
The documentation of performed data processing and applied safeguards is necessary to provide an information basis for compliance monitoring and reporting (cf. Section 3.6.4). Relevant information for documentation covers in particular the events and location of data processing and storing, attempted and granted access (to cloud management, virtual resources and hardware resources), and administrator activities (of cloud customer and cloud provider).

In cloud infrastructures, documentation can be implemented on the level of (i) cloud management, (ii) virtual resources, and (iii) hardware resources. Table 4.2 provides an overview of possible information sources and the items that can be documented at each level, which are discussed in the following.

On the cloud management level, it is possible to document the management actions of cloud customers and cloud provider as well as the behaviour, configuration, and status of the cloud infrastructure. In particular, documentation of communication with the management interface provides evidence of management actions performed by the cloud customer and cloud provider and of their information basis (which is provided by the management front-end and used for management decisions). The same information can be documented for communication with third party cloud infrastructures. Such information is important for clarifying the responsibility for the configuration of virtual resources and their applied security policies. Further, it is possible to gather information on virtual resources that are visible to the cloud management (e.g., virtual resource identifier, resource configuration, and assigned hosting site). Such information can be used to verify the compliance of management functions and can be compared with information gathered on the virtual resource layer and the hardware resource layer for plausibility checks. However, the value of evidence of information provided by management interfaces is limited, since the source of information is not verified. For example, the information can be taken from the cloud management databases, like the nova database on resources and their state.¹

On the virtual resource level, the interaction of end systems located outside the cloud with virtual resources located inside the cloud can be documented. This is needed to supervise access to virtual resources and data transfer to end systems. Additionally, logging mechanisms of guest OS and applications running on virtual resources can be used to document the data processing in virtual resources and applied security measures. In IaaS, these logging mechanisms are operated on behalf and within the area of responsibility of the cloud customers and are not available to the cloud provider. The same holds true for communication between virtual resources via the cloud customer’s VPN. The cloud customer can decide to provide the logging and communication information to the cloud provider, and additionally, can use it for comparison with information provided by the cloud provider for plausibility checks.

On the hardware resource level, it is possible to document the operation of the hardware resources and the hypervisor. The hardware resources and hypervisor are both operated at the hosting site. Therefore, the visibility of their operation at the cloud management level depends on the information provided by the hosting sites (for example, via the VMI), and consequently, can vary in granularity and trustworthiness for different hosting sites. The operation of hardware resources and the hypervisor are not visible at the virtual resource level, because they are obscured by the resource virtualisation. Therefore, both the hardware resources and the hypervisor are important information sources for documenting data processing in the cloud. In

¹ OpenStack wiki entry on ‘HAforNovaDB’ (high availability for Nova database), on the Internet: https://wiki.openstack.org/wiki/HAforNovaDB (last visited: 30.06.2015).

Table 4.2: Documentation in cloud infrastructures

| Level | Information sources | Items of documentation |
|---|---|---|
| Cloud management | Communication with management front-ends, hosting sites, and third party cloud infrastructures | Triggered actions; Requested virtual resource configuration and security policy; Reported feedback; Applied communication security; Actor’s identifier used for authentication |
| Cloud management | Information provided by the management interfaces (i.e., CMI, FMI, and VMI) | Configuration and status of virtual resources; Configuration and status of cloud management components; Communication endpoints; Identifier of virtual resources |
| Cloud management | Control messages of the management interfaces | Actions triggered and performed by using the management interface; Response messages of the connected systems; Identifier of virtual resources |
| Virtual resources | Communication with end systems | Access (attempts and granted) to virtual resources; Data transfer to end systems; Applied communication security; Communication endpoints; Actor’s identifier used for authentication |
| Virtual resources | Logs generated within virtual resources (e.g., by guest OS and applications running on virtual resources) | Actions triggered and performed by guest OS and applications (e.g., data processing); Configuration and status of guest OS, applications, and security measures within the virtual resources |
| Virtual resources | Communication between virtual resources | Actions triggered and performed by virtual resources (and hosted guest OS and applications); Response messages of virtual resources; Data transfer; Applied communication security; Communication endpoints; Identifier of involved virtual resources |
| Hardware resources | Communication with end systems | Applied communication security; Identifier of involved end systems; Communication endpoints; Actor’s identifier used for authentication |
| Hardware resources | Information provided by the hardware management interfaces | Configuration and status of hardware resources |
| Hardware resources | Information provided by the hypervisor | Configuration and status of virtual resources; Identifier of hardware and virtual resources |
| Hardware resources | Logs generated on hardware resources (e.g., by OS and applications running on hardware resources) | Actions triggered and performed by OS and applications (e.g., data processing); Configuration and status of OS, applications, and security measures running on the hardware resources |
| Hardware resources | Communication between hardware resources | Actions triggered and performed by hardware (and hosted OS and applications); Response messages of hardware resources; Applied communication security; Communication endpoints |

particular, the information on their operation can be used to identify the allocated hardware resources that are used for operating virtual resources. Information on resource allocation allows the verification of the location of data processing and the effective level of security, which are both important for legally compliant data processing (cf. Section 4.2.1).

Other sources of information are vulnerability analyses performed on hardware resource and virtual resource level as well as the manual entry of information by involved parties (e.g., cloud customer and cloud provider) [207]. Neither is limited to a specific level of cloud infrastructures.

A vulnerability analysis allows the inspection of the effectiveness of implemented security measures, and therefore, provides an information basis on which to verify and extend documentation on security measures created by the logging mechanisms mentioned above. There exist frameworks for systematic and comparable vulnerability analyses [101] [216] [155], and it is possible to perform vulnerability analyses on an automated basis (e.g., by using OpenVAS [168]). By using existing frameworks and tools, vulnerability analyses can be considered a reliable and comprehensive method for gathering information on the effectiveness of implemented security measures.

Manual entry of compliance relevant information provides the opportunity to document additional information that is not directly assessable from the cloud infrastructure (e.g., purpose of data processing and contract information). Further, the information can be used for plausibility checks of assessable information in the cloud infrastructure (e.g., the geo-location of hosting sites and customers’ requirements for data processing). The reliability of manual entries is limited to the correctness of the entered information. Due to media discontinuity, there can be transcription errors and misrepresentation (fraudulent or accidental). Double checking manual entries, in particular by multiple parties (e.g., cloud provider and cloud customer), can help to detect transcription errors and misrepresentation. However, transcription errors and misrepresentation can remain undetected, and therefore, are a matter of the trust relations between the involved parties (particularly between the cloud provider and cloud customer).
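The plausibility checks described above (cloud management data compared with hypervisor data, and manually entered site geo-locations compared with customers' location requirements) can be sketched as follows. This is an added example, not code from the original text; the record types, finding labels and sample data are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MgmtRecord:          # what the cloud management database claims
    vm_id: str
    hosting_site: str

@dataclass(frozen=True)
class HypervisorRecord:    # what a hosting site's hypervisor reports
    vm_id: str
    host_id: str
    hosting_site: str

def plausibility_check(mgmt, hyper, site_country, allowed):
    """Return sorted (vm_id, finding) pairs for every inconsistency."""
    findings = set()
    reported = {}
    for h in hyper:
        reported.setdefault(h.vm_id, []).append(h)
    for m in mgmt:
        if m.vm_id not in reported:
            findings.add((m.vm_id, "missing-on-hypervisor"))
        for h in reported.get(m.vm_id, []):
            if h.hosting_site != m.hosting_site:
                findings.add((m.vm_id, "site-mismatch"))
            # Judge location by where the hypervisor says the VM runs,
            # using the manually entered geo-location of that site.
            country = site_country.get(h.hosting_site)
            if country is None:
                findings.add((m.vm_id, "site-location-undocumented"))
            elif country not in allowed.get(m.vm_id, set()):
                findings.add((m.vm_id, "location-not-permitted"))
    # Virtual resources the hypervisors run but management does not know.
    for vm_id in reported.keys() - {m.vm_id for m in mgmt}:
        findings.add((vm_id, "unknown-to-management"))
    return sorted(findings)

# Constructed sample data (illustrative only).
MGMT = [MgmtRecord("vm-1", "site-a"), MgmtRecord("vm-2", "site-a"),
        MgmtRecord("vm-3", "site-b")]
HYPER = [HypervisorRecord("vm-1", "host-11", "site-a"),
         HypervisorRecord("vm-2", "host-27", "site-c"),
         HypervisorRecord("vm-9", "host-11", "site-a")]
SITE_COUNTRY = {"site-a": "DE", "site-b": "DE", "site-c": "US"}  # manual entries
ALLOWED = {"vm-1": {"DE"}, "vm-2": {"DE"}, "vm-3": {"DE"}}       # customer requirements

if __name__ == "__main__":
    for vm_id, finding in plausibility_check(MGMT, HYPER, SITE_COUNTRY, ALLOWED):
        print(vm_id, finding)
```

A finding only shows that two sources disagree; which source is wrong still has to be established, since neither the management database nor a manual entry is verified at its origin.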
