Difference between revisions of "Cloud-10 Accountability and Data Ownership"

From OWASP
Jump to: navigation, search
(R1:Accountability and Data Ownership)
(R1:Accountability and Data Ownership)
Line 1: Line 1:
  
 
==R1:Accountability and Data Ownership==
 
==R1:Accountability and Data Ownership==
 
 
 
 
 
 
 
 
 
 
 
 
[[Category:OWASP Cloud ‐ 10 Project]]
 
[[Category:OWASP Cloud ‐ 10 Project]]
  

Revision as of 14:50, 16 November 2009

R1:Accountability and Data Ownership



An internal cloud or a data center of an autonomous organization is under complete control of that organization. The organization is accountable and owns data in an internal cloud. Unlike internal cloud, for economical reasons, an organization may choose to use a public cloud for hosting business services. In the public cloud, the accountability and data ownership gets delegated to the cloud provider.

The cloud provider may store the data in its premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data storage. The provider may use multi-tenancy architecture which collocates data of multiple cloud consumers in one physical storage. This poses the risks of physical security of the data, unauthorized data access, and lack of auditability.

For audit and compliance purposes, the specific location of data can be important. A cloud provider may have a geographically distributed storage architecture which conflicts with the regulatory requirements.

Upon a deletion request, a cloud provider may may nominally erase data. The remanant data can be accessed and stolen.