This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cloud-10 Regulatory Compliance"
m (→R3: Regulatory Compliance) |
m (→R3: Regulatory Compliance) |
||
| Line 2: | Line 2: | ||
Customers are ultimately responsible for the security and compliance with regulatory laws (e.g., SOX, HIPAA etc) of their own applications that are hosted in cloud. Data stewards and application owners must plan to put timely audits in place to ensure proper controls in the applications and infrastructure that is hosted at a cloud provider. Companies that are planning to adopt cloud (SaaS, Iaas, Paas etc) must ensure that their cloud provider understand the respective roles and responsbilities (RACI etc) in helping out customers in maintaining required compliance with the appropriate regulatory laws and standards (government and commercial). | Customers are ultimately responsible for the security and compliance with regulatory laws (e.g., SOX, HIPAA etc) of their own applications that are hosted in cloud. Data stewards and application owners must plan to put timely audits in place to ensure proper controls in the applications and infrastructure that is hosted at a cloud provider. Companies that are planning to adopt cloud (SaaS, Iaas, Paas etc) must ensure that their cloud provider understand the respective roles and responsbilities (RACI etc) in helping out customers in maintaining required compliance with the appropriate regulatory laws and standards (government and commercial). | ||
| + | IT managers are likely to push back on cloud adoption due to the fear of losing control of their resources to outside cloud providers who can change the underlying technology or implementation or both without customer’s consent which may have implications on regulatory compliance due to lack of transparency (Sullivan, 2009; Chow et al., 2009). IT organizations should analyze whether or not a move to the cloud makes sense with a risk management framework that incorporates data protection and compliance requirements and by making sure that the data protection, availability and key management expectations are well defined into the service level agreements (Getgen, 2009). | ||
| Line 19: | Line 20: | ||
Cloud Security Alliance. http://www.cloudsecurityalliance.org/csaguide.pdf | Cloud Security Alliance. http://www.cloudsecurityalliance.org/csaguide.pdf | ||
| + | O'Sullivan, D. (2009). The internet cloud with a silver lining. The British Journal of Administrative Management. | ||
| + | Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., & Molina, J. (2009). Controlling data in the cloud: Outsourcing computation without outsourcing control. Paper presented at the CCSW '09: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA | ||
| + | |||
| + | Getgen, K. (2009, October). 2009 Encryption and key management industry benchmark report. Trust Catalyst white paper on Risk Management for data protection. | ||
Latest revision as of 13:46, 12 April 2010
R3: Regulatory Compliance
Customers are ultimately responsible for the security and compliance with regulatory laws (e.g., SOX, HIPAA etc) of their own applications that are hosted in cloud. Data stewards and application owners must plan to put timely audits in place to ensure proper controls in the applications and infrastructure that is hosted at a cloud provider. Companies that are planning to adopt cloud (SaaS, Iaas, Paas etc) must ensure that their cloud provider understand the respective roles and responsbilities (RACI etc) in helping out customers in maintaining required compliance with the appropriate regulatory laws and standards (government and commercial). IT managers are likely to push back on cloud adoption due to the fear of losing control of their resources to outside cloud providers who can change the underlying technology or implementation or both without customer’s consent which may have implications on regulatory compliance due to lack of transparency (Sullivan, 2009; Chow et al., 2009). IT organizations should analyze whether or not a move to the cloud makes sense with a risk management framework that incorporates data protection and compliance requirements and by making sure that the data protection, availability and key management expectations are well defined into the service level agreements (Getgen, 2009).
References:
Anthes, G.. (2009, January). SaaS Realities. Computerworld, 43(1), 21-22. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1626575741).
Business: Pain in the aaS; Computer security. (2008, April). The Economist, 387(8577), 86. Retrieved August 9, 2009, from ABI/INFORM Global. (Document ID: 1469385981).
Gartner: Seven Cloud-Computing Security Risks. http://www.cio.com/article/423713/Gartner_Seven_Cloud_Computing_Security_Risks?page=1&taxonomyId=1419
Google: Cloud computing more secure than traditional IT. http://www.computerweekly.com/Articles/2009/07/21/236982/cloud-computing-more-secure-than-traditional-it-says.htm
Top five cloud computing security issues. http://www.computerweekly.com/Articles/2009/04/24/235782/top-five-cloud-computing-security-issues.htm
Cloud Security Alliance. http://www.cloudsecurityalliance.org/csaguide.pdf
O'Sullivan, D. (2009). The internet cloud with a silver lining. The British Journal of Administrative Management.
Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., & Molina, J. (2009). Controlling data in the cloud: Outsourcing computation without outsourcing control. Paper presented at the CCSW '09: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA
Getgen, K. (2009, October). 2009 Encryption and key management industry benchmark report. Trust Catalyst white paper on Risk Management for data protection.
