Presently, Cloud Service Providers (CSPs) don’t always provide services that conform to this data location legislation, or, where they do, they don’t always show compliance to their customers. This study is about how CSPs can show conformity to customer demands regarding data location. Interviews with CSPs reveal that CSPs are presently, in principle, able to determine and control the location of their customers’ data, e.g. by making use of the configuration of the hypervisor. However, these CSPs don’t give guarantees about the location of data. This investigation proposes the Cloud Computing Compliance Guideline, based on interviews and a literature study. The Cloud Computing Compliance Guideline offers a process description of showing compliance, which enables CSPs to show compliance to customer demands concerning data location…
Contents: Data location compliance in cloud computing
1 Introduction
1.1 Motivation
1.1.1 Market situation
1.1.2 Risk
1.1.3 Data location legislation
1.1.4 Current situation
1.1.5 Conclusion
1.2 Document structure
2 Background
2.1 What is cloud computing
2.2 Service models
2.2.1 Traditional IT
2.2.2 Infrastructure as a Service (IaaS)
2.2.3 Platform as a Service (PaaS)
2.2.4 Software as a Service (SaaS)
2.2.5 ‘X’ as a Service
2.3 Deployment models
2.3.1 Private cloud
2.3.2 Public cloud
2.3.3 Community cloud
2.3.4 Hybrid cloud
2.4 Conclusion
3 Research methodology
3.1 Scope
3.1.1 Compliance aspects
3.1.2 Stakeholder perspective
3.1.3 Customer segment
3.1.4 CSP segment
3.1.5 Cloud service model
3.1.6 Cloud deployment model
3.2 Problem statement
3.2.1 Research questions
3.3 Methodology
3.3.1 Expert interviews
3.3.2 CSP interviews
3.3.3 Literature study
3.3.4 Modeling
3.3.5 Validation
3.4 Conclusion
Master thesis: Data location compliance in cloud computing, Johan Noltes
4 Customer demands
4.1 What makes cloud computing different for customer demands?
4.2 Compliance in cloud computing
4.2.1 What is compliance?
4.2.2 Relevant legislation
4.2.3 Consequences of non-compliance
4.2.4 Legal and regulatory versus accountability approach
4.2.5 Defining location
4.3 How do customers determine their demands in cloud computing?
4.3.1 Risk analysis
4.3.2 Data classification
4.3.3 Security demands and Service Level Agreements
4.4 Conclusions
5 Cloud Service Provider infrastructure and data location
5.1 Technical infrastructure
5.1.1 Virtualization
5.1.2 Data storage
5.1.3 Data storage virtualization
5.2 Data location determination
5.2.1 IaaS
5.2.2 PaaS
5.2.3 SaaS
5.2.4 From virtual locations to physical locations
5.2.5 Data location movement
5.3 Conclusions
6 Current limitations for CSPs in showing data location compliance
6.1 Negotiation and agreements
6.2 Enforcing data location
6.2.1 Enforcing data location
6.2.2 Giving assurance
6.3 Chain of suppliers
6.4 Conclusion
7 Agreements and enforcement
7.1 Negotiation and agreements
7.1.1 Literature study: policy specification languages
7.1.2 Literature study: SLA negotiation frameworks
7.1.3 Conclusion
7.2 Enforcing agreements
7.2.1 General enforcing techniques
7.2.2 SLA@SOI
7.2.3 XACML framework
7.2.4 Conclusion
7.3 Chain of suppliers
7.3.1 Infrastructure as a Service (IaaS)
7.3.2 Platform as a Service (PaaS)
7.3.3 Software as a Service (SaaS)
7.3.4 Conclusion
7.4 Conclusion
8 The Cloud Computing Compliance Guideline
8.1 Phase 1: Preparation
8.2 Phase 2: Making service agreements
8.2.1 Negotiation and making service agreements
8.2.2 Enforcing agreements
8.3 Phase 3: Data storage
8.4 Phase 4: Reporting
8.4.1 Giving assurance
8.4.2 Audit results
8.4.3 Iterative loop
8.5 Conclusion
9 Validation
9.1 Interview approach
9.2 Interview results
9.2.1 Cloud Computing Compliance Guideline: general overview
9.2.2 Phase 1: Data location
9.2.3 Phase 2: Negotiation and agreements
9.2.4 Phase 2 / 3: Enforcing
9.2.5 Phase 4: Reporting
9.2.6 Phase 4: Showing compliance
9.2.7 Cloud Computing Compliance Guideline: feasibility of implementation
9.2.8 External validation
9.2.9 What is missing?
9.3 Conclusions
10 Conclusions, discussion and future work
10.1 Conclusions
10.1.1 Customer demands
10.1.2 Data location…
Source: University of Twente