Difference between revisions of "Cloud-10 Accountability and Data Ownership"

From OWASP
Jump to: navigation, search
(R1:Accountability and Data Ownership)
(R1:Accountability and Data Ownership)
Line 26: Line 26:
 
provider.  
 
provider.  
  
Tim Mather, et.al. (cite Cloud Security & Privacy) categorize data
+
The cloud provider may store the data in its
risks of a public cloud in the following categories:
+
 
+
Data-in-transit risk: The data of a cloud consumer traverses to and
+
from the cloud provider over the public internet. The data can be
+
stolen or tampered in-transit. This poses confidentiality and
+
integrity risks.
+
 
+
Data-at-rest risk: The cloud provider may store the data in its
+
 
premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data
 
premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data
 
storage. The provider may use multi-tenancy architecture which
 
storage. The provider may use multi-tenancy architecture which
Line 41: Line 33:
 
unauthorized data access, and lack of auditability.
 
unauthorized data access, and lack of auditability.
  
Data processing: A cloud consumer may use a cloud for data processing.
+
For audit and compliance purposes, the specific
Data processing necessitates the data to be un-encrypted during the
+
duration of the processing. There is a risk of data getting stolen.
+
 
+
Data location: For audit and compliance purposes, the specific
+
 
location of data can be important. A cloud provider may have a
 
location of data can be important. A cloud provider may have a
 
geographically distributed storage architecture which conflicts
 
geographically distributed storage architecture which conflicts
 
with the regulatory requirements.  
 
with the regulatory requirements.  
  
Data remanence: Upon a deletion request, a cloud provider may  
+
Upon a deletion request, a cloud provider may  
 
may nominally erase data. The remanant data can be accessed and
 
may nominally erase data. The remanant data can be accessed and
 
stolen.
 
stolen.

Revision as of 14:50, 16 November 2009

R1:Accountability and Data Ownership



An internal cloud or a data center of an autonomous organization is under complete control of that organization. The organization is accountable and owns data in an internal cloud. Unlike internal cloud, for economical reasons, an organization may choose to use a public cloud for hosting business services. In the public cloud, the accountability and data ownership gets delegated to the cloud provider.

The cloud provider may store the data in its premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data storage. The provider may use multi-tenancy architecture which collocates data of multiple cloud consumers in one physical storage. This poses the risks of physical security of the data, unauthorized data access, and lack of auditability.

For audit and compliance purposes, the specific location of data can be important. A cloud provider may have a geographically distributed storage architecture which conflicts with the regulatory requirements.

Upon a deletion request, a cloud provider may may nominally erase data. The remanant data can be accessed and stolen.