This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cloud-10 Accountability and Data Ownership"
(→R1:Accountability and Data Ownership) |
(→R1:Accountability and Data Ownership) |
||
| Line 6: | Line 6: | ||
<headertabs/> | <headertabs/> | ||
| + | A traditional data center of an organization is under complete control | ||
| + | of that organization. The organization logically and physically | ||
| + | protects the data it owns. For economical reasons, an organization | ||
| + | may choose to use a public cloud for hosting its business services. In | ||
| + | this case, the organization loses control of its data. This poses | ||
| + | critical security risks that the organization needs to carefully | ||
| + | consider and mitigate. | ||
| − | + | The severity of risks depends on the sensitivity of the data stored in | |
| − | + | the cloud. Informal blogs, twitter posts, public news, and newsgroup | |
| − | + | messages are examples of less sensitive data. The risk of hosting | |
| − | + | such data in the cloud is low. On the contrary, data such as | |
| − | + | health-related records, criminal records, credit history, and payroll | |
| − | + | information is highly sensitive business data. There are serious | |
| − | + | business and legal ramifications if such data is compromised. | |
| + | Therefore, the risk of hosting such data in the cloud is very high. | ||
| − | + | Since data in the cloud is physically in control of the cloud | |
| − | + | provider, the foremost risk is that of ensuring confidentiality of the | |
| − | + | stored data. Encryption can be employed to ensure confidentiality. If | |
| − | + | the cloud provider uses multi-tenancy architecture, then separate | |
| − | + | encryption keys, one per cloud consumer, should be employed. | |
| − | |||
| − | For | + | A cloud provider may physically store a consumer's data in various |
| − | location of data can | + | countries. Such architecture poses several risks. For example, a |
| − | + | country has its own legal system, and the cloud provider operating in | |
| − | + | that country is bound to that system. The laws of a country may force | |
| + | a cloud provider to permit legal officials to access the data, and any | ||
| + | encryption keys, stored in that country's geographical boundary. The | ||
| + | physical location of data can additionally have economic | ||
| + | ramifications. For example, the tax rules vary based on the country | ||
| + | in which sales orders are processed. A cloud consumer may not be able | ||
| + | to benefit economically by processing orders in a country that offers | ||
| + | lowest tax rates, since the cloud provider may store orders data in | ||
| + | any country. | ||
| − | Upon a | + | |
| − | + | A cloud provider may store the consumer's data in its premises, or | |
| − | + | employ an Infrastructure-As-A-Provider (IAAS) for data storage. The | |
| + | provider may use multi-tenancy architecture which collocates data of | ||
| + | multiple cloud consumers in one physical storage. This architecture | ||
| + | may lack appropriate controls to ensure that a cloud consumer can | ||
| + | access only its own data, and not the data of other consumers. If the | ||
| + | cloud consumers are competitors in their business domain, then such | ||
| + | such lack of control can pose serious business risks for the | ||
| + | consumers. | ||
| + | |||
| + | Upon a request to delete some data, a cloud provider may only | ||
| + | nominally delete it, and leave traces that can be used to reconstruct | ||
| + | the original data. Such reconstructed data can be stolen, and | ||
| + | misused, posing a significant risk to the cloud consumer. | ||
Revision as of 21:06, 17 November 2009
R1:Accountability and Data Ownership
A traditional data center of an organization is under complete control of that organization. The organization logically and physically protects the data it owns. For economical reasons, an organization may choose to use a public cloud for hosting its business services. In this case, the organization loses control of its data. This poses critical security risks that the organization needs to carefully consider and mitigate.
The severity of risks depends on the sensitivity of the data stored in the cloud. Informal blogs, twitter posts, public news, and newsgroup messages are examples of less sensitive data. The risk of hosting such data in the cloud is low. On the contrary, data such as health-related records, criminal records, credit history, and payroll information is highly sensitive business data. There are serious business and legal ramifications if such data is compromised. Therefore, the risk of hosting such data in the cloud is very high.
Since data in the cloud is physically in control of the cloud provider, the foremost risk is that of ensuring confidentiality of the stored data. Encryption can be employed to ensure confidentiality. If the cloud provider uses multi-tenancy architecture, then separate encryption keys, one per cloud consumer, should be employed.
A cloud provider may physically store a consumer's data in various countries. Such architecture poses several risks. For example, a country has its own legal system, and the cloud provider operating in that country is bound to that system. The laws of a country may force a cloud provider to permit legal officials to access the data, and any encryption keys, stored in that country's geographical boundary. The physical location of data can additionally have economic ramifications. For example, the tax rules vary based on the country in which sales orders are processed. A cloud consumer may not be able to benefit economically by processing orders in a country that offers lowest tax rates, since the cloud provider may store orders data in any country.
A cloud provider may store the consumer's data in its premises, or
employ an Infrastructure-As-A-Provider (IAAS) for data storage. The
provider may use multi-tenancy architecture which collocates data of
multiple cloud consumers in one physical storage. This architecture
may lack appropriate controls to ensure that a cloud consumer can
access only its own data, and not the data of other consumers. If the
cloud consumers are competitors in their business domain, then such
such lack of control can pose serious business risks for the
consumers.
Upon a request to delete some data, a cloud provider may only nominally delete it, and leave traces that can be used to reconstruct the original data. Such reconstructed data can be stolen, and misused, posing a significant risk to the cloud consumer.
