
IT-Compliance Analysis for Cloud Computing (Dirk Aumueller)


University of Applied Sciences Darmstadt, Faculty of Computer Science

IT-Compliance Analysis for Cloud Computing

A thesis submitted for graduation to the academic degree Master of Science (M.Sc.), submitted by Dirk C. Aumueller

Examiner: Prof. Dr. Christoph Wentzel
Second Examiner: Prof. Dr. Bruce Litow
Date of Issue: 16 February 2010
Date of Submission: 16 August 2010

Declaration

I hereby declare that I have produced this paper without the use of any unauthorized material or sources or assistance of third parties and without making use of aids other than those specified. Concepts or assumptions taken over directly or indirectly from secondary sources have been identified as such. Figures and tables in this thesis are either produced by myself or the original sources have been duly identified. This paper has not previously been presented in identical or similar form to any other German or foreign examination board. The thesis work was conducted from 16 February to 16 August 2010 under the supervision of Prof. Dr. C. Wentzel (University of Applied Sciences Darmstadt, Germany) and Prof. Dr. B. Litow (James Cook University, Australia).

Darmstadt, 16 August 2010
Dirk C. Aumueller

Confidentiality Agreement

The publication of this master's thesis, its duplication or distribution, whether in parts or complete, to third parties is prohibited without written approval of the author. Submitted copies must be archived by the supervisor. I am aware that the production of a master's thesis poster and the accomplishment of the colloquium are not part of this confidentiality agreement. The obligation of confidentiality automatically expires after five years.

Darmstadt, 16 August 2010
Dirk C. Aumueller

Abstract

IT, its development and optimization, and the accompanying massive support of commerce and business processes are advancing ever faster.
At the same time, national and international legal and regulatory requirements for businesses are becoming more complex and more important. Their influence on strategy, governance and the alignment of all business departments can no longer be neglected by a company that wants to survive in the market. The two biggest drivers for regulatory measures to ensure transparency are globalization and the still ongoing financial and economic crisis. These circumstances strengthen the need and interest of businesses for alternatives that reduce acquisition and operational costs and optimize business processes. Mapped to IT, this calls for a concept that provides quickly and easily configurable services and pooled IT resources over a broadband network. These have to be procurable by self-provisioning, react elastically to workload and performance demands, ensure complete measurability, and be billable according to pay-per-use models. The answer to this demand is cloud computing. However, cloud computing is still in its development phase, subject to continuous change, and has not yet produced one consistent concept. Questions of security and conformity with regulatory requirements on the national and international level are hardly answered, if at all only in isolated cases, and therefore discourage potential users. This master's thesis takes up the challenge of analysing IT-compliance, in the sense of the verifiability of data security, for cloud computing in Germany. First, the current state of cloud computing is defined and described comprehensively. Next, data security and verifiability criteria are defined and validated against German legislation. Subsequently, an enquiry of facts on three popular cloud services of Amazon, Google and Salesforce.com applies the defined IT-compliance criteria to them. The result is disillusioning and allows only recommendations for the validation and confirmation of IT-compliance for cloud computing.
The recommendations compiled in this master's thesis provide a substantial contribution for decision-makers in businesses, including upper management as well as IT departments, because both parties are confronted with the challenges of IT-compliance when cloud computing is introduced.

Abstrakt (German abstract, translated)

IT, its development and optimization, and the accompanying massive support of the business world and business processes are advancing ever more strongly and rapidly. At the same time, the national and international legal and regulatory requirements on companies are becoming more complex and more important. Their influence on strategy, governance and the alignment of all business units can no longer be neglected if a company is to survive in the market. The two biggest drivers of regulatory measures to ensure transparency are globalization and the still ongoing financial and economic crisis. This strengthens companies' search for and interest in ways to reduce acquisition and operating costs and to optimize business processes. Formulated for IT, a concept is sought that provides urgently needed and easily configurable services and pooled IT resources over a broadband network. These must be self-provisionable, react elastically to workload and performance demands, guarantee comprehensive measurability and be billed according to pay-per-use models. The answer to this search is cloud computing. However, cloud computing is only just emerging, is subject to constant change and has not yet produced a unified concept. Questions of security and of conformity with regulatory requirements at the national and international level can only be answered with difficulty, if at all in individual cases, and therefore deter interested companies.
This master's thesis takes up the challenge of analysing IT-compliance, that is, the verifiability of data security, in cloud computing for Germany. First, cloud computing is defined and comprehensively described as of today. Next, data security and verifiability criteria are defined and validated on the basis of German legislation. A subsequent analysis of three popular cloud services from Amazon, Google and Salesforce.com applies the defined IT-compliance criteria to them. The result is sobering and permits only the naming of recommendations for achieving IT-compliance in cloud computing. The recommendations developed in this master's thesis make an important contribution for decision-makers, both in company management and in the IT department, since both groups are confronted with the challenges of IT-compliance when cloud computing is introduced.

Preamble

Writing a scientific paper such as a master's thesis demands the support of many individuals in order to be finished successfully. Hence, I owe very special thanks to all my supporters who gave me advice and showed lots of patience. I would especially like to thank Mr. M.-P. Kost for his willingness to supervise and encourage my master's thesis. At this point, I would like to say thank you very much for his cooperation and patience. Furthermore, I would particularly like to thank Dr. H. Haessig for his willingness to familiarize himself with my topic and his intensive support in methodical and legal challenges during many constructive discussions. Also, my thanks go to Mr. P. Holly, who already supervised and supported my master's thesis during my semester abroad in numerous discussions. His introduction to cloud computing established my interest in and understanding of future challenges.
In general, I would like to thank EMC Deutschland GmbH for the great cooperation during research and writing of this master's thesis, the provision of expert knowledge, documentation and further relevant papers. My thanks also go to Mrs. S. Amirzada for her help with the English revision of this thesis. Finally, I owe very special thanks to my parents, who have always had faith in me and supported my studies as best as possible. Thank you very much.

Contents

1. Introduction and Motivation
1.1. Economics Today
1.2. A New Challenge Arises: Cloud Computing
1.3. IT-Governance
1.4. Motivation

2. State of the IT
2.1. Key Technologies
2.1.1. High-Speed Broadband Network Access
2.1.2. Data Centers
2.1.3. Storage
2.1.4. Virtualization
2.1.4.1. Advantages of Running a Virtual Machine
2.1.4.2. Virtualized Infrastructure Benefits
2.1.4.3. Virtualization Disadvantages
2.2. Cloud Computing Definition
2.3. Essential Cloud Characteristics
2.4. Evolution of Cloud Computing
2.5. Drivers to Cloud Adoption
2.5.1. Small Initial Investment and Low Ongoing Costs
2.5.2. Economies of Scale
2.5.3. Open Standards
2.5.4. Sustainability
2.6. Service Delivery Models
2.6.1. Infrastructure-as-a-Service
2.6.2. Platform-as-a-Service
2.6.3. Software-as-a-Service
2.7. Deployment Models
2.7.1. Public Cloud
2.7.2. Private Cloud
2.7.3. Hybrid Cloud
2.8. Impact of Cloud Computing for Users and Companies
2.8.1. Start-Ups
2.8.2. Small and Medium Enterprises
2.8.3. Large Enterprises
2.9. Cloud Computing as Outsourcing Model
2.10. Adoption Barriers to Cloud Computing
2.10.1. Security
2.10.2. Privacy
2.10.3. Political Issues Due to Global Boundaries
2.10.4. Further Barriers
2.10.4.1. Connectivity and Open Access
2.10.4.2. Reliability
2.10.4.3. Interoperability
2.10.4.4. Cloud Service Provider Independence
2.10.4.5. Economic Value
2.11. Service Level Agreements

