.2 REGULATION OF THE LSSI
  3.3 REGULATION OF THE PENAL CODE
  3.4 THE LEGAL SYSTEM OF DESTINATION COUNTRIES

4 RISKS OF CLOUD COMPUTING
  4.1 ABUSE AND MALICIOUS USE
  4.2 INTERNAL INFORMATION LEAKS
  4.3 INSECURE APIS
  4.4 IDENTITY FRAUD
  4.5 RISK PROFILE IGNORANCE

5 SECURITY IN THE CLOUD
  5.1 SECURITY ON THE PART OF THE CLOUD COMPUTING PROVIDER
  5.2 SECURITY ON THE PART OF THE CLIENT

6 PRIVACY IN THE CLOUD
  6.1 DATA PROTECTION
  6.2 INTEGRITY
  6.3 ACCESS CONTROL
  6.4 LOSS PREVENTION

7 STEPS FOR ENTERING THE CLOUD
  7.1 ANALYSIS OF NEEDS AND OPPORTUNITIES
  7.2 OFFER OF SERVICES IN THE CLOUD
  7.3 LIABILITY AND TERMS OF USE
  7.4 USE OF MIGRATION MECHANISMS


1 INTRODUCTION TO CLOUD COMPUTING

In recent years, organisations have watched with anticipation the emergence and development of cloud computing, the paradigm of computing in the cloud (also called "the cloud"), under which all information resources can be stored on third-party servers and accessed through the Internet. Providers have data processing centres to serve multiple users. In exchange, customers receive support that adapts flexibly to the needs and peculiarities of their activity at any given time. This model offers great possibilities for companies and entities in terms of investment and economies of scale, relocation, access to information from anywhere, and so on.

While there is no conclusive data on the adoption of the cloud in Spain, a series of factors [1] have been identified that may favour its expansion in the public and private sectors: development of the ICT sector, a business network dominated by SMEs, the geographical layout of the population and the potential of the public sector, amongst others.

The present document offers an overview of the cloud computing model for all kinds of organisation, looking closely at its main implications for security and privacy, which are the keys to ensuring success in the use of services in the cloud.

Throughout the present guide, the reader will find the terms entity, company, organisation, client, contractor or user, according to the role they take in the specific situation under discussion in each section.

1.1 CLOUD COMPUTING AS EVOLUTION OF TECHNOLOGY

Cloud computing, or computing "in the cloud", is a technology proposal or model that enables the provision of computer services through the Internet in which the resources, software and data are provided on demand. The objective of this new model is that the company or end user does not have to worry about the technical details and they can use any application with their web browser. Cloud computing is the sum of the evolution of several technologies:

- Increase in processing capacity. Since the origin of computing, the computation capacity of personal computers has been increasing dramatically.
- Internet connection. The Net has become an almost indispensable tool in people's everyday lives. Its evolution involves an increase in connection speed and in the number of connections in homes and in the workplace.
- Mobile devices. The miniaturisation of computer components has allowed the emergence of mobile devices that enable permanent connection to the Internet. Nowadays, a business must be able to connect to the resources of the company both from desktop computers and from mobile devices, which makes ubiquity and mobility highly important requirements.

[1] Bankinter Foundation for Innovation (2010). Cloud Computing. La tercera ola de las Tecnologías de la Información (The third wave of Information Technologies).

As regards the history of computing in the cloud, the following events stand out:

- In 1961, John McCarthy suggested that advances in computing and communications would mean that "computation may someday be organized as a public utility", just like the business model for water or electricity.
- At the end of the 90s, Amazon technicians realised that they had a large computer infrastructure but were only using 10-15% of its capacity. They saw the possibilities of offering these services to users and in 2006 introduced Amazon Web Services [2].
- During the years 2007 and 2008, large companies such as Google and IBM joined forces with North American universities to begin large-scale research on cloud computing. As a result of this research, in January 2009 Eucalyptus emerged, an open source platform that allowed the creation of systems in the cloud compatible with Amazon Web Services.

In conclusion, advances in the three areas mentioned above (processing capacity, Internet connection and mobile devices), together with important investments made by the large companies that dominate the world technology scene, have brought about the rapid evolution and introduction of cloud computing, to the point that many users already enjoy services in the cloud without even realising it.

[2] Amazon Web Services (AWS): http://aws.amazon.com/


1.2 THE PLACE OF CLOUD COMPUTING IN IT DEVELOPMENT

The evolution of information technology in recent years can be simplified into the following milestones:

- Mainframes. At the start of the 60s, computers were very expensive devices, difficult to maintain and to use. Companies had large computers, known as mainframes, to do the most critical and complicated tasks. Generally, these were not connected to the Net and were used for handling large quantities of data such as censuses or economic transactions.
- Client-server architecture. Between the 70s and 80s, personal computers came into general use in the workplace; they were less expensive and less powerful, but allowed the performance of basic tasks. In addition, companies had a set number of more powerful computers that were entrusted with keeping the most sensitive data as well as the applications that needed more resources. These computers with greater processing capacities were called servers, while the machines with more limited resources at each workstation were called clients. Client-server architecture was born.
- Collaborative and distributed architectures. The complexity of computer applications has been increasing over time, which has required the creation of more complex systems to efficiently solve all of the new needs. For example, grid computing uses a variable number of computers working collaboratively to solve complex problems for which they individually do not have enough resources. On the other hand, peer-to-peer (p2p) architecture is a distributed architecture in which all the nodes are both consumers and suppliers of information. These architectures are widely used today.

The cloud computing model does not replace the above architectures, but it radically changes the way in which computer applications are used and understood, because it allows you to maximise the strengths of the Internet, mobile devices and personal computers.

1.3 SERVICE LEVELS

To understand the functioning of cloud computing it is essential to understand the three levels at which the service may be provided.

1. Infrastructure as a Service (IaaS). This is the highest service level. It is responsible for delivering a complete processing infrastructure to the user on demand. The user has one or more virtual machines in the cloud with which they can, for example, increase the size of the hard disk in a few minutes or obtain greater processing or router [3] capacity, paying only for the resources they use. This level can be seen as an evolution of the Virtual Private Servers currently offered by hosting [4] companies.
2. Platform as a Service (PaaS). This is an intermediate level, responsible for delivering a complete processing platform to the user, fully functional and without having to buy and maintain the hardware and software. For example, a web developer needs a web server that serves their pages, a database server and an operating system. This level is responsible for providing all these services.
3. Software as a Service (SaaS). This level is responsible for delivering software as a service through the Internet whenever the user demands it. This is the lowest level, which allows access to the application using a web browser, without requiring the installation of additional programs on the computer or mobile telephone. Office automation suites which can be accessed online are a good example of this level.

Illustration 1: Examples of services delivered at each level of cloud computing

[3] Router: Device that distributes traffic between networks.

[4] Hosting: Service offered by companies consisting of providing accommodation within their servers to the web pages of other companies, with the purpose of storing information, videos, photographs or any type of data that they wish to have accessible on the Net.


1.4 SERVICE DEPLOYMENT MODELS

Cloud computing systems can be grouped into the following main categories:

- Public clouds are those in which all of the control of the resources, processes and data is in the hands of third parties. Multiple users can use web services that are processed on the same server; they can share disk space or space on other network infrastructures with other users.
- Private clouds are those created and administrated by a single entity that decides where and how the processes are executed within the cloud. This is an improvement in terms of security and privacy of the data and processes, as the sensitive data remains on the computer infrastructure of the entity, and the entity controls which user accesses each service of the cloud. However, the entity remains in charge of purchasing, maintaining and administrating the entire hardware and software infrastructure for the cloud.
- In hybrid clouds the two models above coexist. For example, a company makes use of a public cloud to maintain its web server while it keeps its database server on its private cloud. In this way, a communication channel is established between the public and private cloud through which the sensitive data remain under strict control, whereas the web server is administrated by a third party. This solution reduces the complexity and cost of the private cloud.
- A fourth service deployment model has emerged: community clouds, which are shared between various organisations that form a community with similar principles (mission, security requirements, policies and regulatory requirements). A community cloud may be managed by the community or by a third party. This model can be viewed as a variation of the private cloud model.


1.5 TYPE OF PROVIDERS

The current scene leads users towards two possible solutions. The first would be to contract cloud hosting and the second would be to use the specific cloud computing services offered by large companies.

1. Cloud hosting services are similar to the services offered by traditional hosting companies. The main difference is that in a cloud service you pay for what you use, and system resources can be increased or reduced in a matter of minutes. In a traditional hosting system you have to know what processing capacity you are going to need, and even what version of operating system you are going to use, before contracting the services.
2. Cloud computing services offered by the large companies in the IT sector enable you to obtain greater personalisation in the computing solution contracted. Because this option provides more functionality, it also requires greater technical knowledge on the part of the contractor to make the most of its features.

There are tools and functionalities of cloud computing that are offered for free on the Net, such as collaborative pages and platforms in Web 2.0.


2 MAIN FEATURES OF CLOUD COMPUTING

2.1 UBIQUITOUS ACCESS TO DATA

With cloud computing can you work from anywhere?

The main feature of cloud computing is ubiquitous access (from anywhere) to information. You only need a web browser and an Internet connection to enjoy services in the cloud; you do not need a specific operating system or specific software installed on each client. You can use a laptop, mobile telephone or a games console connected to the Net to access cloud applications at any time.

At present, mobile technologies are an important part of a company's business model. The combination of mobile and fixed devices creates new opportunities in the development of business activities, allowing full operational capacity.

This feature is a great advantage over other technologies, although it is important to point out that there are limitations: it is not possible to use cloud applications without an Internet connection. Also, the quality and speed of the connection must be high to be able to use the service properly. As a general rule, desktop applications (those programs installed on a computer) have a higher performance than web applications because they can make better use of all the computer resources.


2.2 ECONOMIC ASPECTS

Is it necessary to make a big investment to introduce the model into the organisation?

When deploying a new service, the IT model based on cloud computing allows for reduced costs compared to the traditional model, since the entity has to assign fewer resources, both direct (hardware, maintenance, staff, etc.) and indirect (facilities, supplies, etc.), in such a way that part of the fixed costs becomes variable. At the same time, entities can contract a service in the cloud for an amount per month and, depending on how their needs develop, increase or decrease the processing resources, knowing that they can pay for actual use.

2.3 SCALABILITY AND FLEXIBILITY

How much time does it take from the moment you realise you need more resources to the moment they are available?

The ease with which you can add or remove resources is also an advantage over the traditional model. Outside the cloud, when a system administrator needs to install an additional hard disk unit, he must choose the product and follow a protocol to purchase, receive, install and configure the equipment before it can be put into service. If after a time the volume of users drops or system functionalities change, you will not be able to backtrack.

Due to the great scalability and flexibility of cloud computing, all service providers offer the possibility of adding or removing resources in a matter of minutes, increasing the storage or the number of processors without affecting the application. You don't have to install anything on the operating system, or configure additional hardware units. In the same way, if after a while you realise that the service in the cloud does not require so much processing capacity, you can reduce the resources, adapting them to the volume of work required at any time.


2.4 RELOCATION OF DATA AND PROCESSES

Do you know the company where your information is stored?

In a traditional system, the system administrator knows on what machine the data is stored and which server is responsible for each process. The cloud model uses different virtualisation technologies to be able to offer all the functionalities required, and therefore control is lost in terms of location. This does not mean that the data or processes are lost on the Internet, as the client retains control over who can access or modify this information.

The advantage is that you can have both data and processes in the most convenient place for the organisation. For example, you can use multiple copies of a server and distribute them across data processing centres in various parts of the world to improve access times for users. Furthermore, it facilitates the maintenance of backups not only of data but of the entire server, operating system and programs installed on it.

The location of the data can have a significant effect on the applicable legal framework and the contract conditions. In certain cases you may have to comply with the requirements provided for international transfers of personal data.

2.5 DEPENDENCE ON THIRD PARTIES

Does the company lose control over its information and processes?

Whether you work in a public cloud or a hybrid cloud, there will be a company contracted to provide the necessary services. The benefit of relying on these companies is that they are in charge of the maintenance of all hardware, specialised areas for the data processing centres, electricity and Internet connectivity, etc.

The service providers in the cloud not only host a web server (as happens in traditional hosting), but also all the processes and data that are in the cloud, as well as backups. That is, they share part of the control with the user or organisation.

The establishment of an appropriate level of transparency in the market at the time of negotiating the terms and conditions in the contracts is essential to offset the lack of control derived from depending on third parties.


3 LEGAL FRAMEWORK

Cloud computing has its principal foundation in the remote management of information. Organisations transfer a large quantity of information, in some cases sensitive, onto servers belonging to third parties. This involves numerous legal implications, all the more so where data is hosted on servers in another country, to the extent that two or more jurisdictions converge and the need arises to determine aspects such as the applicable Law, the competent courts or the conditions required so that the transfer of data to the systems of the provider can be viable and in turn authorised by the national authority for data protection.

On signing the corresponding contract or terms of use, the client or contractor is bound to accept a specific jurisdiction. In Europe, the general framework as regards data protection and free movement of the same is set by Directive 95/46/EC, hereinafter the Directive [5]. The national transposition carried out by each Member State makes it necessary to take the national Law into account as a guiding criterion. There are also Decisions and Communications from the European Commission and documents adopted by the main players at the European level on the subject, such as the European Network and Information Security Agency (ENISA) [6], from which the fundamental nature of the applicable legal framework is deduced.

3.1 REGULATION OF THE LOPD

Organic Law 15/1999 of 13 December on the Protection of Personal Data (LOPD) regulates the aspects relating to the processing of personal data and the free movement of the data. The Spanish Data Protection Authority (AEPD) [7] is the control body responsible for ensuring compliance with this regulation within Spanish [8] territory.

Firstly, both the company contracting the service and the provider must take into account the definition of personal data established in article 3 of the LOPD: personal data is any information concerning an identified or identifiable physical person.

[5] Directive 95/46/EC of the European Parliament and of the Council, of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] Source: ENISA (2011). Security and Resilience in Governmental Clouds.

[7] More information: https://www.agpd.es/

[8] Other Data Protection Agencies exist autonomously, in the Autonomous Communities of Madrid, Catalonia and in the Basque Country.


- If the data with which you are going to work in the cloud belongs to this category, the company that processes it must first comply with the set of obligations included in the LOPD: registration of files, duties related to the collecting of information, the consent and the quality of the data, guarantee of the so-called ARCO rights (Access, Rectification, Cancellation and Opposition) and the adoption of security [9] measures.
- If the data with which you are going to work in the cloud are not personal data (they are, for example, complex mathematical operations, physics and/or chemistry calculations, etc.), you can proceed without the LOPD posing any obstacle.

Also, in the case of cloud computing it is essential to review the conditions of the contract in order to ensure that they adequately provide for the issues related to the presence of a data processor and/or an international transfer of personal data.

3.1.1 Provision of services by third parties not connected to the controller

In the provision of cloud computing services by third parties not connected to the controlling organisation, what the LOPD and its Implementing Regulation (RDLOPD) [10] call a processing order is created. This is a provision of services in which the data is the object of some type of processing by the lender/provider, who becomes the data processor.

A data processor is defined as the natural person or legal entity, public or private, or administrative body that, alone or jointly with others, processes personal data on behalf of the data controller, due to the existence of legal relations binding them and delimiting the scope of his action for the provision of a service (Article 5 RDLOPD).

The following table lists the basic principles which must be satisfied by the contractual clauses related to access to data by third parties and the security of the data, as well as the figure to whom said clause is addressed.

[9] More information: Spanish Data Protection Authority (2008). Guía del responsable de ficheros.

[10] Royal Decree 1720/2007, of 21 December, which approves the Regulation implementing Organic Law 15/1999, of 13 December, on the protection of personal data or RLOPD.


Aspects to consider: Access to data by third parties
Articles involved: Article 12 LOPD; Articles 20, 21 and 22 RDLOPD
Content of contractual clauses:

The controller must:
- Oversee that the processor meets the guarantees for compliance with the provisions of the RDLOPD.
- Include a description of the set of instructions that the processor applies for processing the data.
- Establish the security measures that the data processor is obliged to introduce.

The processor must:
- Use the data exclusively for the contracted purposes. Otherwise, you become responsible and you must be accountable for the offense committed.
- Not communicate this information to third parties, not even for its conservation.
- Be authorised by the controller to subcontract [11] and comply with all the requirements of the LOPD and RDLOPD on this subject.
- Destroy or return the processed information to the controller once the contract is completed. You should comply with the obligation to return by migrating data to a new provider.

Aspects to consider: Data security
Articles involved: Article 9 LOPD; Title VIII RDLOPD
Content of contractual clauses:

The controller must:
- Adopt the technical and organisational means necessary to ensure security of the files.
- Avoid losing information and avoid access or processing by unauthorised staff.
- Establish preventive measures against the various risks to which the data are subject, whether from human action, technology or dependent on the physical or natural environment.

[11] Allow subcontracting. The access of a third party to data is not considered data communication when said access is necessary for the provision of a service to the data controller.


It must be taken into account that the existence of the contract regulated by article 12 of the LOPD excludes the application of the regulation provided for personal data communications and therefore facilitates the deployment of services based on cloud computing.

The figure of the processor is examined very specifically by Title VIII of the RDLOPD. Its article 82 points out the need for measures to be fixed accurately in the contract, taking into account the nature of the provision, whether it is carried out on the premises of the controller or on those of the processor, and the security conditions that affect remote access. The set of security measures provided by the law and its regulation aims to guarantee the integrity and security of the files in the processing centres, premises, equipment and programs, and the availability of the information [12].

How do articles 9 and 12 of the LOPD affect cloud computing?

The service provider in the cloud is responsible for maintaining security in its data processing centres. Usually an inspection of its security measures by the client interested in contracting its services will not be possible. On the other hand, except in very specific cases, contracting will be done through general conditions, -that is, using contracts that respond to a general model for a category of clients- and additionally privacy policies may be expected. Therefore it will be essential for the client to make certain that the service provider undertakes to respect and satisfy the obligations contained in the LOPD and the Directive and in particular, in relation to the security of data and access to data by third parties. The difficulty in these cases lies in that in practice you can achieve the result envisaged by legislation by using a method different from the usual. In accordance with the Law, on accepting the terms of use the provider becomes the data processor and can solely process them according to the instructions of the data controller (the client), without applying them or using them for a different purpose to that established, or communicate them to other persons. However, given that in reality the providers of the sector use general conditions it will be necessary to check beforehand that these are adapted to the provisions of the Spanish Law and the degree of regulation of the provider itself to incorporate in turn additional clauses, choosing between those offers that guarantee this compliance.
12 See the Data Security Guide (2010) and the tool EVALUA of the Spanish Data Protection Agency that enables identification of the set of security measures provided and testing their compliance.


On the other hand, the adoption of security measures and the guarantee of confidentiality, integrity and availability of the data not only have a dimension related to regulatory compliance but also to the prestige and reputation of the organisation. When the provider is subject to Spanish Law it must guarantee regulatory compliance, that is the RDLOPD and, in turn, if the client is a public administration the requirements that derive from the National Security 13 and Interoperability 14 Schemes. When the provider is not subject to Spanish regulation, except when it is a country governed by the provisions of article 17 of the Directive, it is advisable to check that the security measures provided by it comply with the principles and objectives of our regulation.

3.1.2 Cross-border data transfer

What should the company do when the data stored in the cloud is located in another country?

Article 33 and Article 34 of Title V of the LOPD on International Movement of Data and the RDLOPD respond to this question. The cloud computing market is global, since it is usual for the data to be located outside of Spain and even in several different countries. The international transfer of data is defined as the processing of data that involves transferring it outside the territory of the European Economic Area, whether it constitutes a transfer or communication of data, or it aims to carry out data processing on behalf of the data controller established in Spanish territory. In the case where the processor is established and/or using means for data processing in a Member State, the controller must apply the security obligations as defined in the legislation of the Member State of the processor, independently of the agreements reached by both parties 15. For the international transfer of data, a distinction must be made between the countries integrated in the European Economic Area and third party states outside of this geographical area. In the first case, the data processor is governed by ordinary rules. Where the provision is made in countries outside the European Economic Area, the regime established by Articles 33 and 34 of the LOPD will operate.

13 Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.

14 Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of Electronic Administration.

15 According to article 17.3 of Directive 95/46/EC (in relation to article 4).


Articles involved and contents of each article:

Article 33 LOPD: The temporary or permanent transfer of personal data to other countries that do not offer a level of protection comparable to the LOPD is not permitted. On occasion this transfer is permitted with prior administrative authorisation of the Spanish Data Protection Authority (AEPD) 16.

Article 34 LOPD: Such authorisation is not necessary:
- In the exceptional assumptions of Article 34.a and 34.j of the LOPD.
- In the case of countries for which the Commission has stated that it considers them to have an appropriate level of protection of personal data 17.

When these circumstances do not apply, it is necessary to obtain authorisation from the Director of the AEPD following the procedure established by Section One of Chapter V of Title IX of the RDLOPD. It is very important to take into account that when the contract follows the criteria fixed in the different models of standard contractual clauses established by Decisions of the European Commission 18, Article 70.2 of the RDLOPD points out that the adequate guarantees shall be considered established.

16 According to the procedure provided in the First Section of Chapter V of Title IX of the RDLOPD.

17 These are: Switzerland, Argentina, Guernsey, Isle of Man, Jersey, Faroe Islands, Andorra, Israel. There are two countries with certain peculiarities: Canada, in which organisations subject to Canadian data protection laws are considered safe, and the United States, regarding companies who have subscribed to "Safe Harbour", that is, the principles of Safe Harbour for the protection of private life and the corresponding most frequent questions, published by the Department of Trade of the United States.

18 Specifically, the Decisions of the European Commission in question are:
- Commission Decision 2001/497/EC of 15 June 2001 on "Standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC".
- Commission Decision 2001/497/EC of 15 June 2001 on "Standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC" (repealed with effect from 15 May 2010).
- Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.


3.2 REGULATION OF THE LSSI

Service providers from the information society (data hosting services in the cloud and access to Internet) must comply with the requirements established in Law 34/2002, on the Information Society Services and Electronic Commerce (LSSI). Specifically, the service providers established in Spain are obliged to inform their clients permanently, easily, directly and freely on:
- The technical resources applied to increase security of the information (such as antivirus programs, antispyware and mail filters).
- The security measures that apply in the provision of services.
- The current tools for filtering and restricting access to certain content and services on the Internet which is unwanted or potentially harmful to children and young people.
- In the case of Internet access providers, they should also communicate to users the liabilities they may incur for unlawful use of the Net.

In addition to the legal provisions cited, Law 32/2003, the General Law on Telecommunications, also ensures compliance with the obligations regarding the secrecy of communications and protection of personal data, as well as the rights and obligations of a public nature linked to electronic communications networks and services, imposing at the same time the relevant sanctions for noncompliance.

3.3 REGULATION OF THE PENAL CODE

The range of issues that arise in a cloud environment can be very complex, although in this section we examine in particular the crime of fraud. The features of the cloud model, such as relocation and transfer of data and processes to third parties, may invite possible con men to create fake websites in the cloud to appropriate sensitive information provided by the users, or to distribute malware in this environment to carry out phishing attacks online. The Penal Code regulates the crime of fraud in Article 248 (recently reformed according to Organic Law 5/2010, of 22 June) and in particular it establishes that:

1) Those who commit fraud deceive another for profit, leading them to perform an act in detriment to themselves or others.

2) Also deemed con men are:

a. Those who, for profit and through some computer manipulation or similar, make an unauthorised transfer of any assets in detriment of another, including the information in this category.

b. Those who manufacture, introduce, own or provide computer programs specifically aimed at committing fraud.

c. Those who use credit or debit cards, or traveller's cheques, or data appearing in any of these to carry out operations of any kind in detriment of their owner or of a third party.

Depending on the amount defrauded, the financial loss caused to the victim, the relationship between the victim and the defrauder, the means employed by him and other possible circumstances that serve to assess the incident, different sanctions are imposed on the con man, as contained in said legal text.

3.4 THE LEGAL SYSTEM OF DESTINATION COUNTRIES

The choice of country of destination of the data that are the object of a provision based on cloud computing must not only take into account the standards that regulate the information and communications technologies, but the whole of the Legal System. The Spanish Constitution and the Treaties of the European Union are in keeping with a constitutional tradition that safeguards the fundamental rights of individuals. Therefore, locating data in a country in which these rights are not guaranteed violates in some way the spirit of the Spanish constitutional model and a way of conceiving human rights. Precisely for this reason, Article 37.1.f and Article 70.3 RDLOPD enable a transfer to be temporarily refused or suspended when the situation of the protection of fundamental rights and public liberties in the destination country, or its legislation, prevents the guarantee of the complete performance of the contract and the exercise by data subjects of the rights guaranteed by the contract. On the other hand, sometimes the destination countries may confer extraordinary powers on their intelligence services, or on their security forces and agencies, for access to information contained on servers under their jurisdiction. Although on the majority of occasions these are probably perfectly regulated measures which conform to our constitutional values, their possible intensity should be examined in the risk analysis prior to the location not only of personal data, but also of that information and resources that the organisation wishes to safeguard against any external access (see section 5.2 Security on the part of the client).

4 RISKS OF CLOUD COMPUTING


As with all technology, cloud computing is not exempt from risks. The more complex the computing infrastructure used, the more potential vulnerabilities appear. Below are described the main security and privacy risks that may have an impact on resources in the cloud 19:

4.1 ABUSE AND MALICIOUS USE

Cloud computing offers a great number of advantages and opportunities that are also being exploited by computer pirates. Attacks such as password 20 theft, spam mail, captchas 21 farms or distributed denial-of-service attacks 22 become much simpler and cheaper. Cyber delinquents can plan their attacks contracting services in the cloud to later execute them in a matter of hours. Furthermore, the resources used will be withdrawn once the attack is finished, thus making their pursuit difficult. Similarly, they can contract storage services in the cloud to keep malicious or stolen data. In this way, they make it difficult for the authorities to access this information (due to the complexity it involves) to act against the attackers.

4.2 INTERNAL INFORMATION LEAKS

The threat can also come from the company itself, through human error or deliberate actions of cloud users. These incidents trigger loss of information, with resulting damage to the company image and the potential legal consequences. To avoid these situations, the organisations use measures such as the incorporation of confidentiality clauses in employment contracts or the establishment of security policies.

4.3 INSECURE APIS

The API 23 is the single point of interaction with the programs that are running in the cloud. As the gateway to cloud services, APIs become a critical point of system security and privacy. Each service provider in the cloud offers its own connection APIs, which allow operations ranging from starting or stopping the services in the cloud to increasing or decreasing their resources.

19 Source: Banegas, M. (Telefónica España Grandes Clientes). Presentation "Security in Cloud Computing". ENISE 4 (2010).

20 Password cracking is a computer process that consists of deciphering the password of certain applications to obtain unauthorised access.

21 Captcha is the acronym of Completely Automated Public Turing test to tell Computers and Humans Apart. It is a challenge-response test used in computing to determine whether the user is human or not.

22 Distributed Denial of Service (DDoS). The distributed denial of service consists of attacking a computer system to consume all its resources (for example, the bandwidth), preventing access to legitimate users.

23 Application Programming Interface. An application programming interface is the set of functions and procedures that libraries offer to be used by other software as an abstraction layer.


Without a proper security policy, APIs may undergo malware attacks so that they carry out additional actions or those different from the actions originally programmed. With this, the attackers pursue the theft and/or access to information of the victim.

4.4 IDENTITY FRAUD

Identity fraud is a current risk both in traditional computing systems and in the cloud computing model. However, it has a special relevance in the latter. In the majority of computer systems you must identify yourself before performing any task. Usually, this identification is through the combination of user name and secret code or password. Depending on how you are using cloud computing, this traditional combination of user and password may not be sufficiently robust. You have to investigate other much more secure systems to avoid identity fraud on the Net. One solution to increase security is the use of an electronic DNI as a means of identity as it includes cryptographic measures and biometrics as a complement to the traditional security measures.

Illustration 2: Electronic DNI image

4.5 RISK PROFILE IGNORANCE

Security management in traditional computer environments has been studied for a long time. It is relatively simple to apply computing solutions to increase the security, making unauthorised entries difficult or reducing system vulnerabilities.


However, cloud computing involves a previously unknown evolution. It offers new functionalities and increases business opportunities, but in turn it is a model that can be exploited by new threats on the Net. This does not mean that it is less safe than previous models, simply that there is less experience of attacks and security experts are studying the new modus operandi of the malicious users at the same time as potential design errors. Among these concerns, experts stress the use of shared 24 technologies, especially in relation with the necessary isolation of information of different users in the same infrastructure. In view of this, cloud service providers must maintain their efforts to ensure a service without cracks where each user has access solely to their own information.

24 Source: INTECO-CERT (2011). Riesgos y amenazas en cloud computing. (Risks and threats in cloud computing)

5 SECURITY IN THE CLOUD

Using services in the cloud involves a change in the way we understand information security. The traditional image, in which all company services are in the basement of the building where only the computer administrators can gain access, ceases to exist. When using cloud computing an important part of the security system falls on the company that provides the services in the cloud. To understand the information security model applied here it is necessary to know the different players involved:
- Service provider in the cloud: company that has the information infrastructure necessary for hosting the programs following the cloud computing model.
- Client: person, organisation or company that contracts services in the cloud. The client pays a certain amount of money to enjoy the benefits of cloud computing.

The end user, or person or group of persons who use the program, may be different from the client. For example, a company may contract services in the cloud to host a web server to be accessed by its employees, as shown in the image below.

Illustration 3: Example of participants in cloud computing

The security mechanisms that can be applied to protect the data hosted in the cloud must be considered as collaborative work between the two parties (service provider in the cloud and client), as both must assume some responsibilities. The performance of joint security audits is a best practice to check that the whole system is protected against potential threats.

5.1 SECURITY ON THE PART OF THE CLOUD COMPUTING PROVIDER

The cloud service provider is responsible for ensuring the physical security in its data processing centres. They should prevent unauthorised persons from entering said buildings to, for example, steal their equipment. Similarly, they should keep their equipment updated, both hardware and software, to deal with threats existing on the Internet. The provider uses mechanisms such as virtualisation and segmentation of data to strengthen the security of their services in the cloud.

Virtualisation can be seen as a form of increasing the security of the processes that are carried out in the cloud. Several virtual machines can be run on a single server but each virtual machine runs an operating system in isolation. Memory and disk space are controlled by a hypervisor 25 that prevents processes running on different virtual machines from interacting with each other. The major risk which the service provider must face as regards this mechanism is the control and removal of malicious software that tries to evade the protections of the hypervisor to gain access to other virtual machines and even the host system.

The relocation of the data is a feature that may also be exploited as a security mechanism itself. The segmentation of data allows the client data to reside on different servers, even in different data centres. In this way said data is protected against a hypothetical theft on the premises of the service provider. Also, when keeping the data in several places simultaneously, there is a backup system practically in real time. Thus, faced with security errors, you can recover the activity rapidly, allowing continuity of business.

25 Hypervisor: virtualisation platform that allows you to use different operating systems at the same time.


5.2 SECURITY ON THE PART OF THE CLIENT

For their part, the client is responsible for keeping the operating system updated and installing the security patches that appear. It is also necessary to maintain traditional security policies such as user control, deletion of user accounts that are no longer used, or the review of software to check that there are no vulnerabilities, amongst others. The specific mechanisms that the client may adopt to strengthen security in the cloud include perimeter control, cryptography and the management of event log files.

On the part of the client, one of the pillars of information security is perimeter control. To accomplish this, we advise installing and configuring a firewall, a computer application that is in charge of monitoring all communications that are made to and from your computer or network and decides whether they are permitted depending on the rules established by the system administrator. To add another level of network security, we also recommend installing and configuring an Intrusion Detection System or IDS 26. An IDS is a computer application that not only blocks or permits connections but that analyses these connections to detect whether any of them is carrying content which may be harmful for the computer or network. In addition it is capable of categorising the different threats and informing the system administrator following a list of rules and heuristics.

Cryptography is another of the mechanisms that is going to play a leading role in the use of cloud services. Cryptography provides a high level of security in three main aspects:

- Protection of Internet connections between users and applications in the cloud. The use of Secure Sockets Layer (SSL) 27 and Transport Layer Security (TLS) 28 ensures that all data that travels from the cloud server to the user is encrypted, preventing access to third parties even when an unsecure Wi-Fi network is used.

26 Intrusion Detection System.

27 Secure Sockets Layer: SSL protocol. Provides authentication and privacy of information between extremes on the Internet through the use of cryptography.

28 Transport Layer Security: TLS. Consists of a cryptographic protocol that provides secure communications through the Internet. TLS is an independent protocol that allows the protocols of a higher level to act on top of it transparently. Based on SSL from Netscape 3.0. TLS assumes the evolution of its predecessor, although they are not interoperable.


Illustration 4: Amazon.com SSL Certificate

- Protection of connections between the system administrators and cloud services. In this case, the use of Secure Shell (SSH) 29 and Virtual Private Network (VPN) 30 will allow the system administrators or application developers to maintain a safe channel of communication with the cloud systems.

Illustration 5: Protection of cloud computing connections

29 Secure Shell: Interpreter of secure orders. The name of a protocol and the program that implements it, and serves to access remote machines through a network.

30 Virtual Private Network: VPN. A network technology that allows an extension to the network on a public or non-controlled network, such as for example the Internet.


- Data protection using cryptography. If you use the cloud as a data storage system we recommend that you use an appropriate encryption level for those sensitive data that are going to be placed there. In this way, if any unauthorised user intercepts the data or has access to the file system in the cloud, this user will not be able to read the content placed there without knowing the encryption key.

Illustration 6: Use of encrypted archives in Ubuntu One

The only way to check computer activity, detect incidents and formulate a plan of action to prevent a reoccurrence in the future is to manage the system logs 31. Although it is likely that you will not have access to all the information about system events, the client must store and review all the logs that are under their responsibility. For example, the log of users who access the application, manipulate or delete files on the virtual machine, or the log of potentially harmful connections detected by the IDS and by the firewall. We also advise making frequent backups of these logs and even storing them on a different machine because if an attacker takes control of the system in the cloud it could destroy the log files thus erasing their footprints.

31 Log: text file which gathers all the activity that takes place on a certain computer, allowing certain programs that its owner or administrator authorises to detect illegal activities and identify, using their IP address, the corresponding user.
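The advice to keep a copy of the logs on a different machine can be checked in practice. The following added example (not part of the original guide) compares the log found on the cloud host with the off-host copy and reports which entries were erased or altered; the log format, addresses, class and function names are constructed for illustration.

```python
import hashlib

# Constructed log lines in a made-up format; addresses are documentation ranges.
HOST_LOG = [
    "2011-10-03T08:01:12 app login user=alice src=192.0.2.10",
    "2011-10-03T08:04:40 fw DROP src=198.51.100.7 dst_port=22",
    "2011-10-03T08:05:02 app login user=backup src=198.51.100.7",
    "2011-10-03T08:05:31 app delete user=backup path=/srv/data/payroll.db",
    "2011-10-03T08:06:00 ids ALERT src=198.51.100.7 sig=outbound-transfer",
]

GENESIS = "0" * 64


def running_digests(lines):
    """Digest i covers line i and every line before it, in order."""
    head, out = GENESIS, []
    for line in lines:
        head = hashlib.sha256((head + "\n" + line).encode("utf-8")).hexdigest()
        out.append(head)
    return out


class OffHostCopy:
    """Kept on a different machine: every shipped line plus its running digest."""

    def __init__(self):
        self.lines = []
        self.digests = []

    def append(self, line):
        prev = self.digests[-1] if self.digests else GENESIS
        digest = hashlib.sha256((prev + "\n" + line).encode("utf-8")).hexdigest()
        self.lines.append(line)
        self.digests.append(digest)


def compare(host_lines, copy):
    """Return ('ok', None), ('modified', i) or ('truncated', i).

    i is the index of the first entry where the host log stops agreeing
    with the off-host copy.
    """
    host = running_digests(host_lines)
    for i, (h, c) in enumerate(zip(host, copy.digests)):
        if h != c:
            return "modified", i
    if len(host) < len(copy.digests):
        return "truncated", len(host)
    return "ok", None  # the host may hold newer lines that were not shipped yet


def erased_lines(host_lines, copy):
    """Entries recorded off-host that no longer appear on the host."""
    status, index = compare(host_lines, copy)
    if status == "ok":
        return []
    remaining = host_lines[index:]
    return [line for line in copy.lines[index:] if line not in remaining]


def ship_all(lines):
    """Build the off-host copy as each line is produced."""
    copy = OffHostCopy()
    for line in lines:
        copy.append(line)
    return copy


if __name__ == "__main__":
    copy = ship_all(HOST_LOG)
    # Constructed incident: two entries removed from the log on the cloud host.
    tampered = HOST_LOG[:2] + HOST_LOG[4:]
    print(compare(tampered, copy))
    for line in erased_lines(tampered, copy):
        print("erased on host:", line)
```

Because each digest depends on all earlier lines, the comparison needs only the off-host digests to find where the host log diverges; the stored lines are then used to recover what was removed.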

6 PRIVACY IN THE CLOUD


Information is the most important asset of organisations. Ensuring the privacy of information during its life cycle is crucial when using cloud computing services.

6.1 DATA PROTECTION

The life cycle that the data processed in the cloud follows is described below:
- The data is prepared to be able to adapt to the cloud, converting its format and creating a file that contains all the necessary information.
- The data "travels" to the cloud through an Internet connection, via email, through a specific application to import it or by transferring to the cloud the backup obtained from a server in the organisation.
- The data is processed in the cloud, from its storage to the calculation of complex mathematical operations. It is important to mention that the data is stored in backups on the cloud to facilitate future access.
- The final data "travels" back to the user. Once processing is complete, the end result should return to the user with the added value of the information generated in the cloud.

The mere fact that the data leaves the organization can constitute a risk from the point of view of privacy: a malicious user could intercept the data while it is being transferred over the Internet. Even if it is not intercepted, the data is being stored and processed in computer infrastructure beyond the user's control.


The mechanisms to minimise these privacy risks are very simple. Before migrating to processes in the cloud we advise asking yourself: "Is it really necessary for the entire organisation's data to be in the cloud?" The following example clarifies this question.


A company in charge of processing employee payslips decides to use cloud services. This company has databases of thousands of workers with DNI, name, postal address, gross income, workplace, withholding percentage, number of hours worked, etc. The mathematical operation that this company wishes to make in the cloud is the calculation of the net income that must be given to each employee at the end of the month. Is it necessary for all employee data to be migrated to the cloud? Do you really need an employee's DNI to deduct the percentage of income tax?

A safe solution is to send to the cloud only the data needed to carry out the calculation of the income, i.e. the gross income and the withholding percentage. Instead of sending to the cloud the name or the DNI to identify the worker, you create a new identifier (for example, a number) that allows you to correctly assign the new value to each worker. In this way, a possible attacker who intercepts the communications is prevented from interpreting this data. Furthermore, the service provider in the cloud should never have sensitive data on its systems; they should only contain mathematical values without knowing who they belong to or what they contain.

6.2 INTEGRITY

To maintain the proper integrity of the data means that these remain the same during transfer, storage and recovery operations. In the field of cloud computing, integrity of the data is especially critical: the data is constantly being transferred between the cloud services and the different users who access them. Due to the features of cloud computation, several users can be accessing and changing certain information at the same time. Therefore mechanisms must be implemented that ensure the proper integrity of the data. The major threat for data integrity in the cloud is that the data becomes corrupted due to errors in its handling. If you do not detect that there has been a problem during transfer and the data is stored erroneously, the next time the user wishes to access this data he will not be able to use it. To avoid a situation whereby data in the cloud cannot be used or that it is not available three principal mechanisms are used: integrity control, change management and backups.


Integrity control uses mathematical functions (summary function or hash) to check that the data has not undergone modifications during its transfer. The process consists of obtaining a value for the hash function before moving the data and another when moving is finished. If these values do not match it is because there has been a problem in the transaction and it must be repeated. In the case of cloud computing summary functions are not only used for files but also for complete virtual machines or for backups.

Change management maintains a record of changes to data or files stored in the cloud. Each change is associated to a date stamp and the user who produced it. If it detects that several users have modified the resource at the same time it can analyse the date stamp to check which version is valid. Similarly, if an integrity error is detected in the resource you can return to a previous version that is correct.
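The payroll example from section 6.1 and the integrity control described above fit together in one pipeline. The following added example (not part of the original guide) sends only pseudonymised rows to a simulated cloud, compares SHA-256 digests before and after each move, and repeats a transfer that fails the check; the record layout, function names and the corrupting channel are assumptions made for illustration.

```python
import hashlib
import json
import secrets

# Constructed sample records; the DNI values and names are made up.
EMPLOYEES = [
    {"dni": "00000001A", "name": "Ana Example", "gross": 2400.00, "withholding_pct": 15.0},
    {"dni": "00000002B", "name": "Luis Sample", "gross": 3100.00, "withholding_pct": 19.0},
]


def minimise(employees):
    """Split records into a local lookup table and a cloud payload.

    The payload keeps only what the calculation needs (gross income and
    withholding percentage) under a random identifier. The table linking
    identifiers to DNIs never leaves the organisation.
    """
    lookup, payload = {}, []
    for emp in employees:
        ref = secrets.token_hex(8)  # random, not derived from the DNI
        lookup[ref] = emp["dni"]
        payload.append({"ref": ref, "gross": emp["gross"],
                        "withholding_pct": emp["withholding_pct"]})
    return lookup, payload


def pack(rows):
    """Serialise rows; return the bytes and the digest taken before the move."""
    blob = json.dumps(rows, sort_keys=True).encode("utf-8")
    return blob, hashlib.sha256(blob).hexdigest()


def receive(blob, expected_digest):
    """Recompute the digest after the move and refuse data that changed."""
    if hashlib.sha256(blob).hexdigest() != expected_digest:
        raise ValueError("digest mismatch: the transfer must be repeated")
    return json.loads(blob.decode("utf-8"))


def send_with_retry(rows, channel, max_attempts=3):
    """Send rows through channel(bytes) -> bytes, repeating on a mismatch."""
    blob, digest = pack(rows)
    for attempt in range(1, max_attempts + 1):
        try:
            return receive(channel(blob), digest), attempt
        except ValueError:
            continue
    raise RuntimeError("transfer failed integrity control %d times" % max_attempts)


def cloud_net_income(rows):
    """What the provider computes: it only sees ref, gross and percentage."""
    return [{"ref": r["ref"],
             "net": round(r["gross"] * (1 - r["withholding_pct"] / 100), 2)}
            for r in rows]


def rejoin(lookup, results):
    """Back inside the organisation, assign each result to its employee."""
    return {lookup[r["ref"]]: r["net"] for r in results}


def flaky_channel():
    """Constructed channel that corrupts the first transmission only."""
    state = {"calls": 0}

    def channel(blob):
        state["calls"] += 1
        if state["calls"] == 1:
            return blob[:-1] + b"?"  # one byte altered in transit
        return blob
    return channel


def run_payroll(employees):
    lookup, payload = minimise(employees)
    in_cloud, upload_attempts = send_with_retry(payload, flaky_channel())
    results, _ = send_with_retry(cloud_net_income(in_cloud), lambda b: b)
    return rejoin(lookup, results), payload, upload_attempts


if __name__ == "__main__":
    net_by_dni, payload, attempts = run_payroll(EMPLOYEES)
    print("sent to cloud:", payload)
    print("upload attempts:", attempts)
    print("net income per employee:", net_by_dni)
```

A plain hash detects accidental corruption, which is the threat this section describes; it does not by itself authenticate the sender.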

Backups are the last line of defence to ensure the integrity of the data. Making adequate use of the tools in the cloud you can schedule backups from time to time. If an integrity failure is detected at a general level, the only way of solving it is to revert to a previous version of the system stored as a backup.

6.3 ACCESS CONTROL

Just as happens with traditional architectures, access control also plays an important role in cloud computing. Although this technology is informally represented as a cloud which connects everyone from their computers (both fixed and mobile devices), it does not mean that any person can access any data or process in the cloud. You must distinguish clearly between the services that are offered freely and for free in the cloud and the use of resources in the cloud for personal or business use.


You can use email systems in the cloud, such as Gmail or MSN Hotmail, and this does not mean that any person can read the email of another freely. However, perhaps the most complete example for discussing access control in the cloud is Picasa. Picasa is a free storage and organisation system for photos in the cloud. When creating a new album, the user has the option of choosing whether these photos are public and visible to everyone, to be seen only by a set of persons, or if it is a private gallery to which only the user has access. In this specific case, it is the user of Picasa who establishes the access control policy, using the system as an exhibitor of images for everyone or as a private backup system of photos. Extending the previous example, when a company or entity uses cloud computation capabilities, the system administrator must establish proper access control to ensure that users only use the data or processes for which they are authorised.

6.4 LOSS PREVENTION

One of the biggest risks any information system has to deal with is the loss of data, whether it is because a user has accidentally deleted information, due to hardware failure or because of a computer attack. Losing data not only means having to redo part of the work done, but in many cases it can mean substantial economic losses. The solution to this problem is approached from two main points of view. On the one hand, a proper security policy restricts the freedom of users to delete parts of the system, protects the equipment in view of a malicious software attack and also prevents persons outside of the organisation from accessing or corrupting the data. The service provider is responsible for solving any of the problems related to electronic components. If an error is detected in any of the equipment within its premises, it is automatically isolated and all the processes run on it are moved to another machine that has no problems. This process may last only a few minutes and can even be performed without cutting the service, allowing uninterrupted availability of cloud services. On the other hand, a proper backup policy allows the recovery of data even when all security measures have failed or when there is a breakdown in some hardware component. All service providers in the cloud offer backup systems completely transparent to the user. You only have to choose the assets that you want to protect and the frequency with which you want these copies. Recovery against an attack can be as simple as restoring a previous snapshot of the virtual machine.


The features described above allow you to have a robust system prepared for carrying out proper disaster recovery, that is, for assuring business continuity.

Lastly, there is another advantage related to mobile devices, which are used more and more in companies and from which you access the organisation's information: laptops, USBs, mobiles, etc. These devices can be stolen or lost, exposing large amounts of completely personal data outside of the organisation. If cloud systems are used, even if you lose a mobile or someone steals a laptop, the information will remain inaccessible to third parties.


7. STEPS FOR ENTERING THE CLOUD

Once you have understood how cloud computing works and the different possibilities that it offers, it is time to think about whether the company or entity can benefit from them. A possible diagram for making decisions is the following 32:

Illustration 7: Decision making diagram

The following sections include the different steps that must be followed for "jumping" into the cloud:

7.1 ANALYSIS OF NEEDS AND OPPORTUNITIES

Firstly, the company or entity must examine:

- The characteristics of its activity:
  o Business areas suitable for migration.
  o Set of users who will take advantage of the opportunities of cloud computing. For example, people who work remotely or users who travel a lot. You must take into account the needs of this group of users and the possibility that they are well suited to the solutions based in the cloud.

32 See footnote 5.


- Budget: using cloud applications can save you a large amount of money in the purchasing of software licenses. Therefore, a good starting point would be to use office suites in the cloud instead of buying and installing an office suite for each of the organisation's computers.

Illustration 8: Example of an evaluation of operating variables

- The security and failure tolerance parameters that each organisation must define in its ideal model of cloud computing are organised into four categories:
  o Preparing the organisation to provide an acceptable level of service while protecting the confidentiality and integrity of the information.
  o Delivery of the service: ability of the systems to provide the services in accordance with the requirements established in the service agreement.
  o Response and recovery: criteria to measure the capacity of the system to restore itself in case of incidents or failures.
  o Specific legal and regulatory compliance.

- Service levels and deployment models. Based on sections 1.3 Service levels and 1.4 Service deployment models.


Based on the parameters established, carry out a SWOT analysis to identify the strengths, weaknesses, opportunities and threats of each cloud model for the organisation. This analysis should be a minimum that the entity can complement with more comprehensive methods, such as risk analysis. With this analysis, the organisation must obtain the information for identifying the most suitable cloud model for each circumstance.

7.2 OFFER OF SERVICES IN THE CLOUD

If you decide that the characteristics of the business or entity require a solution based on cloud computing, the next mandatory step is to carefully examine the different options existing in the market. There are many companies specialised in cloud computing services that have been working with this technology for years, while there are traditional hosting companies that are starting to offer different packages of functions in the cloud. On the other hand, large software multinationals such as Microsoft, Amazon and Google have a wide range of services in the cloud that can be quickly applied to the specific needs of the client.

7.3 LIABILITY AND TERMS OF USE

As in any business agreement, the relationship between the service provider in the cloud and the client (in this case, the contractor) must be regulated by a contract. This contract should clearly define the position of each of the parties as well as their responsibilities and obligations. The terms of use are responsible for defining the most important technical specifications related to the delivery and quality of the service. The latter establish the performance levels and availability guaranteed by the provider.

It is important to point out that in other types of commercial agreements, the contracts are always negotiated. In the case of cloud service providers, no such rapprochement of positions exists. These companies clearly display the conditions under which they provide their service, and it is the client who must carefully study each of them until he finds the one that best satisfies his needs.

The parts of the contract on which the client must focus his attention are the following:

- Service Level Agreements (SLAs) with their corresponding periodic reports.
- Confidentiality: principally in the operations of data transfer and storage on servers.


- Availability. This clause specifies the level of availability that the service provider undertakes to maintain. Usually all service providers maintain a level of availability close to 100%, although it is likely that some will display this in hours per month.
- Performance. This section assures that you achieve the power generating capacity, storage and bandwidth levels contracted with each service provider.

- Security. The service provider undertakes to maintain a sufficient level of security on its premises to host your data and processes; therefore it must give the client a list of the security measures being implemented in its systems. The client must pay special attention to this section because service providers tend to leave it quite vague, but it must contain a policy on backup management and incident management. It is advisable that the provider has an operational and updated Business Continuity and Disaster Recovery Plan.
- Payment. This section contains details on the payments that must be made by the client to enjoy the contracted services. It should clearly include the amount and frequency of such payments.
- Suspension of service. This clause is more related to contracts where there is only one server. In the case of cloud computing it could be removed, but large companies keep it in to indicate to the client that they may temporarily suspend the service due to updates in their information infrastructure.
- Support services. This section will contain the commitments of the service provider as regards client support. It is important that the contract specifies the time that the provider requires to recover the system when an error occurs.
- Cancellation or modification. The features of cloud computing allow great flexibility when modifying the services that the client needs. The legal agreement should clearly state the options for modifying or terminating the contract, above all in relation to recovery and deletion of the information.
- Privacy and regulatory compliance. This clause defines the level of commitment from the service provider to enforce the laws in its own territory and to comply with the regulations in force within the Spanish or European territory, in particular those relating to privacy and data protection. In any case, the contents of the contract must permit you to accurately establish the commitments of regulatory compliance assumed by the provider.


7.4 USE OF MIGRATION MECHANISMS

The most important thing when using cloud services is to be aware that part of the IT assets will be transferred. Therefore, we recommend carrying out research into the implications of migrating all of your data and processes to the cloud. In this study you must weigh up the amount and sensitivity of the data handled. You must always try to ensure that the most sensitive data is subject to the strictest controls to prevent it from being accessed by persons without the proper authorisation.

The process of migration may be sequential:

- During the early stages of cloud computing, we advise that you do not migrate to the cloud the most sensitive data or processes, while the heaviest applications are transferred to the cloud. For example, you could install the web server and mail on the cloud but keep the database server on the premises.
- Once you have tested whether the formula functions you can perform a complete migration to the cloud, using the support tools provided by the service providers and thereby significantly reducing the complexity of the task.

Each of the cloud service providers has its own migration system. In some it is enough to send an email to a specific address with the data that you wish to migrate so that everything works properly, while in other cases there is a web interface on which you can carry out the configuration.

To allow for proper business continuity it is very important to keep a complete copy of the system in the traditional model for a while. In case problems are detected after performing the migration to the cloud, you can return to the traditional model. In this way, you can work on the proper integration of the application in the new model transparently for the users.



Send your doubts and comments to: observatorio@inteco.es

Instituto Nacional de Tecnologías de la Comunicación

www.inteco.es
