University of Twente Student Theses


Data location compliance in cloud computing

Noltes, Johan (2011) Data location compliance in cloud computing.

[img] PDF
Abstract:An example of such legislation is the EU data protection directive, which states that privacy sensitive data should always be located within the European Union. However, due to the nature of cloud computing, the location of the data is often unknown, or may change frequently. Currently, Cloud Service Providers (CSPs) do not always offer services that comply to this data location legislation, or in case they do, they do not always show compliance to their customers. This research is about how CSPs can show compliance to customer demands regarding data location. Interviews with CSPs show that CSPs are currently in principle able to determine and control the location of data of their customers, e.g. by using the configuration of the hypervisor. However, these CSPs do not give guarantees about the location of data. This research proposes the Cloud Computing Compliance Guideline, based on interviews and literature study. The Cloud Computing Compliance Guideline gives a process description of showing compliance, which enables CSPs to show compliance to customer demands regarding data location. The Cloud Computing Compliance Guideline comprises of four phases. Phase 1 describes how the customer prepares the movement to the cloud, by carrying out a risk assessment, data classification, creating security demands regarding data location and CSP selection. Phase 2 describes the negotiation process between the customer and CSP. The guideline describes two frameworks that can be used for the SLA negotiation: the SLA@SOI framework and the XACML framework. After the automated negotiation, the CSP takes security measures to ensure data will be stored conform the agreements. Phase 3 describes the regular storage process. Because all security measures are taken, no extra efforts are needed. However, the CSP monitors and logs the movement of data, to detect possible violations. Phase 4 describes how the CSP shows compliance to the customer demands regarding data location. This is done by regularly reporting the current status, and carrying out external audits to give assurance about the correctness of the process. When these phases are carried out correctly, an auditor checks whether CSP executes the correct processes and data is stored on the allowed locations. If this is the case, the auditor can give assurance that the agreements with the customer are enforced, so the CSP can show compliance to the customer demands. The Cloud Computing Compliance Guideline is validated using interviews with CSPs. These interviews indicate that CSPs think the Cloud Computing Compliance Guideline can be used in practice, but some adaptions are needed.
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science MSc (60300)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page