3. IT-Compliance
3.1. Introduction to IT-Compliance
3.1.1. The IT-Compliance Gap
3.1.2. Overview of Acts and Regulations with Influence on Cloud Computing and Compliance
3.1.3. Scoping of IT-Compliance
3.2. IT-Compliance Criteria for Data Security
3.2.1. Availability
3.2.1.1. System Configuration
3.2.1.2. Physical Access Control
3.2.1.3. Availability Control
3.2.1.4. Indexing and Retrieval
3.2.1.5. Data-backup and Restart Processes
3.2.1.6. Dependence on Physical Location
3.2.2. Integrity
3.2.2.1. Input Control
3.2.2.2. Immutability of Documents
3.2.3. Confidentiality
3.2.3.1. Logical Access Control
3.2.3.2. Permission Access Control
3.2.3.3. Transmission Control
3.2.3.4. Isolation Control
3.2.4. Verifiability
3.2.4.1. Order Control
3.2.4.2. Logging
3.2.4.3. Documentation for Development and Release Processes
3.2.4.4. Documentation for Technical and Objective Solutions
3.3. Regulatory Requirements on IT-Compliance Criteria
3.3.1. Data Protection Directive 95/46/EC
3.3.2. Admissible Evidence
3.3.3. Accounting
3.3.3.1. German Commercial Code
3.3.3.2. Generally Accepted Accounting Principles
3.3.3.3. Tax Code
3.3.3.4. Value Added Tax Act
3.3.3.5. Other Regulation for Accounting
3.3.3.6. Laws and Technological Responsibility
3.3.4. Liability
3.3.4.1. Product Liability
3.3.4.2. Manufacturer's Liability
3.3.5. Data Privacy
3.3.5.1. Federal Data Protection Act
3.3.6. Law and Criteria Table
3.4. Cloud Computing IT-Compliance Audit Standards in Germany

4. Transformation of IT-Compliance Criteria into IT-Requirements
4.1. IT-Requirements based on IT-Compliance Criteria: Explanatory Statement
4.2. System Configuration
4.3. Physical Access Control
4.4. Availability Control
4.5. Indexing and Retrieval
4.6. Data-Backup and Restart-Processes
4.7. Dependence on Physical Location
4.8. Input Control
4.9. Immutability of Documents
4.10. Logical Access Control
4.11. Permission Access Control
4.12. Transmission Control
4.13. Isolation Control
4.14. Order Control
4.15. Logging
4.16. Documentation for Development and Release Processes
4.17. Documentation for Technical and Objective Solutions

5. Enquiry of Facts on Popular Cloud Services
5.1. Amazon S3 (IaaS)
5.2. Google AppEngine (PaaS)
5.3. Salesforce.com (SaaS)
5.4. General Result of the Enquiry of Facts for Cloud Computing Services

6. IT-Compliance Recommendations for Cloud Computing
6.1. General Recommendations
6.2. Migration Strategy for Cloud Computing
6.3. Customized Service Level Agreements

7. Conclusion
7.1. Achieved Results
7.2. Forecast

A. Appendix
A.1. Table of Laws
A.1.1. German Civil Code (Bürgerliches Gesetzbuch - BGB)
A.1.2. Code of Civil Procedure (Zivilprozessordnung - ZPO)
A.1.3. German Commercial Code (Handelsgesetzbuch - HGB)
A.1.4. Tax Code (Abgabenordnung - AO)
A.1.5. Value Added Tax Act (Umsatzsteuergesetz - UStG)
A.1.6. German Signature Act (Gesetz über Rahmenbedingungen für elektronische Signaturen - SigG)
A.1.7. Product Liability Act (Produkthaftungsgesetz - ProdHaftG)
A.1.8. Limited Liability Company Act (GmbH-Gesetz - GmbHG)
A.1.9. German Stock Companies Act (Aktiengesetz - AktG)
A.1.10. Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG)
A.1.11. Attachment (for § 9 sentence 1 BDSG / zu § 9 Satz 1 BDSG)

Bibliography

List of Figures

1.1. Structure of the master's thesis
2.1. The cloud computing paradigm defined by NIST
2.2. The historical evolution of cloud computing
2.3. Cloud benefits as surveyed by IDC
2.4. The cloud service delivery models at a glance
2.5. The three cloud computing deployment models
2.6. Usage of cloud computing according to IDC
3.1. Interaction of governance, risk management and compliance
3.2. The compliance gap between executive management and IT department
3.3. The solution for the compliance gap between executive management and IT department
3.4. Laws with influence on corporate governance including IT-compliance and IT-governance
3.5. All identified and sorted IT-compliance criteria with influence on this master's thesis
3.6. Structure of laws with influence on IT-compliance
3.7. Example of a risk management concept
3.8. The eight principles of the attachment for § 9 sentence 1 BDSG
5.1. Salesforce.com's certifications
5.2. The maturity level of the three different analysed cloud services and the appropriate customer demand

List of Tables

2.1. Comparison of the traditional IT infrastructure and cloud computing
3.1. IT-compliance criteria
5.1. Amazon S3's compliance status according to identified IT-compliance criteria
5.2. Google AppEngine's compliance status according to identified IT-compliance criteria
5.3. Salesforce.com's compliance status according to identified IT-compliance criteria

1. Introduction and Motivation

"One reason IT suppliers are sharpening their focus on the 'cloud' model is its growth trajectory, which - at 27 % CAGR - is over five times the growth rate of the traditional, on-premise IT delivery/consumption model." (IDC)

The introduction briefly summarizes the recent economic situation that has led to the current circumstances. It provides a general overview and justifies the importance of IT-governance. Second, the motivation for this master's thesis is presented and the rationale on which it is based is explained.

1.1. Economics Today

Today's working environment is globalized. In addition, the influence on business itself through the introduction of business processes with massive support of Information Technology (IT) makes working in a global environment more complex. This complexity offers benefits (e.g. niche markets) and disadvantages (e.g. unclear organizational structures) to which businesses have to react in order to stay successful in the market. At the end of the twentieth century, with the accompanying "dotcom" bubble, the motto was "IT drives Business". The costs for IT increased exorbitantly without its value and use being questioned. This led to the "dotcom" crash [Inv10] in the year 2000 and hit the New Economy hard. The consequence was the insolvency of many high-technology businesses. After a prolonged consolidation phase, businesses started to understand that "Business drives IT" and not vice versa.
Therefore, IT took on the role it was originally intended for: the support of business with appropriate and efficient measures. In addition, legal regulations were enacted for transparency reasons to prevent another crisis. A transformation process began in which businesses started to map requirements and business processes to IT. The archetype was a lean business equipped with only the necessary IT resources. This transformation process boosted the maturing of IT and its role as a support function of high importance. However, businesses evidently became not only lean, but also steep. After a few years of economic growth, the year 2008 brought the next challenge for businesses. The financial crisis, triggered by the banking and investment sectors, escalated into a worldwide economic crisis. Again, businesses were looking to cut costs and to introduce new concepts to trim down business processes in order to react more flexibly to fluctuations in the market. Governments reacted by enacting new and advanced legal regulations. In the meantime, technological advances and the maturity of IT progressed to deliver a new concept for business.

1.2. A New Challenge Arises: Cloud Computing

The financial and economic crisis mentioned above led to numerous ideas for optimizing business and IT. Here, grid computing (see [Cen10] for more information) and cloud computing (see chapter 2) are considered the best approaches for its practical realization. Both concepts promise cost reduction, pay-per-use, flexibility, effective usage of the IT infrastructure, and unified management. However, grid computing focuses only on offering one application per IT infrastructure, while cloud computing covers the complete IT infrastructure and application stack. The result is that cloud computing is experiencing a big hype pushed by IT producers, vendors and consultants.
Currently, the concept of cloud computing is not clearly defined, which allows almost any product to be labeled as a contribution to the idea of cloud computing. In addition, the IT industry is rushing forward to identify and occupy new markets which enable new business models and promise substantial benefits for customers. Lastly, the market demand for cloud IT infrastructure has increased [Com10b], which appears to consolidate trust in the bright future of cloud computing. A wide variety of cloud computing services, partly free of charge for private consumers and partly pay-per-use for businesses, attests to this observation. Thus, this master's thesis focuses partly on cloud computing and its challenge to boost business by providing better IT support.

1.3. IT-Governance

The development of IT-governance can be traced back directly to the knowledge gathered during the "dotcom" crash. It is management's responsibility to align all IT resources with the overall business strategy, processes and aims. These efforts are concentrated in IT-governance and can be realized by introducing a common framework (e.g. CobiT, ISO 20000, and ITIL). IT-governance usually interacts with the risk and compliance domains, because all three share an objective and are inseparably linked. Together they are implemented in businesses as Governance, Risk and Compliance (GRC). The incidents mentioned in chapter 1.2 already prove the necessity of control mechanisms for the proper operation of IT according to established business processes. However, these frameworks are not yet ready, at least partially, for the implementation of the new concept of cloud computing. Major efforts are required to update and extend the existing, proven and tested frameworks to the new challenge. It is obvious that these frameworks are a critical driver for the integration of cloud computing, as they focus on e.g.
compliance and data security. With cloud computing evolving at the moment, IT-governance and its important subdomain IT-compliance will undergo continuous change during the next few years until all issues and open questions are answered thoroughly.

