Difference between revisions of "Cloud-10 Accountability and Data Ownership"

From OWASP
Jump to: navigation, search
(Created page with ' ==R1:Accountability and Data Ownership== Category:OWASP Cloud ‐ 10 Project __NOTOC__ <headertabs/>')
 
(R1:Accountability and Data Ownership)
Line 16: Line 16:
 
__NOTOC__
 
__NOTOC__
 
<headertabs/>
 
<headertabs/>
 +
 +
 +
An internal cloud or a data center of an autonomous organization is
 +
under complete control of that organization. The organization is
 +
accountable and owns data in an internal cloud. Unlike internal cloud,
 +
for economical reasons, an organization may choose to use a public
 +
cloud for hosting business services. In the public cloud, the
 +
accountability and data ownership gets delegated to the cloud
 +
provider.
 +
 +
Tim Mather, et.al. (cite Cloud Security & Privacy) categorize data
 +
risks of a public cloud in the following categories:
 +
 +
Data-in-transit risk: The data of a cloud consumer traverses to and
 +
from the cloud provider over the public internet. The data can be
 +
stolen or tampered in-transit. This poses confidentiality and
 +
integrity risks.
 +
 +
Data-at-rest risk: The cloud provider may store the data in its
 +
premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data
 +
storage. The provider may use multi-tenancy architecture which
 +
collocates data of multiple cloud consumers in one physical
 +
storage. This poses the risks of physical security of the data,
 +
unauthorized data access, and lack of auditability.
 +
 +
Data processing: A cloud consumer may use a cloud for data processing.
 +
Data processing necessitates the data to be un-encrypted during the
 +
duration of the processing. There is a risk of data getting stolen.
 +
 +
Data location: For audit and compliance purposes, the specific
 +
location of data can be important. A cloud provider may have a
 +
geographically distributed storage architecture which conflicts
 +
with the regulatory requirements.
 +
 +
Data remanence: Upon a deletion request, a cloud provider may
 +
may nominally erase data. The remanant data can be accessed and
 +
stolen.

Revision as of 09:18, 16 November 2009

R1:Accountability and Data Ownership



An internal cloud or a data center of an autonomous organization is under complete control of that organization. The organization is accountable and owns data in an internal cloud. Unlike internal cloud, for economical reasons, an organization may choose to use a public cloud for hosting business services. In the public cloud, the accountability and data ownership gets delegated to the cloud provider.

Tim Mather, et.al. (cite Cloud Security & Privacy) categorize data risks of a public cloud in the following categories:

Data-in-transit risk: The data of a cloud consumer traverses to and from the cloud provider over the public internet. The data can be stolen or tampered in-transit. This poses confidentiality and integrity risks.

Data-at-rest risk: The cloud provider may store the data in its premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data storage. The provider may use multi-tenancy architecture which collocates data of multiple cloud consumers in one physical storage. This poses the risks of physical security of the data, unauthorized data access, and lack of auditability.

Data processing: A cloud consumer may use a cloud for data processing. Data processing necessitates the data to be un-encrypted during the duration of the processing. There is a risk of data getting stolen.

Data location: For audit and compliance purposes, the specific location of data can be important. A cloud provider may have a geographically distributed storage architecture which conflicts with the regulatory requirements.

Data remanence: Upon a deletion request, a cloud provider may may nominally erase data. The remanant data can be accessed and stolen.