Page 75 - Cloud Migration Version 2012 english

Layer Security/Secure Sockets Layer (TLS/SSL), Virtual Private Network 
(VPN) communications channels). [31]
Secure data processing 
When processing data, it is particularly important to monitor and log all 
access and activities e.g. in the storage services and Cloud applications in 
order to recognise attacks. For instance, access at unusual times or from 
unusual places could be an indication of injection attacks. 
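As an added illustration (not part of the original document), the following Python sketch applies the "unusual time or place" heuristic described above to a few constructed storage-access log lines. The log format, the work-hours window and the per-user location baseline are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the original document):
# ISO timestamp, user, source country, storage action, object path.
SAMPLE_LOG = """\
2012-03-05T09:12:44Z alice DE GET /bucket/reports/q1.pdf
2012-03-05T10:03:10Z alice DE PUT /bucket/reports/q1-v2.pdf
2012-03-06T08:55:01Z alice DE GET /bucket/reports/q2.pdf
2012-03-06T14:20:37Z alice DE GET /bucket/hr/payroll.csv
2012-03-07T11:41:09Z alice DE GET /bucket/reports/q1.pdf
2012-03-08T03:17:52Z alice RU GET /bucket/hr/payroll.csv
2012-03-08T09:00:00Z bob   DE GET /bucket/reports/q1.pdf
"""

# Assumed line layout: timestamp user country action path
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S{2})\s+(\S+)\s+(\S+)$")


def parse(log):
    """Yield (timestamp, user, country, action, path) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, user, country, action, path = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country, action, path


def find_anomalies(log, work_hours=range(7, 20)):
    """Flag accesses outside the assumed work-hours window or from a country
    the user has not been seen in before (baseline = earlier lines for that user)."""
    seen_countries = defaultdict(set)
    alerts = []
    for ts, user, country, action, path in parse(log):
        reasons = []
        if ts.hour not in work_hours:
            reasons.append("unusual hour")
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append("unusual location")
        seen_countries[user].add(country)
        if reasons:
            alerts.append((user, ts.isoformat(), country, path, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```

In a real deployment the baseline would be built from a longer history and the alerts forwarded to the monitoring system rather than printed.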
In addition, portability and interoperability play an important role in 
minimising the danger of vendor lock‐in, i.e. making it difficult to migrate to 
another provider because of system compatibility problems. The aim is to 
enable customers to migrate smoothly from one Cloud provider to another 
at any time. That means negotiating exit agreements with the Cloud 
provider with guaranteed standard formats while retaining all logical 
relations. Cloud infrastructures for community Clouds and hybrid operating 
models must always be set up for maximum interoperability, which can be 
achieved by using standard and open interfaces, protocols and independent 
platforms. For government, the integration of open standards into 
interoperability and security plays a very important role on account of the 
different standardisation committees and industry consortia. The Cloud 
provider should support as many different standards as possible such as the 
Open Virtualisation Format (OVF), vCloud API and Open Cloud Computing 
Interface (OCCI). 
Secure access to Cloud services 
Not only the data itself but also the credentials for accessing Cloud services 
or individual applications require protection. Access credentials must be 
transmitted in encrypted form and be regularly rotated/changed. Regular 
rotation minimises the danger of compromised access credentials while 
providing added security in the management of access rights, e.g. if access 
rights are not deleted when employees leave the company. In general, 
strong authentication (e.g. two-factor authentication) is preferred over 
simple authentication mechanisms (username and password). For 
Cloud solutions as well as conventional on‐premise IT, access rights should 
be issued individually on a need‐to‐know basis. These roles and rights 
should be regularly reviewed. 
In addition, key management best practices should be adopted in the 
following areas: 
[31] An expanded version of this chapter can be found under