1.4. Motivation

The complexity of business and the drive of constantly changing markets demand quick resolutions for business. Here, IT-governance serves as a strategic and tactical instrument to align IT with business needs. For this alignment it includes legal requirements, sector-dependent frameworks and certifications, and even business philosophies. On the other hand, IT itself is maturing and providing sophisticated auxiliary measures to support business. Cloud computing as a new design concept for IT and business, and its implementation, raises the question of compliance with the requirements mentioned above. IT-governance is a rather big domain, because it includes and interacts with risk and compliance issues. Therefore, it is wise to focus on a certain subdomain of IT-governance. Data security is always a big and controversial topic in German public debate, and the compliance of the corresponding IT infrastructure is of high importance, e.g. for tax authorities. In addition, the fear of private persons and businesses regarding the misuse of private information is immense and carries the risk of prosecution for companies. Hence, this master's thesis focuses on the IT-compliance of data security with cloud computing. The described circumstances are the motivation for this master's thesis and lead to the research question: "Is IT-compliant data security possible and transparent with cloud computing?" Figure 1.1 displays the order of research to answer the above question. This thesis starts in chapter 2 with a comprehensive description and definition of cloud computing to familiarize the interested reader with this new architectural design.
Next, chapter 3 shifts the research work to the definition of data security and IT-compliance criteria and their justification in current German legislation. Based on the insights of the previous chapter, chapter 4 transforms the abstract IT-compliance criteria into abstract IT-requirements. Combining the IT-compliance and IT domains, an enquiry of facts is carried out in chapter 5. This enquiry of facts is the main part, where the motivating question of this master's thesis is answered. As a result, recommendations are expressed in chapter 6 for dealing with IT-compliant data security and cloud computing, whatever findings the enquiry of facts may reveal.

Figure 1.1.: Structure of the master's thesis

2. State of the IT

"Cloud computing will be as influential as E-business." (IDC)

This chapter explains and defines cloud computing to form the basis for the remainder of this master's thesis. It includes information about key technologies, a definition of cloud computing, the evolution of cloud computing and drivers to cloud adoption. In addition, the different service delivery models, cloud deployment models, the impact of cloud computing for users and companies, cloud computing as the next, maybe final, stage of outsourcing, and barriers to adoption round off the topic. Lastly, a short introduction to Service Level Agreements is given. For this reason, the chapter is a quite comprehensive compendium of the current state of cloud computing.

2.1. Key Technologies

Cloud computing is based on four key technologies: high-speed broadband access, data centers, storage and virtualization. All four have reached a maturity level where they are treated as commoditized products. They are widely accepted and established within the industry. The benefits of stand-alone operation of each key technology have already been explored and integrated into IT infrastructure and business.
At this point, cloud computing appears as an architectural concept which combines, integrates and consolidates all four key technologies.

2.1.1. High-Speed Broadband Network Access

The Internet began its triumphal march in the late 1990s, and a world without it is unimaginable today. As the Internet matured, more and more services went online. Companies without a web presence are almost unthinkable, because the Internet is not just a nice gimmick, but a big marketing and sales channel. The evolution of Internet access started with modems, which were slow (up to 56 kbit/s). Mass adoption was reached in Germany with the spread of the Integrated Services Digital Network (ISDN, see [Wik10d]). The difference in speed between surfing the Internet by modem and by ISDN is remarkable and was a first step towards broadband network access. ISDN is today's choice for landline communication and the basis for its successor. As the Internet grew and more and more information became available, ISDN became too slow to transfer complex web pages. The result was extensive marketing of the Digital Subscriber Line (DSL, see [Wik10c]) by telecommunication providers. Again, the increase in speed enabled more sophisticated and complex services. DSL offers speeds of up to 500 Mbit/s, whereas usually 16 Mbit/s are available from telecommunication providers. In addition, cellular mobile telephony is a rapidly growing market which enhances broadband network access with mobility, making Internet services usable wherever you go.

High-speed broadband network access is a key technology for cloud computing, because the execution of complex and integrated applications can be transferred from client computers to servers reachable via networks, e.g. the Internet. End-users with high-speed broadband network access experience these applications (now as web editions) the same way as a local installation, in terms of reaction time and convenience.
Another advantage concerns the configuration of client devices, which, depending on application requirements, is costly. With cloud computing and its key technology of high-speed broadband network access, any available web browser is sufficient for operation. Key technologies are always critical for the operation and success of a concept. Permanent interruption or temporary unavailability of high-speed broadband network access is a total disaster for cloud computing and its users, depending on their cloud services. It is therefore imperative to back up and protect network access with measures that ensure network availability, e.g. backup network access via a second telecommunication provider.

2.1.2. Data Centers

Data centers have undergone a remarkable development since the early stages of computing and are a key technology in the wider sense. They were and still are the locations that host all computing resources; initially housing one single big computer, and today even hundreds of thousands. The evolution of IT and the ability to build smaller computers made this housing possible. Today's data centers are a small world of their own. They host the IT infrastructure, surrounded by protective measures to guarantee the physical security of all data. In addition, clustering huge numbers of computers has the disadvantage of heat, and therefore an appropriate cooling system is integrated to keep temperatures low. Data centers are also built to withstand disasters like power failure. Diesel generators and fuel supply tanks protect computing continuity during an external power failure. In the late 1990s a decentralization of computing began, as computers became cheap enough to be bought by consumers. Today each computer has enough capacity for office work, gaming or just surfing the Internet. Now, cloud computing is starting to centralize IT infrastructure and computing power again.
Another term for cloud is one or more cloud data centers which provide applications, storage and infrastructure as services. These services are highly scalable, always up to date and have moderate pay-as-you-use prices (or even base offers for consumers free of charge). Cloud data centers enable companies to reduce costs for their IT department in a first step. Later, the elimination of their entire IT infrastructure might result, leaving only thin devices to use external cloud services. Another advantage of cloud data centers is Green IT. Compared to traditional data centers, cloud data centers have a much better degree of capacity utilization (see chapter 2.1.4). Data centers have disadvantages, too. A blackout of a complete data center leads to great economic damage to all customers which source services from the cloud data center. In addition, cloud data centers become favored targets for cybercrime, because data is concentrated in one location and not spread across several small data centers. Cloud providers must take appropriate actions for protection. Here, economies of scale bring cloud computing the advantage of implementing a complete protection and security approach for cloud data centers.

2.1.3. Storage

Storage is another key technology for cloud computing, because today’s information and data is stored on electronic and mechanical volumes. Starting in the 90s with some hundred Megabytes, the capacity of a single hard drive today has reached 2 GB and more. A whole industry is engaged in producing better and faster storage devices to save more information in less space. Information is capital for companies, and they rely on its availability at all times. Cloud computing makes use of two scenarios for storage: first, storage as a service in the cloud and second, pure storage in the background.
With storage as a service, customers receive scalable storage for their business at moderate costs compared to having their own IT infrastructure. Pure storage means space to either save data or host virtual machines. Transferring storage to cloud services saves costs, but might bring disadvantages. Privacy, secrecy and ownership are open questions when data is in the cloud. In addition, legal and compliance issues need clearance.

2.1.4. Virtualization

The last and most important key technology is virtualization. Virtualization provides the user with an abstraction layer to detach the software layer from hardware, computing power and storage. This logical layer hides the underlying physical hardware and enables the integration of different heterogeneous hardware resources into one homogeneous resource. It leads to the separation of hardware and software in order to stay flexible. The main reasons for operating a virtualized IT environment are cost reduction and raising computing efficiency. In addition, technological advances now allow the proper utilization and operation of virtualization on a big scale. Virtualization is the major enabler for the cloud computing concept. A good definition of virtualization is: "Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system, a server, a storage device or network resources [Tec00]." The source of the definition also explains virtualization in detail and in the context of different areas of IT (see [Tec00]).

2.1.4.1. Advantages of Running a Virtual Machine

The first advantage of running a virtual machine is compatibility. A virtual machine, like a physical computer, includes its own emulated hardware components, operating system and applications. The result is the same compatibility with all operating systems for the x86 architecture, the necessary hardware drivers and applications as when running a non-virtualized computer. Isolation is the second advantage.
Even though several different virtual machines use the same hardware resources on which they are hosted, they are contained as if running on their own physical server. If one virtual machine fails with an error, the others are not affected. The advantage of isolation is higher security and availability for critical applications.

The third advantage is encapsulation. A virtual machine is like a container including the complete hardware, operating system and applications. This creates easier management for the responsible administrators, and the virtual machine is portable.

