Page 1019 - Cloud computing: From paradigm to operation
Security 7
2) Data protection
Data protection ensures that CSC data and cloud service derived data held in a cloud computing
environment is appropriately secured so that it can only be accessed or changed as authorized by
the CSC (or according to applicable law). This protection may include some combination of access
control lists, integrity verification, error correction/data recovery, encryption and other appropriate
mechanisms. When a CSP provides storage encryption for CSCs, this function can be client-side
encryption (e.g., within a CSP application) or server-side encryption.
3) Confidentiality protection
Private information can include personally identifiable information (PII) and confidential corporate
data. The collection, use, transfer, handling, storage and destruction of private information can be
subject to confidentiality regulations or laws. This restriction applies to both CSPs and their CSCs,
e.g., a CSC must be able to permanently delete a data table containing private information, even
though the CSP is not aware of the table contents. CSPs may also need to support information
handling, e.g., searching of CSC data in its transformed or encrypted form.
Confidentiality protection extends to private information that may be observed or derived from CSC
activities, such as business trends, relationships or communications with other parties, and activity
levels and patterns.
Confidentiality protection is also responsible for ensuring that all private information (including
observed or derived data) is used only for those purposes that have been agreed between a CSC and
a CSP.
A risk assessment of private information (called a "confidentiality risk assessment") can assist a CSP
in identifying the specific risks of confidentiality breaches involved in an envisaged operation. The
CSP should identify and implement capabilities to address the confidentiality risks identified by the
risk assessment and treatment of private information.
NOTE – In some jurisdictions, individual natural persons (i.e., human users) are treated separately from their
employers for confidentiality purposes. In such circumstances, confidentiality of the CSU will be appropriately
protected in addition to that of the CSC or tenant.
6.4 Data security lifecycle
Based on how cloud services actually operate, the CSC data security lifecycle includes the following stages:
1) Creation: This is probably better named creation/update because it applies to creating or changing
a data/content element, not just a document or database. Creation is the generation of new digital
content, or the alteration/updating of existing content.
2) Transmission: This is the communication process of transferring data from one place to another.
3) Storage: Storage is the act of committing the digital data to some sort of repository, and typically
occurs nearly simultaneously with creation.
4) Use: Data is viewed, processed, shared or otherwise used in some sort of activity.
5) Migration: Data migration is the process of transferring data between storage types, formats, or
computer systems. It is a key consideration for any system implementation, upgrade, or
consolidation. Data migration occurs for a variety of reasons, including: server or storage equipment
replacements or upgrades; website consolidation; server maintenance; and data centre relocation.
6) Destruction: Data is permanently destroyed using physical or digital means (e.g., crypto shredding).
7) Backup and restoration: Users can create data backups and restore data from backups.
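The following is an added example, not part of the original text: it shows how client-side encryption (data protection) lets a CSC permanently delete a table the CSP cannot read (confidentiality protection) by destroying the key, which is the crypto shredding named under Destruction. `TableKeyStore`, its method names and the sample record are assumptions made for illustration; a production CSC would normally hold the keys in a KMS or HSM.

```ruby
require "openssl"

# TableKeyStore is a hypothetical CSC-side component (added example). The CSP
# only ever receives the blobs returned by #seal, never the keys.
class TableKeyStore
  KeyDestroyed = Class.new(StandardError)

  def initialize
    @keys = {} # table name => 32-byte AES-256 key, held by the CSC only
  end

  # Client-side encryption with AES-256-GCM; the table name is bound in as
  # associated data. Returns nonce || tag || ciphertext.
  def seal(table, plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = (@keys[table] ||= OpenSSL::Random.random_bytes(32))
    nonce = cipher.random_iv # fresh 96-bit nonce per record
    cipher.auth_data = table
    ciphertext = cipher.update(plaintext) + cipher.final
    nonce + cipher.auth_tag + ciphertext
  end

  def unseal(table, blob)
    key = @keys.fetch(table) { raise KeyDestroyed, "no key for table #{table}" }
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, 12)
    cipher.auth_tag = blob.byteslice(12, 16)
    cipher.auth_data = table
    cipher.update(blob.byteslice(28, blob.bytesize)) + cipher.final
  end

  # Crypto shredding: destroying the key makes every copy of the table's
  # ciphertext held by the CSP (replicas and backups included) unreadable.
  def shred(table)
    key = @keys.delete(table)
    key&.replace("\0" * key.bytesize) # best-effort overwrite in process memory
    !key.nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  keys = TableKeyStore.new
  blob = keys.seal("customers", "alice,alice@example.test") # constructed record
  keys.shred("customers")
  keys.unseal("customers", blob) rescue puts "unreadable: #{$!.message}"
end
```

Because each table has its own key, shredding one table leaves the others readable; the same property means a lost key is unrecoverable data, so key backup has to be planned alongside the backup and restoration stage.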