openstack-manuals/doc/arch-design-draft/source/legal-requirements.rst

.. _legal-requirements:

==================
Legal requirements
==================

Using remote resources for collection, processing, storage,
and retrieval provides potential benefits to businesses.
With the rapid growth of data within organizations, businesses
need to be proactive about their data storage strategies from
a compliance point of view.

Most countries have legislative and regulatory requirements governing
the storage and management of data in cloud environments. This is
particularly relevant for public, community and hybrid cloud models,
to ensure data privacy and protection for organizations using a
third party cloud provider.

Common areas of regulation include:

* Data retention policies ensuring storage of persistent data
  and records management to meet data archival requirements.
* Data ownership policies governing the possession and
  responsibility for data.
* Data sovereignty policies governing the storage of data in
  foreign countries or otherwise separate jurisdictions.
* Data compliance policies governing certain types of
  information needing to reside in certain locations due to
  regulatory issues - and more importantly, cannot reside in
  other locations for the same reason.
* Data location policies ensuring that the services deployed
  to the cloud are used according to laws and regulations in place
  for the employees, foreign subsidiaries, or third parties.
* Disaster recovery policies ensuring regular data backups and
  relocation of cloud applications to another supplier in scenarios
  where a provider may go out of business, or their data center could
  become inoperable.
* Security breach policies governing the ways to notify individuals
  through cloud provider's systems or other means if their personal
  data gets compromised in any way.
* Industry standards policy governing additional requirements on what
  type of cardholder data may or may not be stored and how it is to
  be protected.

This is an example of such legal frameworks:

Data storage regulations in Europe are currently driven by provisions of
the `Data protection framework <http://ec.europa.eu/justice/data-protection/>`_.
`Financial Industry Regulatory Authority
<http://www.finra.org/Industry/Regulation/FINRARules/>`_ works on this in
the United States.

Privacy and security are spread over different industry-specific laws and
regulations:

* Health Insurance Portability and Accountability Act (HIPAA)
* Gramm-Leach-Bliley Act (GLBA)
* Payment Card Industry Data Security Standard (PCI DSS)
* Family Educational Rights and Privacy Act (FERPA)

Cloud security architecture
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An efficient cloud security architecture should recognize the issues
that arise with security management. The security management addresses
these issues with security controls. Cloud security controls are put
in place to safeguard any weaknesses in the system and reduce the
effect of an attack.

The following are different types of security controls.
See also `NIST Special Publication 800-53
<https://web.nvd.nist.gov/view/800-53/home>`_.

Deterrent controls:
 Typically reduce the threat level by informing potential attackers
 that there will be adverse consequences for them if they proceed.

Preventive controls:
 Strengthen the system against incidents, generally by reducing
 if not actually eliminating vulnerabilities.

Detective controls:
 Intended to detect and react appropriately to any incidents
 that occur. System and network security monitoring, including
 intrusion detection and prevention arrangements, are typically
 employed to detect attacks on cloud systems and the supporting
 communications infrastructure.

Corrective controls:
 Reduce the consequences of an incident, normally by limiting
 the damage. They come into effect during or after an incident.
 Restoring system backups in order to rebuild a compromised
 system is an example of a corrective control.