Hardware independence is the fourth advantage. The virtual components of a virtual machine can be configured completely differently, because it is separated from the physical hardware through the virtualization layer. Combining compatibility and encapsulation, hardware independence enables the movement of a virtual machine from one x86 computer to another without the need to upgrade or install new device drivers, operating system or application updates. The result is the operation of different virtual machines with different hardware requirements on one physical computer.

2.1.4.2. Virtualized Infrastructure Benefits

Virtualization of a few servers is the start of the journey towards a virtualized IT infrastructure. The real benefits for small, medium and enterprise sized companies become obvious when transforming the complete traditional IT infrastructure into a virtualized IT infrastructure. Raising the efficiency of existing resources is an obvious benefit. Today’s data centers are complex and confusing because of the sheer number of servers to manage. Virtualization offers the possibility to change the traditional "one application per server" model into an "as many virtual servers as performance allows" model. The average workload of a physical server is low, ignoring certain peaks. Lots of server capacity is wasted.
Analyzing and planning the consolidation process helps to reduce the hardware requirements by 10 to 1 or more (depending on the average workload per server). The consolidation enables a constantly high workload of the remaining physical servers while still keeping a reserve for peaks [VMw10].

Reduction of hardware and operating costs is another benefit. Virtualization reduces purchase costs, because fewer servers are needed. The complexity of the data center shrinks and the administration becomes easier, costing less time and money. Next, energy and cooling consumption declines, which results in lower energy costs. Taking a look at the USA, electric utilities in California like PG&E are offering compensation for virtualization projects because of their significance for the reduction of energy consumption [PE06].

Availability enhancement of hardware and applications is a big benefit for companies. Availability is at its best, because virtual machines are moved between servers when maintenance, backup or migration is required. In addition, disaster recovery is possible in a matter of minutes, not hours or days. All these benefits of virtualization improve business continuity.

Operational flexibility is a result of the above mentioned benefits. Virtualization is a first step to implement dynamic resource management for reacting quickly to market changes. The virtualized IT infrastructure can supply new servers, desktops and applications faster than a traditional IT infrastructure.

Management and security improvements for desktops are the next benefit. Providing virtualized desktops in companies has a major impact on management and security. The management of virtualized desktops becomes easier, because the virtual images are set up once and then distributed. Updates are centrally installed for all virtual machines. This way of providing software plus updates leads to improved security for desktops.
Thus, virtualization contributes to one of the most critical topics in IT: security.

Green IT, including the reduction of environmental pollution, is the last benefit. Besides optimizing the IT infrastructure, virtualization helps to reduce environmental pollution. The market researcher Gartner (www.gartner.com) estimates that already 1.2 million workloads are executed in virtual machines. This is equal to an energy saving of about 8.5 billion kWh (e.g. more than New England consumes for heating, air conditioning and cooling per year) [Inc07]. In addition, IDC (www.idc.com) quotes the unused and therefore wasted server capacity with the following values: 140 billion USD, 3 years of new hardware supply or more than 20 million servers. Calculating the carbon dioxide (CO2) emission with 4 tons per server and year, this means 80 million tons of carbon dioxide yearly. The amount exceeds the emissions of Thailand and of more than half of the South American countries [IDC07].

2.1.4.3. Virtualization Disadvantages

The market analyst RAAD Research (www.raad-research.de) interviewed more than 1,400 IT managers about virtualization in the SAP sector in December 2008 [Com09]. The overall picture was very positive, but some disadvantages of virtualization were mentioned. High efforts in administration and complexity might appear. Starting a virtualization project consumes time and money in the beginning. A precise analysis of the current "as-is" status of the IT infrastructure is necessary to develop a migration plan. For the responsible IT department, the migration is connected with advanced training to build up knowledge about virtualization. Development and preparation of the migration and learning skills for virtualization are a double burden to master. The dependence of virtual machines on working physical hardware is fundamental. Worries about failure of physical hardware are the second most common challenge for virtualization.
The risk of application blackout is high when hosting several virtual machines on one physical host. Appropriate measures are necessary to counter the possible failure of the physical hardware in order to guarantee high availability. Legacy applications miss the virtualization chance, because some old applications depend on specialized hardware. On the other hand, administrators do not want to move databases to virtual machines because of a possible performance loss. These special cases have not been considered in the migration process yet. It is open to dispute whether the costs for licensing and implementation are high. The market for virtualization software has commercial and open source solutions. Commercial solutions for companies seem to perform better, because support agreements ensure business continuity. In addition, the implementation costs of a new technology with extensive consequences for an existing IT infrastructure are probably always high. These disadvantages are known and are addressed by the vendors of virtualization software, e.g. a countermeasure to the dependence on working physical hardware is already implemented by VMware (www.vmware.com) in their software VMotion. In conclusion, it is unimaginable to work today without virtualization.

2.2. Cloud Computing Definition

The term cloud computing relates to drawing (e.g. in the software Microsoft Visio) the Internet or networks in general, especially the infrastructure, as a cloud. It is a synonym for hiding the underlying complexity and technical aspects, as they very often do not matter to the end-users. The end-user is only interested in the result of the services he uses. The definition of cloud computing is the first and most difficult task when talking about it. As most talk is still vague and the definitions vary from company to company or (national) organization, a definition is the basis for going on with this master’s thesis.
This chapter shows several cloud computing definitions and a final one at the end of this chapter. Wikipedia (www.wikipedia.com) is probably the most popular website to start looking for a definition of a certain topic. In the corresponding article, cloud computing is described as "Internet-based development and use of computer technology. In concept, it is a paradigm shift whereby details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure in the cloud that supports them. Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet [Wik10a]." The Wikipedia definition is fully packed and tries to define cloud computing on the conceptual layer with a heap of features which shall satisfy most readers. The definition is a combination of several definitions from different sources, e.g. one part relates to Gartner’s definition as "a style of computing where massively scalable IT-related capabilities are provided as a service using Internet technologies to multiple external customers [Inc08]." Gartner tries to stay more abstract in its definition. The term "IT-related technologies" today covers not only data centers, smartphones or notebooks, but has an influence on almost everything in daily work life. Another definition comes from the IT news site Infoworld (www.infoworld.com), which describes cloud computing as "a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extend IT’s existing capabilities [Inf09a]." Infoworld.com gives basically the same explanation, but in different words.
So, everybody talking about cloud computing knows some details, but might interpret them differently. The last definition provided here comes from the Computer Security Division of the National Institute of Standards and Technology (NIST) (www.nist.gov), which is an agency of the U.S. Department of Commerce. The reason for using this definition is the influence of the U.S. Government on cloud computing, simply because it has "an IT budget of more than 70 billion dollars a year ... [and] represents the largest IT consumer on the planet" [Ela09]. NIST defines cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [NIS10]." NIST’s definition is complete, yet not perfect, and as NIST acknowledges it is still undergoing changes while the topic of cloud computing evolves. Interestingly, when researching the emerging process of cloud computing, NIST seems to be the origin of all definitions, and even big market researchers, e.g. IDC, use them and the corresponding wording. As a result, this master’s thesis is based on NIST’s definition. Figure 2.1 displays the complete picture of cloud computing in NIST’s understanding. The following chapters will take on this figure and explain the important parts.

Figure 2.1.: The cloud computing paradigm defined by NIST [NIS10]

2.3. Essential Cloud Characteristics

The different definitions of cloud computing described in chapter 2.2, and all other definitions available on the Internet, lead back to five essential characteristics to associate cloud computing with [NIS10]. Furthermore, these characteristics are also the main demands of the industry for future IT.
Figure 2.1 shows the five essential characteristics on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service, which are described in detail next.

The first characteristic is on-demand self-service. There is no interaction required in the provisioning process; it is triggered unilaterally by the consumer and accessed automatically, irrespective of which provider is chosen. The provisioning is not limited to one layer of the Everything-as-a-Service stack, but implemented for all. All services are used on-demand, because the consumers’ requirements change from day to day or even within hours.

The second characteristic is broad network access. The fundamental infrastructure requirement is the availability of the network, as all services are provided via it. Network access has to support all different types of clients, including thin and thick clients like notebooks, smartphones or regular desktops. Therefore the network has to be standardized to work in a heterogeneous environment.

The third characteristic is resource pooling. It contains default components like storage, network and virtualization, but also adds e.g. processing time, memory or network bandwidth to the pooled items. All resources are pooled in a way that provides a multi-tenancy environment which enables consumers to assign and reassign resources dynamically on demand. Resource pooling leads to location independence, because the consumer has neither knowledge nor control over where the demanded services are hosted and executed. However, location independence will be restricted to, e.g., only certain countries which can guarantee compliance.

