254

S.R. Chaput and K. Ringwood

14.2.6.3  Incident Response Plan

Many compliance initiatives specifically require incident response teams and their related plans. When dealing with the cloud, and with outsourcers in general, this approach needs to be explained, negotiated, documented, and formalized so that there is no room for interpretation when it comes to plan execution. Specifically, the roles and responsibilities of all involved parties ought to be explicitly outlined to ensure that appropriate actions are taken and necessary notifications are made. Breach notification is a particularly troublesome issue with clouds because the laws mandating it tend to be jurisdictional and tied to the physical geography of the place of the breach. When developing the responsibilities in the incident response plan, it may be best to consider wording that ties the obligation to determine the actual location of the breach, and the related notification requirements for that region, to the cloud provider rather than the client.

14.3  Conclusion

As can be imagined, compliance with the vast array of legislation and regulations when using cloud computing services can be quite complicated and burdensome. However, hopefully the crux of this chapter was not lost, and it did not appear as though one should reconsider engaging cloud providers. The intent was rather to ensure that client organizations already considering outsourcing to the cloud understand which data and systems might be prime (easy) candidates for outsourcing, and which may be prohibitively expensive. The key, as can likely be imagined, is to have firm control over an organization’s information assets and a strong understanding of the legislative and regulatory requirements that apply to that data. Once that concept is understood, and the requirements are gathered, it becomes achievable to consider the cloud options and to obtain and benefit from them at realistic costs.


14  Cloud Compliance: A Framework for Using Cloud Computing in a Regulated World

255


Chapter 15

Cloud Computing – Data Confidentiality and Interoperability Challenges

Fabrizio Gagliardi and Silvana Muscella

Abstract Interoperability, which brings major benefits for enterprise and science, is key for the pervasive adoption of grids and clouds. The lack of interoperability has impeded broader adoption and is, enterprise argues, the reason why grids have not performed at expected levels. Interoperability between existing grids and clouds is of primary importance for the EU.

This chapter focuses on the guiding principles of interoperability and openness for the development of cloud computing, as they have been for the Internet so far. Therefore, global standardization efforts are emphasized in this chapter and seen as a key priority.

We look at the importance of interoperability and at the standardization efforts taking place around cloud computing, considering that enterprises do not wish to tie their applications to specific providers’ remote infrastructure – particularly if proprietary technology is deployed. Nevertheless, it is still considered early in the market’s development for formal standardization of many aspects of cloud computing – except perhaps in the area of virtualization technology – but industry leaders recognize the importance of interoperability.

The chapter delivers a snapshot of the impact that cloud computing is making on the European market and of the influence of EU regulation in listing the opportunities for Europe. The concluding remarks and considerations provide a look at the future market drivers and the key challenges of interoperability and data confidentiality.

F. Gagliardi (*)

External Research, Microsoft Research, EMEA office: 12, Av. des Morgines, CH-1213, Petit-Lancy (Geneva)

e-mail: Fabrizio.Gagliardi@microsoft.com

N. Antonopoulos and L. Gillam (eds.), Cloud Computing: Principles, Systems and Applications, Computer Communications and Networks, DOI 10.1007/978-1-84996-241-4_15, © Springer-Verlag London Limited 2010

257

258

F. Gagliardi and S. Muscella

15.1  Confidentiality of Data and Principal Issues Globally: An Overview

Today, companies considering the use of a cloud-based service need to obtain a clear understanding of the privacy, security, and legal consequences before signing the SLA with a service provider. A recent Forrester report [1] urges them to develop a checklist of data security and compliance priorities and to compare organizational needs against the cloud service provider’s policies and procedures.

Other important questions surround confidentiality of data and a variety of related issues, including security, privacy, and trust. Who is responsible for data residing in or moving through the cloud, and under which jurisdiction the data fall, are common unresolved questions. A key example is the UK National Health Service (NHS), whose jurisdictional rules state that all UK data must never leave the United Kingdom.

Specific items have to be included in the agreements before companies sign the contracts, covering how data are handled once the service contract is terminated, what data are returned to the organization, and how the elimination of the data from the host cloud service provider’s network is ensured. Early adopters have run into a number of hurdles, including not knowing where their data reside, what happens to the data when a decision is made to change services, and how the service provider guards the customer’s privacy. Concern over proprietary data and personal information is a major issue. A cloud provider may not necessarily commit to offering internal auditing of this aspect, but the company should at least have access to logs showing who accesses the data.

Robert Gellman prepared a report for the World Privacy Forum [2] indicating that information stored in the cloud eventually ends up on a physical machine owned by a particular company or person located in a specific country. That stored information may be subject to the laws of the country where the physical machine is located. For example, personal information that ends up maintained by a cloud provider in an EU Member State could be permanently subject to EU privacy laws.

15.1.1  Location of Cloud Data and Applicable Laws

More specifically, Gellman’s report goes into greater detail in explaining the EU directives, such as the EU’s Data Protection Directive [2, 3], which offers an example of the importance of location for legal rights and obligations. Under Article 4 of the Directive, a national data protection law applies when a controller located in the territory of the Member State processes personal information. A cloud provider in an EU Member State could thus bring personal data obtained from a non-EU-based user under a European data protection law. Once an EU law applies to the personal data, the data remain subject to that law, and any export of the data will thereafter be subject to EU rules limiting transfers to a third country. Thus, if a US company gave its data to a cloud provider based in France, French data protection law would
