Layer Security/Secure Sockets Layer (TLS/SSL), Virtual Private Network (VPN) communications channels).[31]
Secure data processing
When processing data, it is particularly important to monitor and log all access and activities, e.g. in the storage services and Cloud applications, in order to recognise attacks. For instance, access at unusual times or from unusual places could be an indication of injection attacks.
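As an added illustration of the monitoring point above (this is example code, not from the document or any Cloud provider), the following Python builds a per-user baseline of source countries from known-good access-log lines and then flags new events that fall outside business hours or come from a country the user has never been seen in. The log field layout, the sample lines and the 07:00-19:00 UTC business-hours window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access-log lines (not taken from the document); the
# "key=value" layout is an assumption made for this example.
BASELINE_LOG = """\
2024-03-04T09:12:01Z user=alice src_country=CH action=read object=hr/payroll.csv
2024-03-04T10:40:17Z user=alice src_country=CH action=write object=hr/payroll.csv
2024-03-05T08:55:43Z user=bob src_country=CH action=read object=finance/q1.xlsx
2024-03-05T16:03:09Z user=bob src_country=DE action=read object=finance/q1.xlsx
"""

NEW_LOG = """\
2024-03-06T14:02:30Z user=alice src_country=CH action=read object=hr/payroll.csv
2024-03-06T02:47:11Z user=alice src_country=CH action=read object=hr/payroll.csv
2024-03-06T11:20:05Z user=bob src_country=BR action=write object=finance/q1.xlsx
2024-03-06T03:15:00Z user=bob src_country=BR action=read object=finance/q1.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_country=(?P<cc>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+)$")

def parse(log):
    """Turn raw lines into event dicts; lines in an unexpected layout are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count/alert on unparseable lines too
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "cc": m["cc"],
                       "action": m["action"], "obj": m["obj"]})
    return events

def build_baseline(events):
    """Per user: the set of source countries seen in known-good history."""
    known = defaultdict(set)
    for e in events:
        known[e["user"]].add(e["cc"])
    return known

def find_anomalies(events, baseline, hours=(7, 19)):
    """Flag events outside business hours (UTC) or from a never-seen country."""
    findings = []
    for e in events:
        reasons = []
        if not hours[0] <= e["ts"].hour < hours[1]:
            reasons.append("unusual time")
        if e["cc"] not in baseline.get(e["user"], set()):
            reasons.append(f"unusual location {e['cc']}")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), e["action"], e["obj"], reasons))
    return findings
```

Running `find_anomalies(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))` flags three of the four new events; the 14:02 access by alice from CH matches her baseline and is not reported.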
In addition, portability and interoperability play an important role in minimising the danger of vendor lock‐in, i.e. a situation in which migrating to another provider is made difficult by system compatibility problems. The aim is to enable customers to migrate smoothly from one Cloud provider to another at any time. That means negotiating exit agreements with the Cloud provider with guaranteed standard formats while retaining all logical relations. Cloud infrastructures for community Clouds and hybrid operating models must always be set up for maximum interoperability, which can be achieved by using standard and open interfaces, protocols and independent platforms. For government, the integration of open standards into interoperability and security plays a very important role on account of the different standardisation committees and industry consortia. The Cloud provider should support as many different standards as possible, such as the Open Virtualisation Format (OVF), vCloud API and Open Cloud Computing Interface (OCCI).
Secure access to Cloud services
Not only the data itself but also the credentials for accessing Cloud services or individual applications require protection. Access credentials must be transmitted in encrypted form and be regularly rotated/changed. Regular rotation minimises the danger of compromised access credentials while providing added security in the management of access rights, e.g. if access rights are not deleted when employees leave the company. In general, strong authentication (e.g. two‐factor authentication) is preferred to simple authentication mechanisms (username and password). For Cloud solutions as well as conventional on‐premise IT, access rights should be issued individually on a need‐to‐know basis. These roles and rights should be regularly reviewed.
In addition, key management best practices should be adopted in the following areas:
[31] An expanded version of this chapter can be found under