The fourth characteristic is rapid elasticity. All consumed capacities are scaled up and down as fast as possible when required. The scaling process is done manually by the consumer or even automated via key performance indicators.
One of the unsolved questions here is unlimited scalability from the consumer’s point of view. Purchasing of these resources is done in any quantity and at any time.

The fifth characteristic is measured service. All services are monitored, controlled and optimized automatically by defined key performance indicators. The key performance indicators are defined on all abstraction layers of the cloud, including infrastructure, platform and software services. In addition, the monitoring, controlling and reporting of used resources is provided transparently for consumer and provider of the services. Definition of the key performance indicators might be done together and declared in a contract or SLA.

The five characteristics always require the trust, combined efforts and transparency of both consumer and provider of cloud services to succeed in their business.

2.4. Evolution of Cloud Computing

The evolution of cloud computing is tightly bound to the Internet. When the Internet became interesting to individuals and businesses at the beginning of the 90s, Internet Service Providers (ISPs) offered the possibility to access this new medium. However, services were not cheap and were limited to providing dial-up connectivity via telephone services. The range of websites was still small and not focused on consumers, but on scientists and organizations. The more popular the Internet became, the more ISPs started to look for attractive offers for their customers. During this consolidation process, ISPs integrated value-added services like email or access to servers in their data centers. The result was the specialization of hosting services for hardware and required software, in combination with Internet access infrastructure. Colocation centers, a specialized form of data centers [Wik10b], commoditized rather quickly, but are today still used as "classic webhosting".
The main benefit was a multi-tenant environment including network, servers and storage with a minimum of cost and complexity for the customer. Again, a next evolution step added more value to the offered services. This time service providers started the transformation from pure computing infrastructure to application service providers (ASPs). The result was specialized applications consumed by customers, but owned and operated (including the infrastructure) by the ASPs. It is important to differentiate between ASP and Software-as-a-Service, because an ASP provided dedicated software and infrastructure to each tenant individually. SaaS on the other hand provides a shared multi-tenant environment. Following this line of events, cloud computing appeared, yet not completely defined and still in a state of transformation. The various "old" concepts mentioned above and their stages in the evolution of ISPs and service providers became integrated with the support of new technologies like virtualization to react flexibly to market demands. So, cloud computing is not exactly new, but a new architectural concept with a combination of old and new concepts, enabled and supported by newly evolved powerful technologies. Figure 2.2 illustrates the line of events of the different evolution steps which lead to cloud computing.

Figure 2.2.: The historical evolution of cloud computing

2.5. Drivers to Cloud Adoption

The cloud computing hype is laden with numerous baseless, pretended benefits. Some of them are unrealistic, because almost all IT businesses try to get on the bandwagon of cloud computing. More specifically, some drivers offer real potential for businesses to consolidate and reduce IT costs with increased efficiency and flexibility. Table 2.1 describes the difference between traditional IT infrastructure and cloud computing. Looking at table 2.1, identification of several drivers for cloud computing is possible.
The four most promising drivers are small investment and low ongoing costs, economies of scale, open standards and sustainability. These four drivers for adopting a cloud are answers to integrating cloud solutions into existing traditional IT infrastructures. IDC substantiates the named drivers in a survey from the third quarter of 2009. Figure 2.3 shows the relevant question with the corresponding answers.

Table 2.1.: Comparison of the traditional IT infrastructure and cloud computing

Figure 2.3.: Cloud benefits as surveyed by IDC [IDC09]

The following subchapters describe the four mentioned serious drivers with potential to benefit from operating or using a cloud infrastructure.

2.5.1. Small Initial Investment and Low Ongoing Costs

Cloud computing reduces capital expenditures for IT infrastructure. Capital expenditures are only required for accessing and using cloud services, e.g. network and client systems. These small investments lower the entry barriers to adopting cloud services, in contrast to traditional IT where acquisition costs are high. In addition, operation costs are reduced to the actual cloud service usage level or time, because billing is done by pay-per-use models. Custom Service Level Agreements (SLAs) allow individual contracts. Pay-per-use models give customers the flexibility to quickly react to escalating costs of cloud services and, as a final possibility, to terminate contracts as preferred.

2.5.2. Economies of Scale

Acquisition of new IT infrastructure is always based on a project which evaluates in its sizing phase the requirements of the hardware or software to fulfill business needs. This process is complex, and it is difficult to estimate the actual percentage of performance needed. Under- and overestimations are a daily occurrence. However, projects always consume time, sometimes less, usually more, which prolongs the time until operational usage starts.
Cloud computing enables on-demand and accurately allocated computing resources as needed by businesses. The results are shorter evaluation projects and better risk management, because lots of unknown factors are eliminated by default.

2.5.3. Open Standards

The third important driver in establishing cloud computing widely is open standards. Today, customers are bound to their cloud service provider. The clouds of the big players (e.g. Amazon, Google and Microsoft) are all developed and implemented with different technologies. Interconnectivity or interoperability is missing, based on the fact that no standards or interfaces have been published or implemented yet. Unless a critical mass of cloud consumers and the market’s demand for modularity and standardized cloud interfaces is reached, vendor lock-in is a threat to cloud computing. Nevertheless, these standards will come, e.g. VMware, as the biggest virtualization software vendor, announced "Project Redwood" as an interface (available as a plugin for their products) for interoperability between clouds [Sea09].

2.5.4. Sustainability

The fourth driver is an immense advantage for companies. Especially start-ups and Small and Medium Sized Enterprises (SMEs) benefit from cloud infrastructures. The reason is economies of scale, which provide cloud service providers with better and complete security, risk and disaster measures. In addition, cloud service providers eliminate technological bottlenecks. Consumers of cloud services are able to concentrate on their core business and change it faster according to market demands. On the other hand, the cloud service provider is specialized in cloud service delivery. Sustainability is achieved because both parties focus on their core business and do not have to worry about tasks outside it.

2.6. Service Delivery Models

Everything-as-a-Service (EaaS / XaaS) is a concept of offering IT services on different layers of the IT stack.
The aim is the on-demand delivery of fine grained, scalable, location-independent and pay-per-use services. The resources of these services are virtualized, multi-tenant and available on-demand with pay-per-use models. The results are self-provisioned and elastic usage of cloud services. It is one viewpoint on the practical application of cloud computing. Jonathan Yarmis, vice president of ARM Research (www.armresearch.com), stated in 2008 that "Cloud Computing is not just for software as a service, but EaaS Everything as a Service. Many things as discrete products become cloud-based offerings. It offers us an independence of device and location that is profoundly important [CNE08]." This quotation of Jonathan Yarmis shows the importance of EaaS as a part of cloud computing and the need to describe it in detail.

Figure 2.4.: The cloud service delivery models at a glance [Clo09]

Figure 2.4 shows the EaaS stack with the three accepted layers. The layers with the biggest influence on cloud computing, from bottom to top, are Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). These layers build the main service levels with relevance to cloud service providers. It is not unlikely that in the future more service layers are added to the three accepted ones. Especially industry or security services might be added as demand grows. An important fact for cloud computing and its service delivery models is the drastic change of business models. Not selling "only" a product and licenses, but the ongoing service delivery and customer satisfaction will change the relationship between customers and cloud service providers. Strong customer loyalty enabled through trust is necessary for cloud service providers to stay in the market. IaaS, PaaS and SaaS are described in detail in the next subchapters.

2.6.1. Infrastructure-as-a-Service

The concept started under the term Hardware-as-a-Service (HaaS) and was later transformed to Infrastructure-as-a-Service (IaaS) to show the holistic approach of running all hardware of an IT infrastructure as a service. It was first described in March 2006 by Nicholas Carr as a concept of renting "IT hardware - or even an entire data center - as a pay-as-you-go subscription service that scales up or down to meet your needs [Blo06]." and is used by "Organizations with highly variable computing demands ..., but given the extremely low levels of capacity utilization in most corporate data centers, it may become an attractive option for a lot of mainstream organizations as well [Blo06]". IaaS enables consumers to have more control over the IT infrastructure. In addition, customers can work flexibly, because they can customize and administer the virtualized IT infrastructure (servers, storage and network) to their needs and depending on their platforms and applications. The opportunity of new business models, where infrastructure is just rented and not purchased and implemented in expensive and time consuming projects, especially helps start-ups and SMEs. Each customer has his self-provisioned and elastic virtualized IT infrastructure without considering the actual underlying physical IT infrastructure. Standardization of IT infrastructure allows the differentiation of storage and computing services; actually, computing services follow storage services. The basis of billing for storage is usually the data volume used per time and the transferred data volume. Looking at the billing of computing power, CPU and memory usage plus external data volume transfer are the standard indicators.

