Difference between revisions of "Cloud-10 Accountability and Data Ownership"

From OWASP
Jump to: navigation, search
(R1:Accountability and Data Ownership)
(R1:Accountability and Data Ownership)
Line 6: Line 6:
 
<headertabs/>
 
<headertabs/>
  
 +
A traditional data center of an organization is under complete control
 +
of that organization.  The organization logically and physically
 +
protects the data it owns.  For economical reasons, an organization
 +
may choose to use a public cloud for hosting its business services. In
 +
this case, the organization loses control of its data. This poses
 +
critical security risks that the organization needs to carefully
 +
consider and mitigate.
  
An internal cloud or a data center of an autonomous organization is
+
The severity of risks depends on the sensitivity of the data stored in
under complete control of that organization. The organization is
+
the cloud.  Informal blogs, twitter posts, public news, and newsgroup
accountable and owns data in an internal cloud. Unlike internal cloud,
+
messages are examples of less sensitive data. The risk of hosting
for economical reasons, an organization may choose to use a public
+
such data in the cloud is low. On the contrary, data such as
cloud for hosting business services. In the public cloud, the
+
health-related records, criminal records, credit history, and payroll
accountability and data ownership gets delegated to the cloud
+
information is highly sensitive business data. There are serious
provider.  
+
business and legal ramifications if such data is compromised.
 +
Therefore, the risk of hosting such data in the cloud is very high.
  
The cloud provider may store the data in its
+
Since data in the cloud is physically in control of the cloud
premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data
+
provider, the foremost risk is that of ensuring confidentiality of the
storage. The provider may use multi-tenancy architecture which
+
stored data.  Encryption can be employed to ensure confidentiality. If
collocates data of multiple cloud consumers in one physical
+
the cloud provider uses multi-tenancy architecture, then separate
storage. This poses the risks of physical security of the data,
+
encryption keys, one per cloud consumer, should be employed.
unauthorized data access, and lack of auditability.
+
  
For audit and compliance purposes, the specific
+
A cloud provider may physically store a consumer's data in various
location of data can be important. A cloud provider may have a
+
countries.  Such architecture poses several risks.  For example, a
geographically distributed storage architecture which conflicts
+
country has its own legal system, and the cloud provider operating in
with the regulatory requirements.  
+
that country is bound to that system.  The laws of a country may force
 +
a cloud provider to permit legal officials to access the data, and any
 +
encryption keys, stored in that country's geographical boundary.  The
 +
physical location of data can additionally have economic
 +
ramifications. For example, the tax rules vary based on the country
 +
in which sales orders are processed.  A cloud consumer may not be able
 +
to benefit economically by processing orders in a country that offers
 +
lowest tax rates, since the cloud provider may store orders data in
 +
any country.
  
Upon a deletion request, a cloud provider may  
+
 
may nominally erase data. The remanant data can be accessed and
+
A cloud provider may store the consumer's data in its premises, or
stolen.
+
employ an Infrastructure-As-A-Provider (IAAS) for data storage.  The
 +
provider may use multi-tenancy architecture which collocates data of
 +
multiple cloud consumers in one physical storage.  This architecture
 +
may lack appropriate controls to ensure that a cloud consumer can
 +
access only its own data, and not the data of other consumers.  If the
 +
cloud consumers are competitors in their business domain, then such
 +
such lack of control can pose serious business risks for the
 +
consumers.
 +
 
 +
Upon a request to delete some data, a cloud provider may only
 +
nominally delete it, and leave traces that can be used to reconstruct
 +
the original data. Such reconstructed data can be stolen, and
 +
misused, posing a significant risk to the cloud consumer.

Revision as of 16:06, 17 November 2009

R1:Accountability and Data Ownership


A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. For economical reasons, an organization may choose to use a public cloud for hosting its business services. In this case, the organization loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate.

The severity of risks depends on the sensitivity of the data stored in the cloud. Informal blogs, twitter posts, public news, and newsgroup messages are examples of less sensitive data. The risk of hosting such data in the cloud is low. On the contrary, data such as health-related records, criminal records, credit history, and payroll information is highly sensitive business data. There are serious business and legal ramifications if such data is compromised. Therefore, the risk of hosting such data in the cloud is very high.

Since data in the cloud is physically in control of the cloud provider, the foremost risk is that of ensuring confidentiality of the stored data. Encryption can be employed to ensure confidentiality. If the cloud provider uses multi-tenancy architecture, then separate encryption keys, one per cloud consumer, should be employed.

A cloud provider may physically store a consumer's data in various countries. Such architecture poses several risks. For example, a country has its own legal system, and the cloud provider operating in that country is bound to that system. The laws of a country may force a cloud provider to permit legal officials to access the data, and any encryption keys, stored in that country's geographical boundary. The physical location of data can additionally have economic ramifications. For example, the tax rules vary based on the country in which sales orders are processed. A cloud consumer may not be able to benefit economically by processing orders in a country that offers lowest tax rates, since the cloud provider may store orders data in any country.


A cloud provider may store the consumer's data in its premises, or employ an Infrastructure-As-A-Provider (IAAS) for data storage. The provider may use multi-tenancy architecture which collocates data of multiple cloud consumers in one physical storage. This architecture may lack appropriate controls to ensure that a cloud consumer can access only its own data, and not the data of other consumers. If the cloud consumers are competitors in their business domain, then such such lack of control can pose serious business risks for the consumers.

Upon a request to delete some data, a cloud provider may only nominally delete it, and leave traces that can be used to reconstruct the original data. Such reconstructed data can be stolen, and misused, posing a significant risk to the cloud consumer.