Page 33 - Cloud Migration Version 2012 english

The prime risk management parameters are 'impact' and 'probability'. As
the probability may be low, but not 'nil', an effective process comprising
two components must be established to deal with actual risks:
Detection 
Reaction 
Detection (Chapter 3.2.4) is the process of flagging security incidents.
Various studies show that only about 50% of all security incidents are 
detected within a week, while the rest are only discovered much later. Cloud 
computing complicates matters further. 
Detection of a security incident must trigger a suitable reaction. Given the
changing architectures in Cloud computing, the procedures for obtaining 
legal evidence of security incidents are subject to change, and both 
enterprises and the courts have yet to follow suit. 
Later in this book, we will examine the big picture of the management of
identities and authentication for a user's Cloud ecosystem, and explain why
these are strategic factors that must not be underestimated.
2.3 Cloud and the Law
Cloud Computing and the migration of private data (personal, business or
Government) to a Cloud provider are, like any larger technology project in
the business field, not only a technical, but also a legal matter. The three
fields of law most relevant in this context are data protection, compliance
and contract law.[8]
2.3.1 Applicable law
From a legal point of view the first and most fundamental question to be 
asked in the context of Cloud Computing is that of applicable law. This is 
because different jurisdictions may have quite different provisions in the 
relevant fields of law. 
The question of which law is applicable arises also within the EU, despite all 
harmonisation efforts. On the one hand this is due to the fact that 
community law does not exist for each and every field of law or legal 
question. On the other hand national differences exist even within the 
[8] An expanded version of this chapter can be found under