Popular IaaS vendors and products are:

1. Amazon (www.amazon.com)
   • Elastic Computing Cloud (EC2)
   • Simple Storage Service (S3)
2. GoGrid (www.gogrid.com)
3. Rackspace (www.rackspace.com)

2.6.2. Platform-as-a-Service

Platform-as-a-Service (PaaS) is the provision of application or technical framework platforms without spending time on thinking and working on the underlying necessary hardware, operating system and task specific tools. At the moment, the focus of companies using PaaS is on developing and running (web) applications for the cloud. Therefore the whole life cycle of the development of a web application and the appropriate workflow is supported and represented in PaaS offers. Forrester (www.forrester.com) thinks of PaaS in times of the financial and economic crises / recession as a way out for companies when "Either unable to keep up with their demand for new applications or were under pressure to cut IT costs - or both [For09]." Especially software developers profit from PaaS and its advantages with faster time-to-market cycles during product development. It is not necessary to deal with operating system or similar application issues, because PaaS services already provide frameworks to develop in. Examples of frameworks are Java, Ruby or .NET. The SOA paradigm of loose coupling plays an important role, as today’s business processes are often a combination of several modularized services which provide a certain value. Services of PaaS are integration, access control, synchronization and data management, which are implemented via an Internet Service Bus (ISB). Michael Iovino, CIO at Author Solutions (www.authorsolutions.com), stated that "Eight of his programmers built the company’s iUniverse authoring application with Salesforce.com’s Force.com PaaS development environment.
In only three months, the team delivered a full-fledged program with a complete set of business logic and multifaceted options that assist book authors with everything from text layout to marketing and distribution [Inf09b]." This quote shows the potential of PaaS for developers of established companies or even young start-ups when using PaaS as an integrated development solution for generating business applications as services when costs must stay low and time is limited.

Popular PaaS vendors are:

1. Google (www.google.com)
   • Google App Engine
2. Salesforce (www.salesforce.com)
   • Force.com
3. Microsoft (www.microsoft.com)
   • Azure

2.6.3. Software-as-a-Service

Software-as-a-Service (SaaS) is the highest layer of the EaaS stack. It is defined as the on-demand usage of net-native software which is made available via a network (e.g. the Internet) by cloud service providers. Payment is done on a pay-per-use model instead of buying licenses. The provider of the service infrastructure bears the costs for hosting, management and updates. The customer pays only for the operation of the service. Again, like the other layers of EaaS, the aim is to reduce costs for IT infrastructure with the benefit of getting a more flexible, scalable and efficient workflow. All tasks of data center operation for these services are the cloud service provider’s responsibility. The customer cuts his total expenditures by eliminating capital outlays and only having to deal with the operational expenses. Software vendors profit from controlling and limiting use. The result is the prevention of copying and distribution by unauthorized users. A disadvantage of SaaS is the limited ability to customize the applications being used. SaaS shows similarities to Application Service Providers (ASP), but is not the same. ASP is a single-tenant implementation with dedicated hardware and software for one customer.
The provided software is usually not net-native and therefore tends to have poor performance. SaaS on the other hand, features multi-tenancy and net-native implementation. SaaS has the biggest range of applications for companies in the sector of Customer Relationship Management (CRM) and Enterprise Resource Planning (ERP). Here, Salesforce.com is a big player in providing SaaS CRM solutions and was added to the quadrant of visionaries [Gar07]. This displays the relevance of the SaaS topic for modern business, because it is seen as a major step towards competitive usage of applications in the future. Popular vendors of (partly free of charge) SaaS are: 1. Google • Google Docs • Google Mail 2. Apple (www.apple.com) • iWork.com 3. Microsoft • MS Online Services 2.7. Deployment Models Cloud computing, especially the term cloud, is a metaphor for the Internet or comparable huge networks where it is intended to hide complexity. The end user just sees his client device and its connection to the cloud which provides all necessary systems, services and data. All cloud deployment models are subsets of the Internet as it is the global network. Whether you call these deployment models external / internal or public / private, both representations mean the relationship of the cloud to a company. It is important to understand that the differentiation is always based on the relationship to a company as it is the point of contract and the entry to the Internet. 44 2. State of the IT Public and private cloud concepts have the same characteristics like dynamic provisioning, scalable resources, virtualized IT infrastructure and pay-per-use. The difference is the operator and the authorized users of a cloud deployment model. Public clouds are available for everybody with access to a network connected to the Internet, while private clouds are only accessible for registered users, e.g. users of a company. 
This does not matter to the end user, whose view of the cloud is a single point of contact for using the available services without knowledge of the complex IT infrastructure behind it. Cloud computing infrastructures usually provide a set of services which is hosted in data centers on servers with virtualization technology and connected via network to the Internet. In general, high-quality offers in the commercial sector are based on service level agreements (SLAs) suited to the customer's requirements. In addition, open standards enable the implementation of cloud deployment models based on open source software (e.g. Xen, see http://www.xen.org) and push the growth of cloud computing.

Figure 2.5.: The three cloud computing deployment models

Figure 2.5 illustrates the three different cloud deployment models. On top is the big cloud which is home to all available public clouds. These are called off-premises, third-party or external clouds. Below is a private cloud, representing a company's private cloud IT infrastructure. It is called on-premises or internal. The third deployment model is a combination of private and public cloud and is called hybrid cloud. It offers services via on-premises / internal and off-premises / external clouds. The three different cloud deployment models are described in detail in the following subchapters.

2.7.1. Public Cloud

The public cloud deployment model is the mainstream model with the widest distribution and publicity. IT infrastructure is hosted, operated and managed in one or more data centers by a third-party vendor. Numerous customers (so-called tenants) share the common IT infrastructure and services. The vendor is responsible for security management and daily operations. This leaves the customer with little or usually no control, and almost no overview of the physical or logical security and compliance aspects of the IT infrastructure [BIT09, 30]. Public clouds offer their resources to customers on a dynamic, fine-grained, self-provisioned basis via the Internet, through web applications and web services. The offered services are usually highly standardized parts of business processes. Individualization of these services is not possible. Billing of provided resources is conducted on a fine-grained, utility-computing basis. In general, the customer has no direct contact (e.g. phone or email) with the customer service, because all processes are automated [BIT09, 30].

Public clouds are interesting for start-ups and SMEs because of the lower capital expenditures in using required services instead of building up and maintaining their own IT infrastructure. As mentioned above, the limitation is the lack of individualization to their own needs.

The National Institute of Standards and Technology's (NIST) division for computer security, the Computer Security Resource Center (CSRC), defines public cloud as follows:

"Public cloud - The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services [NIS09, 2]."

2.7.2. Private Cloud

The private cloud deployment model is mainly intended for large enterprises with an existing IT infrastructure, because the capital expenditures required for migrating to and operating a cloud IT infrastructure are clear. Building up a new private cloud results in high capital expenditures. The operation of the private cloud is handled by the company's IT department or outsourced to a third-party vendor [BIT09, 30]. A private cloud forms a sealed-off IT infrastructure which is accessible only to the company and its users, via the local network or via virtual private network connections from outside. Possible benefits concern data security, corporate governance, reliability, established policies and regulatory compliance. In addition, control of the IT infrastructure remains within the company. Large companies might favor private clouds because of physical and logical control aspects. Owning the private cloud IT infrastructure allows custom configuration and implementation according to business processes [BIT09, 30]. Individualization enables the company to deal more flexibly with business process changes or other specific requirements.

Network, storage and computing in a private cloud are used only by the owning company itself. Different departments, as tenants of the services and IT infrastructure, might make different use of them. Therefore, several different sourcing patterns emerge within the private cloud deployment model:

• Dedicated - The private cloud is hosted, operated and managed in the company's data center(s) by the IT department.
• Community - The private cloud IT infrastructure is off-premise with a third-party vendor. The third-party vendor is contracted by SLAs with clauses for security and compliance. Contracts are customized to fit the requirements (e.g. security and compliance) of the company.
• Managed - The private cloud IT infrastructure is owned by the company and managed by a third-party vendor.

The CSRC of NIST defines private cloud as follows:

"Private cloud - The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise [NIS09, 2]."

