This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Cloud-10 Accountability and Data Ownership"

From OWASP
Jump to: navigation, search
(R1:Accountability and Data Ownership)
(R1:Accountability and Data Ownership)
Line 26: Line 26:
 
provider.  
 
provider.  
  
Tim Mather, et.al. (cite Cloud Security & Privacy) categorize data
+
The cloud provider may store the data in its
risks of a public cloud in the following categories:
 
 
 
Data-in-transit risk: The data of a cloud consumer traverses to and
 
from the cloud provider over the public internet. The data can be
 
stolen or tampered in-transit. This poses confidentiality and
 
integrity risks.
 
 
 
Data-at-rest risk: The cloud provider may store the data in its
 
 
premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data
 
premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data
 
storage. The provider may use multi-tenancy architecture which
 
storage. The provider may use multi-tenancy architecture which
Line 41: Line 33:
 
unauthorized data access, and lack of auditability.
 
unauthorized data access, and lack of auditability.
  
Data processing: A cloud consumer may use a cloud for data processing.
+
For audit and compliance purposes, the specific
Data processing necessitates the data to be un-encrypted during the
 
duration of the processing. There is a risk of data getting stolen.
 
 
 
Data location: For audit and compliance purposes, the specific
 
 
location of data can be important. A cloud provider may have a
 
location of data can be important. A cloud provider may have a
 
geographically distributed storage architecture which conflicts
 
geographically distributed storage architecture which conflicts
 
with the regulatory requirements.  
 
with the regulatory requirements.  
  
Data remanence: Upon a deletion request, a cloud provider may  
+
Upon a deletion request, a cloud provider may  
 
may nominally erase data. The remanant data can be accessed and
 
may nominally erase data. The remanant data can be accessed and
 
stolen.
 
stolen.

Revision as of 19:50, 16 November 2009

R1:Accountability and Data Ownership



An internal cloud or a data center of an autonomous organization is under complete control of that organization. The organization is accountable and owns data in an internal cloud. Unlike internal cloud, for economical reasons, an organization may choose to use a public cloud for hosting business services. In the public cloud, the accountability and data ownership gets delegated to the cloud provider.

The cloud provider may store the data in its premises, or employ an Insfrastructure-As-A-Provider (IAAS) for data storage. The provider may use multi-tenancy architecture which collocates data of multiple cloud consumers in one physical storage. This poses the risks of physical security of the data, unauthorized data access, and lack of auditability.

For audit and compliance purposes, the specific location of data can be important. A cloud provider may have a geographically distributed storage architecture which conflicts with the regulatory requirements.

Upon a deletion request, a cloud provider may may nominally erase data. The remanant data can be accessed and stolen.

Retrieved from "https://wiki.owasp.org/index.php?title=Cloud-10_Accountability_and_Data_Ownership&oldid=73498"