Page 74 - Cloud Migration Version 2012 english

ENISA [29], the Cloud Security Alliance (CSA) [30] and in 'Security
Recommendations for Cloud Computing Providers'.
So what are the 7 key preventative measures that a Cloud computing user 
can take to avoid or reduce the associated security risks? 
Define the level of data protection 
When creating or transferring data in the Cloud, the user must classify his 
data (e.g. normal, high, extremely high security level), analyse his security 
requirements and define which data the Cloud provider should store and
transfer, and how. This may involve the use of certain encryption processes or a
sophisticated privileges scheme for access to certain information. In 
addition, the data should also be defined in relation to the Cloud provider's 
security standards.
Secure storage of data in the Cloud 
Stored data are encrypted using different algorithms (e.g. Advanced 
Encryption Standard (AES)) and key lengths (e.g. 256 bits). As a rule of 
thumb, the stronger the encryption process, the more secure the data. The 
level of encryption must still be tested and improved from time to time.  
With all the benefits of encryption, key management remains the 
responsibility of Cloud service users. If they lose their keys, they also lose 
their encrypted data. If their keys are compromised, the security of their 
data may be compromised as well. Customers must therefore weigh up their 
key management options and implement procedures to minimise these 
dangers. In addition, the problem of processing data in encrypted form still 
remains to be solved. There have been some advances in homomorphic 
encryption. However, the only current solution is to encrypt the data prior 
to further processing. 
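
As an added illustration (not part of the original text), the following Node.js example shows one common way for a Cloud customer to keep key management in their own hands: envelope encryption with AES-256-GCM, where the data are encrypted locally and only the ciphertext and a wrapped data key are uploaded. The function names, the envelope layout and the sample record are assumptions made for this example; it goes beyond the text by also showing key rotation.

```javascript
const crypto = require('crypto');

// seal: AES-256-GCM under a 32-byte key with a fresh 96-bit nonce.
// Output layout (an assumption of this example): nonce || ciphertext || tag.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce); // throws unless key is 32 bytes
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// open: reverses seal; throws if the key is wrong or the blob was modified.
function open(key, blob) {
  if (blob.length < 28) throw new Error('sealed data too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Encrypt locally with a one-off data key (DEK), then wrap the DEK under the
// customer's key-encryption key (KEK). Only the returned envelope is uploaded.
function encryptForUpload(kek, data) {
  const dek = crypto.randomBytes(32);
  return { wrappedDek: seal(kek, dek), data: seal(dek, data) };
}

// Without the KEK the envelope cannot be opened: losing the key loses the data.
function decryptDownload(kek, env) {
  return open(open(kek, env.wrappedDek), env.data);
}

// Rotation re-wraps only the small DEK; the bulk ciphertext is left as stored.
function rotateKek(oldKek, newKek, env) {
  return { wrappedDek: seal(newKek, open(oldKek, env.wrappedDek)), data: env.data };
}

// Constructed sample run with a made-up record.
function demo() {
  const kek = crypto.randomBytes(32); // stays with the customer, never uploaded
  const env = encryptForUpload(kek, Buffer.from('constructed sample record'));
  const newKek = crypto.randomBytes(32);
  const rotated = rotateKek(kek, newKek, env);
  return decryptDownload(newKek, rotated).toString();
}
console.log(demo()); // constructed sample record
```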
Secure transfer of data in the Cloud 
Besides the secure, isolated storage of data, the secure transport of 
customers' data in the Cloud and between Cloud computer centres plays an 
important role. (e.g. via Secure Shell (SSH), Internet Protocol Security (IPSec), Transport
[29] Catteddu, D. and Hogben, G., editors. 'Cloud Computing: Benefits, risks and recommendations for information security'. The European Network and Information Security Agency (ENISA), 2009.
[30] Brunette, G. and Mogull, R., editors. 'Security Guidance for Critical Areas of Focus in Cloud Computing V2.1'. Cloud Security Alliance, 2009. Cloud Security Alliance (2010)