2.7.3. Hybrid Cloud

The hybrid cloud deployment model is a combination of public and/or private clouds. Presumably, hybrid cloud environments will become the industry standard. Companies gain the freedom to operate critical business processes and sensitive data within the company's private cloud, and to place non-critical business processes and non-sensitive data with third-party vendors and their public clouds. There are three characteristics necessary to enable the hybrid cloud deployment model. First, the barriers between diverse clouds must be overcome with interfaces, middleware and standards. Second, the heterogeneous cloud environments of different companies and third-party vendors must be integrated into a homogeneous interface for the end user [BIT09, 30]. Third, trust must be established between customers (companies) and vendors regarding data security and compliance. These three characteristics build the foundation for hybrid clouds.

The CSRC of NIST defines hybrid cloud as follows:

"Hybrid cloud - The cloud infrastructure is a composition of two or more clouds (private or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds) [NIS09, 2]."

2.8. Impact of Cloud Computing for Users and Companies

Cloud computing has an inevitable impact on users and companies. Both will rely on cloud-offered services in the future. Users in terms of individuals or consumers are already operating in the cloud with free services, e.g. mail accounts of Google or picture services like Photobucket (www.photobucket.com). On the other hand, companies are still cautious about the cloud, but observe it closely and evaluate it on demand. They start to analyze the potential in small projects with low budgets or even outsource an unimportant or non-critical process. Common to individuals and companies is the advancing evolution of IT, coupled with the revolution of business through cloud computing.

IDC surveyed 202 companies (SMEs and enterprise businesses) in May 2009, inquiring about the usage of cloud computing. Figure 2.6 illustrates that operation of cloud services has already been implemented in 29 % of surveyed companies.

Figure 2.6.: Usage of cloud computing according to IDC [ZDN10]
Another 29 % will implement cloud services within 12 to 24 months, followed by 27 % which are still in the evaluation process without a result. On the other hand, 15 % have decided not to use cloud services. One noticeable result of this survey is the difference in usage between SMEs, which do not want to use cloud computing, and large enterprises, which are already using it. The reason is unclear, although it appears that large enterprises are more willing to adapt to new factors in order to open up markets. Generally speaking, companies that are already using cloud computing have analyzed its impact and seen its benefits. The following subchapters describe the impact of cloud computing separately for start-ups, SMEs and large enterprises.

2.8.1. Start-Ups

Starting a new company is always connected to a high risk of failure. The most critical point is funding and the scaling of capital expenditures in required equipment. In the past, a good IT infrastructure was seen as an indicator for an initial public offering (IPO). The costs of the relevant IT consumed a large share of the available capital. Cloud computing enables start-ups to concentrate on their core business and to have larger amounts of capital available to support such activities. They are able to scale the IT infrastructure off premise in relation to the growth of the business. They do not need to care about management and updating of the IT infrastructure, because this is the cloud service providers' task. A big advantage for start-ups is the absence of legacy infrastructure. Furthermore, cloud computing helps start-ups to adapt their business ideas rapidly to new markets, channels, business models and product lines. On the other hand, using cloud services might increase dependencies and vendor lock-in. Therefore, cloud computing might act as an accelerator for starting up a new company with modest financial commitment for IT infrastructure. In conclusion, start-ups are pioneers in seizing the opportunity of cloud services and integrating them into their business.

2.8.2. Small and Medium Enterprises

SMEs are not clearly defined, e.g. by number of employees, age or business complexity. Nevertheless, SMEs form the connection between start-ups and large enterprises, where every decision is critical for future success. IT departments are usually small and it is difficult to push new IT projects, because they are hard to justify. It is even possible that the IT budget is declining, as the saying "never touch a running system" influences SME decisions negatively. Here, cloud computing opens new perspectives for the IT staff, as very little investment is required to support new products, channels or countries of operation with cloud services. In addition, cloud computing enables old IT infrastructure, e.g. dating back to start-up times, to be replaced with state-of-the-art processes and even reduces the associated costs. SMEs can profit and push their growth, because they lower the risk of investment in new IT infrastructure. Instead they might open up new markets. Looking back at figure 2.6, the high rejection rate of SMEs for usage of cloud computing must be seen in the context of the economic crisis, where companies try to conserve at least the status quo. The benefits of cloud computing outweigh these concerns and will find their way into SMEs when economies start to grow again. In summary, cloud computing gives SMEs the chance to grow their business into a large enterprise. On the other hand, obsolete components of existing IT systems can be eliminated and replaced by cloud services, providing flexibility and scalability for future projects.

2.8.3. Large Enterprises

Large enterprises have the best starting position. They have their own data centers, and most of them started server consolidation through virtualization a few years ago. Therefore, cloud computing can be implemented via the private cloud deployment model. Large enterprises prefer this method, because control and data storage stay on premise. Services of external cloud providers will be adopted only once significant cost savings are realizable, but it is only a matter of time until the cost comparison favors cloud service providers over the internal IT department. During the migration process towards cloud computing, large enterprises might use external cloud services as backup or when peak workloads occur. On the other hand, large enterprises are wary of vendor lock-in or proprietary architectures or solutions which endanger cost savings, flexibility and extensibility on the way to cloud computing. In addition, large enterprises are subject to regulatory compliance, especially in the stock market, financial or health sectors. They need the guarantee that the cloud services they use comply with the relevant regulatory framework. In general, large enterprises are willing to discuss cloud computing and its implementation. Looking at the IT market, big players either already have running projects or are implementing the first phase of a cloud computing architecture in their business (see figure 2.6). Overall, the impact of cloud computing will change the way enterprises do business and their approach to IT.

2.9. Cloud Computing as Outsourcing Model

The globalization of business structures during the last ten years has been shaped in part by outsourcing. Outsourcing is the transfer of internal departments and tasks to third-party vendors which are usually specialized in certain businesses. Contracts regulate the goods and services and even the period of validity between the outsourcing company and the third-party vendor. Outsourcing is still seen as a quick way to reduce costs by leveraging differences in global salary levels or standards (see outsourcing to 2nd and 3rd world countries with low wages [Akt07, 1]).

Looking now at IT outsourcing, cloud computing is a sophisticated stage of IT outsourcing. The reason is the elimination of internal IT departments, including data centers and complex application landscapes. Companies of the future require only devices connected to the Internet via broadband network access. All other required services, e.g. infrastructure, platforms and applications, are located off premise with cloud service providers and used on demand. Consumers of these cloud services have no control over or influence on the cloud service providers' IT infrastructure, because they just use the offered service as agreed in SLAs. Furthermore, cloud services are not dedicated but shared between all consumers, as the cloud is multi-tenant. A popular comparison to describe outsourced IT services in the cloud is "electricity comes out of socket-outlets". The consumer does not know where and how the electricity is produced; it just works, and that is all that matters to the consumer. German BITKOM (www.bitkom.de) regards cloud computing at least as a special form of outsourcing, if not the final stage of IT outsourcing. Virtualized, standardized and on demand, without asset and employee considerations, cloud computing leads to the "industrialization" of IT [BIT09, 32].

2.10. Adoption Barriers to Cloud Computing

With all new technologies and concepts, corresponding concerns or barriers arise in terms of their implementation. Cloud computing, as a concept and architecture which incorporates different technologies, service models and deployment models, faces several barriers despite its benefits. This is a result of its complexity. The following subchapters give a quick overview of barriers to the adoption of cloud computing and their relevance to data security. Some technological barriers of a more general nature, which concern potential and existing customers of cloud services, are mentioned too.

2.10.1. Security

As a rule, concepts and technologies over which one lacks control are considered insecure. With cloud computing, control over storage, networks, computing resources and applications is given up step by step. Customers have to rely on cloud service providers implementing appropriate security mechanisms and features. This relationship of trust makes security the number one concern for responsible executives when discussing cloud opportunities. A counterargument used to convince interested parties of cloud security is that a cloud service provider can maintain security much better because of its size and its specialization in cloud computing.

2.10.2. Privacy

The European Union, and especially Germany, has strict regulations on data privacy, its access, handling and transmission. Some industry sectors face even more regulations to comply with. Therefore, compliance with the complex regulations applying to cloud computing is a fundamental criterion when distributing IT infrastructure and processes into the cloud. At the time of writing this master's thesis, it is not clear if cloud computing can provide adequate protection to guarantee compliance. But with the industry's growing demand for privacy models and compliance, these will probably emerge.

2.10.3. Political Issues Due to Global Boundaries

With cloud computing, data is independent of its physical location, because the data centers of cloud service providers are located around the globe. Additionally, cloud service providers can use third parties, which work in the cloud too and have links around the globe. The main problem now is that private data may not leave certain defined national or regional boundaries. Compliance and legislation add complexity to the topic of independence of physical location, because national law is mandatory. Companies afraid of economic espionage might not want their data in certain countries.
It is the cloud service provider's duty to clear doubts about the physical location of customers' data. In addition, politics can hinder cloud computing, because differences in national laws might forbid certain aspects of cloud computing, e.g. net neutrality in the EU [Onl09].

