Merge "Update legal-requirements chapter in Architecture Design Guide"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
322a389042
@ -4,12 +4,17 @@
|
||||
Legal requirements
|
||||
==================
|
||||
|
||||
Most countries have legislative and regulatory requirements governing
|
||||
the storage and management of data in cloud environments. This is particularly
|
||||
relevant for public, community and hybrid cloud models, to ensure data privacy
|
||||
and protection for organizations using a third party cloud provider.
|
||||
Using remote resources for collection, processing, storage,
|
||||
and retrieval provides potential benefits to businesses.
|
||||
With the rapid growth of data within organizations, businesses
|
||||
need to be proactive about their data storage strategies from
|
||||
a compliance point of view.
|
||||
|
||||
.. TODO Elaborate and refine this section later.
|
||||
Most countries have legislative and regulatory requirements governing
|
||||
the storage and management of data in cloud environments. This is
|
||||
particularly relevant for public, community and hybrid cloud models,
|
||||
to ensure data privacy and protection for organizations using a
|
||||
third party cloud provider.
|
||||
|
||||
Common areas of regulation include:
|
||||
|
||||
@ -23,11 +28,66 @@ Common areas of regulation include:
|
||||
information needing to reside in certain locations due to
|
||||
regulatory issues - and more importantly, cannot reside in
|
||||
other locations for the same reason.
|
||||
* Data location policies ensuring that the services deployed
|
||||
to the cloud are used according to laws and regulations in place
|
||||
for the employees, foreign subsidiaries, or third parties.
|
||||
* Disaster recovery policies ensuring regular data backups and
|
||||
relocation of cloud applications to another supplier in scenarios
|
||||
where a provider may go out of business, or their data center could
|
||||
become inoperable.
|
||||
* Security breach policies governing the ways to notify individuals
|
||||
through cloud provider's systems or other means if their personal
|
||||
data gets compromised in any way.
|
||||
* Industry standards policy governing additional requirements on what
|
||||
type of cardholder data may or may not be stored and how it is to
|
||||
be protected.
|
||||
|
||||
Examples of such legal frameworks include the
|
||||
`data protection framework <http://ec.europa.eu/justice/data-protection/>`_
|
||||
of the European Union, and the requirements of the
|
||||
This is an example of such legal frameworks:
|
||||
|
||||
Data storage regulations in Europe are currently driven by provisions of
|
||||
the `Data protection framework <http://ec.europa.eu/justice/data-protection/>`_.
|
||||
`Financial Industry Regulatory Authority
|
||||
<http://www.finra.org/Industry/Regulation/FINRARules/>`_
|
||||
in the United States.
|
||||
Consult a local regulatory body for more information.
|
||||
<http://www.finra.org/Industry/Regulation/FINRARules/>`_ works on this in
|
||||
the United States.
|
||||
|
||||
Privacy and security are spread over different industry-specific laws and
|
||||
regulations:
|
||||
|
||||
* Health Insurance Portability and Accountability Act (HIPAA)
|
||||
* Gramm-Leach-Bliley Act (GLBA)
|
||||
* Payment Card Industry Data Security Standard (PCI DSS)
|
||||
* Family Educational Rights and Privacy Act (FERPA)
|
||||
|
||||
Cloud security architecture
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
An efficient cloud security architecture should recognize the issues
|
||||
that arise with security management. The security management addresses
|
||||
these issues with security controls. Cloud security controls are put
|
||||
in place to safeguard any weaknesses in the system and reduce the
|
||||
effect of an attack.
|
||||
|
||||
The following are different types of security controls.
|
||||
See also `NIST Special Publication 800-53
|
||||
<https://web.nvd.nist.gov/view/800-53/home>`_.
|
||||
|
||||
Deterrent controls:
|
||||
Typically reduce the threat level by informing potential attackers
|
||||
that there will be adverse consequences for them if they proceed.
|
||||
|
||||
Preventive controls:
|
||||
Strengthen the system against incidents, generally by reducing
|
||||
if not actually eliminating vulnerabilities.
|
||||
|
||||
Detective controls:
|
||||
Intended to detect and react appropriately to any incidents
|
||||
that occur. System and network security monitoring, including
|
||||
intrusion detection and prevention arrangements, are typically
|
||||
employed to detect attacks on cloud systems and the supporting
|
||||
communications infrastructure.
|
||||
|
||||
Corrective controls:
|
||||
Reduce the consequences of an incident, normally by limiting
|
||||
the damage. They come into effect during or after an incident.
|
||||
Restoring system backups in order to rebuild a compromised
|
||||
system is an example of a corrective control.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user