bfbb7a2df0
1. Migrate and edit security and legal requirements content 2. Migrate and consolidate mitaka ops content Change-Id: Ib7b266f5567042766e0e74456712aa6a2700ee52 Implements: blueprint arch-guide-restructure
94 lines
3.8 KiB
ReStructuredText
94 lines
3.8 KiB
ReStructuredText
.. _legal-requirements:
|
|
|
|
==================
|
|
Legal requirements
|
|
==================
|
|
|
|
Using remote resources for collection, processing, storage,
|
|
and retrieval provides potential benefits to businesses.
|
|
With the rapid growth of data within organizations, businesses
|
|
need to be proactive about their data storage strategies from
|
|
a compliance point of view.
|
|
|
|
Most countries have legislative and regulatory requirements governing
|
|
the storage and management of data in cloud environments. This is
|
|
particularly relevant for public, community and hybrid cloud models,
|
|
to ensure data privacy and protection for organizations using a
|
|
third party cloud provider.
|
|
|
|
Common areas of regulation include:
|
|
|
|
* Data retention policies ensuring storage of persistent data
|
|
and records management to meet data archival requirements.
|
|
* Data ownership policies governing the possession and
|
|
responsibility for data.
|
|
* Data sovereignty policies governing the storage of data in
|
|
foreign countries or otherwise separate jurisdictions.
|
|
* Data compliance policies governing certain types of
|
|
information needing to reside in certain locations due to
|
|
regulatory issues - and more importantly, cannot reside in
|
|
other locations for the same reason.
|
|
* Data location policies ensuring that the services deployed
|
|
to the cloud are used according to laws and regulations in place
|
|
for the employees, foreign subsidiaries, or third parties.
|
|
* Disaster recovery policies ensuring regular data backups and
|
|
relocation of cloud applications to another supplier in scenarios
|
|
where a provider may go out of business, or their data center could
|
|
become inoperable.
|
|
* Security breach policies governing the ways to notify individuals
|
|
through cloud provider's systems or other means if their personal
|
|
data gets compromised in any way.
|
|
* Industry standards policy governing additional requirements on what
|
|
type of cardholder data may or may not be stored and how it is to
|
|
be protected.
|
|
|
|
This is an example of such legal frameworks:
|
|
|
|
Data storage regulations in Europe are currently driven by provisions of
|
|
the `Data protection framework <http://ec.europa.eu/justice/data-protection/>`_.
|
|
`Financial Industry Regulatory Authority
|
|
<http://www.finra.org/Industry/Regulation/FINRARules/>`_ works on this in
|
|
the United States.
|
|
|
|
Privacy and security are spread over different industry-specific laws and
|
|
regulations:
|
|
|
|
* Health Insurance Portability and Accountability Act (HIPAA)
|
|
* Gramm-Leach-Bliley Act (GLBA)
|
|
* Payment Card Industry Data Security Standard (PCI DSS)
|
|
* Family Educational Rights and Privacy Act (FERPA)
|
|
|
|
Cloud security architecture
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Cloud security architecture should recognize the issues
|
|
that arise with security management, which addresses these issues
|
|
with security controls. Cloud security controls are put in place to
|
|
safeguard any weaknesses in the system, and reduce the effect of an attack.
|
|
|
|
The following security controls are described below.
|
|
|
|
Deterrent controls:
|
|
Typically reduce the threat level by informing potential attackers
|
|
that there will be adverse consequences for them if they proceed.
|
|
|
|
Preventive controls:
|
|
Strengthen the system against incidents, generally by reducing
|
|
if not actually eliminating vulnerabilities.
|
|
|
|
Detective controls:
|
|
Intended to detect and react appropriately to any incidents
|
|
that occur. System and network security monitoring, including
|
|
intrusion detection and prevention arrangements, are typically
|
|
employed to detect attacks on cloud systems and the supporting
|
|
communications infrastructure.
|
|
|
|
Corrective controls:
|
|
Reduce the consequences of an incident, normally by limiting
|
|
the damage. They come into effect during or after an incident.
|
|
Restoring system backups in order to rebuild a compromised
|
|
system is an example of a corrective control.
|
|
|
|
For more information, see See also `NIST Special Publication 800-53
|
|
<https://web.nvd.nist.gov/view/800-53/home>`_.
|