Page 153 - Cloud Migration Version 2012 English

by comparing the costs of the potential damage with the costs of the 
respective risk control measures. 
Risks through the Cloud provider 
A risk assessment concerning the Cloud provider is only possible if there is
sufficient transparency in the way the provider delivers services. Even if you
choose a regional software vendor who has previously offered highly
functional software solutions on a license basis for the applications in
question, and is now offering them on a subscription basis, it may still be
the case that infrastructure services from non‐European providers are used,
which would give rise to legal uncertainty.
ENISA (European Network and Information Security Agency) identified the
following main risks in the course of its studies:
- Insufficient service level guarantees
- Provider dependency
- Insufficient data isolation
- Problems with compliance requirements
- Insufficient safeguarding of administrative functions
- Data protection violations
- Insufficient data deletion upon request by the customer
- Insider attacks by untrustworthy persons
To mitigate these risks, the following areas should be coordinated with the
provider:
- Do interfaces and data export functions exist?
- Do contractual provisions for control functions exist?
- Are the applicable data protection provisions complied with?
- Are the data locations known and assured?
- Under which governing law is the service provided?