Page 1032 - Cloud computing: From paradigm to operation
7 Security
The specific requirements of the security clause of SLA could be negotiated by CSPs and CSCs based on the
customized requirements of CSCs and their control ability over the resources. For CSPs, disclaimer items
should be stated clearly in a business contract or a product description to avoid unnecessary dispute or
security risk, so that CSPs will not be held responsible in case of force majeure.
7.2.2 Elements of the security clause of SLA
The security clauses of SLA include but are not limited to the following elements.
7.2.2.1 Business continuity
CSPs should deploy adequate protection in case of a man-made or natural disaster to ensure service
availability and business continuity. The detailed items or requirements are shown below:
1) Service availability
The percentage of time during which the service is usable in a given period. For a given cloud
service, the terms of its service ability should generally not be lower than those of the traditional
information and communication technology (ICT) service.
2) Average recovery time
The time to recover lost data or resume the service after a fault or other disaster.
7.2.2.2 Data security protection
CSPs should have a comprehensive protection program to protect the CSC's data and other privacy
information, and CSPs and CSCs should reach an agreement on the detailed mechanisms and requirements.
1) Storage physical security
CSPs should implement measures to ensure storage physical security, such as entrance guard, fire
protection system, backup power supply system, etc.
2) Data storage medium protection
CSPs should deploy protection measures such as device reinforcing, patch upgrading and so on, to
enhance the security of data storage medium.
3) Data encryption
It should be stated which data is being encrypted in the process of storage or transmission, and the
details of the encryption algorithms.
4) Data access control
The data access control measures should be specified to prevent illegal access.
5) Data isolation
It should be noted that the data of different CSCs are isolated logically or physically.
6) Data deletion
It includes the assurance of data deletion. It should be assured that the data is deleted permanently
before the resources can be allocated to other CSCs.
7) Data backup
It includes the terms of recovery point objective (RPO) and recovery time objective (RTO), retention
policy, combination of on-site backup and off-site backup, etc.
8) Data operation audit
CSPs should audit the operation of CSCs' data and be able to detect abnormal operations; the
auditor should be certified to be qualified for auditing.
9) Data compliance
Data collection, transfer, handling, storage and destruction should comply with the applicable
regulations and laws in the CSC's governing jurisdiction. Similarly, the requirement of data retention
should also comply with the allowed retention time of different jurisdictional restrictions.