Page 1032 - Cloud computing: From paradigm to operation
P. 1032

7                                                     Security


            The specific requirements of the security clause of SLA could be negotiated by CSPs and CSCs based on the
            customized requirements of CSCs and their control ability over the resources. For CSPs, disclaimer items
            should be stated clearly in a business contract or a product description to avoid unnecessary dispute or
            security risk, so that CSPs will not be held responsible in case of force majeure.

            7.2.2   Elements of the security clause of SLA
            The security clauses of SLA include but are not limited to the following elements.

            7.2.2.1    Business continuity
            CSPs  should  deploy  adequate  protection  in  case  of  a  man-made  or  natural  disaster  to  ensure  service
            availability and business continuity. The detailed items or requirements are shown below:
            1)      Service availability
                    The percentage of time at which the service is usable in a given period of time. For a given cloud
                    service, the terms of its service ability should not be lower than the traditional information and
                    communication technology (ICT) service generally.

            2)      Average recovery time
                    The time to recover the lost data or resume the service from a fault occurrence or other disasters.
            7.2.2.2    Data security protection

            CSPs  should  have  a  comprehensive  protection  program  to  protect  the  CSC's  data  and  other  privacy
            information, and CSPs and CSCs should reach an agreement on the detailed mechanisms and requirements.
            1)      Storage physical security
                    CSPs should implement measures to ensure storage physical security, such as entrance guard, fire
                    protection system, backup power supply system, etc.
            2)      Data storage medium protection
                    CSPs should deploy protection measures such as device reinforcing, patch upgrading and so on, to
                    enhance the security of data storage medium.
            3)      Data encryption
                    It should be stated which data is being encrypted in the process of storage or transmission, and the
                    details of the encryption algorithms.
            4)      Data access control
                    The access control measure of data should be specified to prevent illegal access.
            5)      Data isolation
                    It should be noted that the data of different CSCs are isolated logically or physically.
            6)      Data deletion

                    It includes the assurance of data deletion. It should be assured that the data be deleted permanently
                    before the resources could be allocated to other CSCs.
            7)      Data backup
                    It includes the terms of recovery point objective (RPO) and recovery time objective (RTO), retention
                    policy, combination of on-site backup and off-site backup, etc.
            8)      Data operation audit
                    CSPs  should  audit the operation of  CSCs'  data  and be  able to  detect  abnormal  operations; the
                    auditor should be certified to be qualified for auditing.
            9)      Data compliance
                    Data  collection,  transfer,  handling,  storage  and  destruction  should  comply  with  the  applicable
                    regulations and laws in the CSC's governing jurisdiction. Similarly, the requirement of data retention
                    should also comply with the allowed retention time of different jurisdictional restrictions.




            1024
   1027   1028   1029   1030   1031   1032   1033   1034   1035   1036   1037