openstack-manuals/doc/arch-design-draft/source/legal-requirements.rst

3.8 KiB

Legal requirements

Using remote resources for collection, processing, storage, and retrieval provides potential benefits to businesses. With the rapid growth of data within organizations, businesses need to be proactive about their data storage strategies from a compliance point of view.

Most countries have legislative and regulatory requirements governing the storage and management of data in cloud environments. This is particularly relevant for public, community and hybrid cloud models, to ensure data privacy and protection for organizations using a third party cloud provider.

Common areas of regulation include:

  • Data retention policies ensuring storage of persistent data and records management to meet data archival requirements.
  • Data ownership policies governing the possession and responsibility for data.
  • Data sovereignty policies governing the storage of data in foreign countries or otherwise separate jurisdictions.
  • Data compliance policies governing certain types of information needing to reside in certain locations due to regulatory issues - and more importantly, cannot reside in other locations for the same reason.
  • Data location policies ensuring that the services deployed to the cloud are used according to laws and regulations in place for the employees, foreign subsidiaries, or third parties.
  • Disaster recovery policies ensuring regular data backups and relocation of cloud applications to another supplier in scenarios where a provider may go out of business, or their data center could become inoperable.
  • Security breach policies governing the ways to notify individuals through cloud provider's systems or other means if their personal data gets compromised in any way.
  • Industry standards policy governing additional requirements on what type of cardholder data may or may not be stored and how it is to be protected.

This is an example of such legal frameworks:

Data storage regulations in Europe are currently driven by provisions of the Data protection framework. Financial Industry Regulatory Authority works on this in the United States.

Privacy and security are spread over different industry-specific laws and regulations:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Family Educational Rights and Privacy Act (FERPA)

Cloud security architecture

An efficient cloud security architecture should recognize the issues that arise with security management. The security management addresses these issues with security controls. Cloud security controls are put in place to safeguard any weaknesses in the system and reduce the effect of an attack.

The following are different types of security controls. See also NIST Special Publication 800-53.

Deterrent controls:

Typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed.

Preventive controls:

Strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities.

Detective controls:

Intended to detect and react appropriately to any incidents that occur. System and network security monitoring, including intrusion detection and prevention arrangements, are typically employed to detect attacks on cloud systems and the supporting communications infrastructure.

Corrective controls:

Reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.