[CSA Guidance] Domain 14: Storage

[Hoff]

Please use this discussion thread to discuss anything related to the
CSA Security Guidance for Critical Areas of Focus in Cloud Computing -
Domain 14: Storage

[Sergio]

Hello,

There are more questions that I think should be addressed in this
domain:
-Who is responsible for the confidentiality and integrity of stored
data? The cloud provider or the owner of the data?
I think the owner of the data should take care of the confidentiality,
but for integrity I might think about SLAs where the cloud provider
has the ability to prove that data was not tampered with?
-What about trusted third parties as authorities that certify the
integrity of data?
-Should we address here the audit of storage data?
-Should we address the problem of key management, key escrow and
separation of roles here as well?
-How should this data be accessed if a court rules it?

Thanks
Sergio
http://elastic-security.com/

[Michael]

IMHO, the data owner is ultimately responsible for his/her data
security, including confidentiality and integrity.

The cloud storage provider CSP has to be technically capable of
assisting the data owner in preserving confidentiality and integrity.

Moreover, there should (or must) have third party(s) being involved in
auditing, particularly for the purpose of data integrity (but also for
other purposes such as possession).

[sam smith]

Thank you guys for your valuable replies. Although I have changed my research proposal to tackle another issue of cloud computing " software as a services, I believe there  are unanswered questions about cloud computing security. Such the geographical problem If the cloud consumer is a company from X country. Is it logical to trust a provider from Y country. The data in this case will not be secure at all. alot more can be talking about in this respect.

cheers.

2009/6/4 Michael <michae...@gmail.com>

[Jimmy Blake]

I agree, the cloud service provider is normally defined as a
'custodian' or 'processor' and the customer remaining the 'owner' of
the data.

The owner is responsible for ensuring the security of the data, that
includes appropriate due diligence to ensure they pick a supplier that
maintains the appropriate level of confidentiality, integrity and
availability of their data. In addition the owner should ensure that
there are contractual obligations in place with the cloud service
provider to ensure this.

No matter how much functionality we add to our services as cloud
services providers, we only provide a platform (even if this is a
service). Much as an operating system can be configured and used in
both a secure and also highly insecure fashion based on context and
configuration, our platforms can be also. If a owner chooses pick
easily guessed passwords, allocates accounts to the wrong employees,
sets inappropriate access rights, etc we can't do anything about it.
Cloud services providers can try and build as much enforcement of best
practice into their platforms, but ultimately the responsibility lies
with the customer ('owner') themselves.

Regards


James
http://www.jimmyblake.com

[Sergio]

I agree, the owner must protect his data, but the cloud brings new
challenges:
-The "processor" or cloud provider may be used to compute security
operations
like encryption, which need keys. Is there a secure way (that means
without
trusting the processor) to do this? Don't think so. Maybe there is a
way with a
trusted third party but that will kill performance.

I completely agree with the need of having best practices applied and
your examples.
Regards
Sergio
http://elastic-security.com

On Jun 15, 9:22 am, Jimmy Blake <jimmybl...@gmail.com> wrote:
> I agree, the cloud service provider is normally defined as a
> 'custodian' or 'processor' and the customer remaining the 'owner' of
> the data.
>
> The owner is responsible for ensuring the security of the data, that
> includes appropriate due diligence to ensure they pick a supplier that
> maintains the appropriate level of confidentiality, integrity and
> availability of their data. In addition the owner should ensure that
> there are contractual obligations in place with the cloud service
> provider to ensure this.
>
> No matter how much functionality we add to our services as cloud
> services providers, we only provide a platform (even if this is a
> service). Much as an operating system can be configured and used in
> both a secure and also highly insecure fashion based on context and
> configuration, our platforms can be also. If a owner chooses pick
> easily guessed passwords, allocates accounts to the wrong employees,
> sets inappropriate access rights, etc we can't do anything about it.
> Cloud services providers can try and build as much enforcement of best
> practice into their platforms, but ultimately the responsibility lies
> with the customer ('owner') themselves.
>
> Regards
>

> Jameshttp://www.jimmyblake.com

[Ali Raza]

Dear All

I am a student of Masters in Pakistan and now a days doing a course
work research on security of data storage in cloud computing. The
scenario i am building is that if you put the burden of securing the
data on the owner of the data then i dont think any owner would be
interested in any such service where he have to pay extra to secure
the data alongwith getting the storage space.

Secondly the cloud vendors with only a little effort can make a
trustworthy model for data storage in cloud computing which will
efficiently use the encryption and key management techniques alongwith
some policies for user's check and balance.

But whatever the case i personally feels that it is professionally
unethical when you ask user that the vendor has no concern with the
security of data.

Regards

S. Ali Raza