Page 80 - Cloud Migration Version 2012 english

issuing time‐limited certificates and thus separating the wheat from the 
chaff. 
3.2.4 Detecting security incidents
Detecting security incidents is often a difficult task for Cloud users. 
Conventional IT environments, with on‐premises data‐processing, can rely 
on an internal security incident management process which uses 
monitoring, log file analyses, intrusion detection systems as well as data loss 
prevention (DLP). 
When outsourcing to the Cloud, it is not only the Cloud service itself that is 
outsourced, but also significant aspects of security incident management. 
Security incident management should therefore be included in the contract 
with the Cloud provider. 
Cloud users should inform themselves about the provider's detection 
capabilities before migrating to the Cloud. The existence of a security 
operation centre (SOC) and suitable security incident management is an 
important selection criterion for a Cloud service. Cloud users and providers 
should have the same idea about what qualifies as a security incident. In 
fact, the definition of a security incident is mandatory in international Cloud 
computing as Cloud users and providers may be located in different 
jurisdictions and, for example, the loss of personal data could have different 
implications. The loss of certain personal data may be immaterial to a US 
provider, but it could be consequential to a European Cloud user. The 
process for communicating security incidents and their escalation should 
also be set down. 
A look at the tools for detecting and clearing security incidents can also 
provide clues as to the maturity of the provider's security incident 
management.[33]
3.2.5 Reacting to Security incidents
Computer forensics 
Computer forensics pertains to the identification, collection, analysis and 
presentation of digital data in order to establish the facts of the case. In the 
identification stage, possible evidence is identified together with the client, 
depending on the actual case. Data collection entails establishing the 'scene 
of the crime' and area of investigation, carefully preserving any evidence 
[33] An expanded version of this chapter can be found under