Page 1043 - Cloud computing: From paradigm to operation

Security                                                   7


Furthermore, some details are essential, including:

1)      The emergency response team members, the specific responsibilities and the contact information of each team member. Generally speaking, the emergency response team consists of management, business, technical, and administrative staff.
2)      The BIA results, covering the relationships between the various parts of the cloud computing system, the priority level of key components, etc.
3)      The standard procedures and checklists for cloud computing system recovery.
4)      The inventory of hardware, software, firmware, and other resources that support the CSPs' daily operation, with each entry containing specifications such as version, quantity, etc.
5)      The contact information of CSCs and the response procedures negotiated between the CSPs and CSCs according to the security clause of the SLA, so as to minimize the CSCs' losses in a security incident.
6)      Generally, a CSP does not have the privilege to access a CSC's private data unless the CSP has obtained the CSC's authorization. In the case of an emergency launched by the CSC, the CSC might need the CSP's help to respond more effectively and would grant the CSP authorization to access the data. As a part of compliance, the CSP should not abuse this authorization to access the CSC's data.

8.9.2   Testing and implementation phase

In order to test the effectiveness of the emergency response plan, CSPs should organize testing and drills of the plan, with the help of personnel familiar with the response procedures. The testing and drills should meet the following requirements:

1)      The programmes of testing, training and drills should be pre-established.
2)      The detailed process of testing, training and drills should be recorded, and reports should be written to this effect.
3)      CSPs and CSCs are recommended to cooperatively complete a planned test whenever significant changes occur inside or outside the cloud computing environment.

When a security incident or business interruption occurs, the emergency response plan should be strictly enforced once the conditions for its launch are met, and all operation logs should be recorded during the whole emergency process. Afterwards, according to the security clause of the SLA, the CSP should submit the response reports to the CSCs.

Based on the testing, drill and implementation results, the emergency response plan should be revised to improve its effectiveness and feasibility.

            8.9.3   Maintenance phase

To remain effective, the emergency response plan should always be maintained in a ready state that reflects the requirements of the cloud computing systems, SLA modifications, configuration changes, and personnel changes. Generally, the plan should be reviewed annually to accommodate changes in the actual cloud computing environment. Modification of the plan is based on the following elements:

1)      Changes of premises, facilities, resources and services.
2)      Changes of the security clause of the SLA requirements, critical security configuration, significant patch upgrades and backbone team members.
3)      The assessment of the plan's effectiveness based on the detailed records of its actual implementation during testing and security incidents.

            8.10    Backup

Backup capability is an important issue for CSCs and CSPs in the cloud computing environment. Before running the backup activities, CSPs need to address some specifications such as:

−       the backup strategy for each CSC or for a specific cloud service;
−       the storage method, including whether or not the backups are encrypted;


