Page 603 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

standards as your organization. Many cloud vendors may actually provide a more secure environment than most organizations can maintain themselves. Cloud providers often have the resources to invest in security engineers, operations, and testers that many small to midsize (or even large) organizations simply can't afford. It is important to investigate the security of a cloud service before adopting it.

With the increased burden of industry regulations, such as the Sarbanes–Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), it is essential to ensure that a cloud service provides sufficient protections to maintain compliance. Additionally, cloud service providers may not maintain your data in close proximity to your primary physical location. In fact, they may distribute your data across numerous locations, some of which may reside outside your country of origin. It may be necessary to add a clause to the cloud service contract restricting your data to specific logical and geographic boundaries.

It is important to investigate the encryption solutions employed by a cloud service. Do you send your data to them pre-encrypted, or is it encrypted only after reaching the cloud? Where are the encryption keys stored, and who controls them? Is there segregation between your data and that belonging to other cloud users? An encryption mistake can reveal your secrets to the world or render your information unrecoverable.
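The questions above are easier to evaluate with a concrete picture of what "pre-encrypted with customer-held keys" looks like. The following is an added example written for this page, not code from the study guide or from any cloud provider's SDK. It shows client-side envelope encryption: each object is sealed under a fresh data-encryption key (DEK), and the DEK is itself sealed under a key-encryption key (KEK) that never leaves the customer. What the provider stores is only the envelope. The object name is bound as additional authenticated data so a stored envelope cannot be quietly reattached to a different object. The tenant keys, object names, and record contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing uploaded to the provider. Nothing in it is
// usable without the customer's KEK, which stays on premises.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the KEK (nonce prepended)
	Ciphertext []byte // object sealed under the DEK (nonce prepended)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. It fails on the wrong key, wrong AAD, or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// NewKey returns a fresh random 256-bit key (used for both KEKs and DEKs).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Encrypt is the client side: a fresh DEK per object, data sealed under the
// DEK, DEK sealed under the KEK. objectID is bound as AAD on both layers.
func Encrypt(kek, plaintext []byte, objectID string) (*Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt reverses Encrypt. Without the correct KEK the DEK cannot be
// unwrapped, so the data is unrecoverable: the protection and the risk.
func Decrypt(kek []byte, env *Envelope, objectID string) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(objectID))
}

func main() {
	tenantA, _ := NewKey() // constructed: customer A's KEK, never uploaded
	tenantB, _ := NewKey() // constructed: an unrelated tenant's KEK
	env, _ := Encrypt(tenantA, []byte("constructed sample record"), "tenantA/records/1")
	// Provider-side view: only the envelope is stored.
	fmt.Printf("stored %d ciphertext bytes, %d wrapped-key bytes\n",
		len(env.Ciphertext), len(env.WrappedDEK))
	pt, err := Decrypt(tenantA, env, "tenantA/records/1")
	fmt.Println("owner decrypts:", string(pt), err)
	_, err = Decrypt(tenantB, env, "tenantA/records/1")
	fmt.Println("other tenant decrypts:", err)
}
```

The per-object DEK means a compromised or subpoenaed object exposes only that object, and rotating the KEK requires re-wrapping the small DEKs rather than re-encrypting every stored byte. The flip side is exactly the "unrecoverable" caveat in the text: the KEK must be backed up and escrowed by the customer, because the provider cannot help recover it.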

What is the method and speed of recovery or restoration from the cloud? If you have system failures locally, how do you get your environment back to normal? Also consider whether the cloud service has its own disaster-recovery solution. If it experiences a disaster, what is its plan to recover and restore services and access to your cloud resources?

Other issues include the difficulty of conducting investigations on shared, provider-controlled infrastructure, concerns over data destruction, and what happens if the current cloud-computing service goes out of business or is acquired by another organization.

               Snapshots are backups of virtual machines. They offer a quick means