2.10.4. Further Barriers

Besides security and privacy concerns, cloud computing faces a variety of technological barriers. This chapter highlights the more important ones.

2.10.4.1. Connectivity and Open Access

Cloud computing depends on broadband connectivity to the Internet. Open access for companies and consumers allows new possibilities, products and distribution channels. These will lead to a more sophisticated level of all three. Thus, connectivity and open access accompany the industrialization of IT, because access to computing power and information is ensured. Without connectivity or open access, some geographical regions are deprived of cloud services and are lost as consumers, too.

2.10.4.2. Reliability

Using cloud services requires reliability, because most applications must be available round the clock. Failures and disastrous events need fallback mechanisms which are online immediately. Companies relying on cloud services must discuss and agree reliability features with cloud service providers in SLAs. Furthermore, cloud service providers should address such questions and their solutions publicly to build trust. These reliability measures will cause additional costs and might therefore make cloud computing more expensive. A detailed analysis of the specific situation is always required.

2.10.4.3. Interoperability

Interoperability is a key enabler of, or barrier to, cloud computing, because today's companies have invested great effort in standardizing processes, e.g. in Enterprise Resource Planning (ERP) systems. These efforts are always based on the integration of IT infrastructure or application landscapes, which require scalable infrastructures to adapt to unforeseen situations. As cloud computing offers different cloud deployment models, public and private to name both extremes, interoperability is mandatory to integrate all cloud models. Interoperability is the fundamental basis for building a company's personalized IT with cloud services and for guaranteeing the flexibility to choose cloud service providers.

2.10.4.4. Cloud Service Provider Independence

Cloud computing is marketed with self-provisioning and the ease of relocating services to different cloud service providers. At the moment, this promise is no more than a wish, or a part of the cloud computing concept which has not yet been realized. The probability of vendor and service lock-in is high, and lock-in is even in the cloud service provider's interest. Companies with an interest in flexible and scalable provisioning will have problems when a migration to another cloud service provider is necessary. A possible solution is, for example, the division of cloud services into storage and process services placed with different cloud service providers. This creates flexibility, but is connected with the risk of becoming the integrator of these different cloud services. Finally, as food for thought, acting as integrator of cloud services might be the main source of future employment for internal IT in enterprises.

2.10.4.5. Economic Value

Cloud computing promises the reduction of costs through flexibility, scalability and pay-per-use models. Mainly the capital expenditures for project work, development and integration will shrink. However, companies must invest in knowledge to master the new tasks. This means IT personnel needs training to understand the new concept of cloud computing and to be able to transform the existing IT infrastructure towards cloud services. In addition, hidden costs might exist, because cloud service providers can ask for extra fees for support, disaster recovery, data loss insurance and application customization. On the other hand, accounting departments might put pressure on IT, because cloud computing makes the future costs of the IT infrastructure difficult to predict. Companies with an interest in cloud computing must discuss these challenges internally and externally to avoid the high costs of bad planning.

2.11. Service Level Agreements

The increasing number of IT services offered demands controlling and transparency measures for service providers and customers. Service level agreements (SLAs) form the basis for these measures, because they document all specifications of a service in detail at the interface between service provider and customer. Of particular interest for SLAs are the scope of services, reaction times and performance of transactions. Service providers usually offer their services with multiple service levels. The customer selects the required service and service level depending on its economic and financial interests. SLAs open up the critical discussion between service provider and customer to clarify relevant questions about the quality of service. Additionally, they help to reduce legal actions when problems arise, because the service and its output are defined in detail. SLAs have become popular due to the introduction of the IT Infrastructure Library (ITIL) (www.itil.org) and form an integral part of service-level management. SLAs are defined as follows:

"A contract between the provider and the user that specifies the level of service expected during its term. SLAs are used by vendors and customers as well as internally by IT shops and their end users. They can specify bandwidth availability, response times for routine and ad hoc queries, response time for problem resolution (network down, machine failure, etc.) as well as attitudes and consideration of the technical staff. SLAs can be very general or extremely detailed, including the steps taken in the event of a failure [PCM10]."

3. IT-Compliance

"For small businesses, regulatory burdens can be overwhelming."
Michael K. Simpson (US American politician)

This chapter provides an introduction to IT-compliance, identifies IT-compliance criteria for data security, enumerates regulatory requirements on IT-compliance and describes current cloud computing IT-compliance audit standards in Germany. The extensiveness of compliance in general, as well as that of IT-compliance, constrains the focus of this chapter to data security, which itself represents a fraction of the overall field of IT-compliance.

3.1. Introduction to IT-Compliance

The term compliance means adherence to all legal duties, regulations and guidelines relevant to a company. It covers all strategic measures for lawfully and consistently meeting corporate governance regulations. Companies usually must fulfill a certain minimum level consisting of mandatory national regulations. In addition to these legal aspects, industry- and sector-specific standards and rules extend the field of compliance. Above these standards are voluntary social and moral concepts (Code of Conduct, Corporate Social Responsibility) as well as the integration of economic interests. The introduction of compliance in a company leads to a commitment to defined business processes, the establishment of transparency and effective organizational structures. An accurate definition of compliance from Techtarget (www.techtarget.com) is as follows:

"Compliance is either a state of being in accordance with established guidelines, specifications, or legislation or the process of becoming so [Tec04]."

IT, as today's main support and business driver, must comply with the above-mentioned aspects, too. Therefore IT-compliance is increasingly becoming the fundamental part on which a company builds its compliance, because all business transactions and processes are supported (manually or automatically) by IT infrastructure. The implementation of compliance is required for limited liability companies and corporations, and it is the executive management's task to enforce it. Violation of or non-compliance with national regulations results in penalties under civil and criminal law for the executives who are liable. For example, the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) demands a prison term of two years or an appropriate fine when infringement occurs.

Figure 3.1.: Interaction of governance, risk management and compliance

Figure 3.1 provides an abstract overview of GRC. Companies use compliance in addition to risk management and governance. All three together form a cycle. Governance states strategies, goals, tactics and procedures for the success of the company. Risk management identifies, analyzes, profiles, monitors and creates countermeasures to risks which run counter to the chosen governance strategy. And compliance aligns processes, management and activities with the related legislation. All three, governance, risk management and compliance (GRC), interact and are essential to the overall vision of a company.

3.1.1. The IT-Compliance Gap

Besides the growing complexity of legal requirements, underestimating the IT-compliance gap between the executive management and the responsible IT department jeopardizes business continuity. Executive management frequently thinks of compliance as an IT topic, and vice versa. In reality the difference between both positions is the abstraction level (see figure 3.2). It is the executive management's task, with the support of the legal department, to develop a complete approach for the IT-compliance requirements of the company. The results are written down in a functional requirements document.
This functional requirements document is the work assignment for the IT department, which is now responsible for the development of a requirements specification and its successive implementation (see 3.3). Continuous improvement is necessary to stay up to date.

Figure 3.2.: The compliance gap between executive management and IT department [Hae08, 5]

Figure 3.3.: The solution for the compliance gap between executive management and IT department [Hae08, 42]

The result of this process is compliance and, far more important, the constant commitment of all responsible employees or individuals. This precaution ensures that security does not come into conflict with legislation. It is the intention of this master's thesis to create awareness of the gap between the IT department and executive management.

A quick overview of compliance and its importance to modern business reveals a complex and yet insufficiently managed domain in today's business world. In addition, compliance is not limited to certain aspects of business, but influences business as a whole. It is necessary to limit and focus the compliance topic in this paper to remain within reasonable and researchable boundaries. Therefore, this master's thesis will research only IT-compliance pertaining to cloud computing.

3.1.2. Overview of Acts and Regulations with Influence on Cloud Computing and Compliance

Cloud computing requires compliance with a broad spectrum of national and international acts. This chapter provides an overview of all compliance topics pertaining to cloud computing. The object is to sensitize the reader to the complexity of IT-compliance.

1. All legal entities with private rights in Germany, corporations (AG) and limited liability corporations (GmbH), must deal with the following requirements:
• External control (tax authorities and accounting systems)
– German Commercial Code (Handelsgesetzbuch - HGB)
– Tax Code (Abgabenordnung - AO)
– International Financial Reporting Standards (IFRS), Accounting Law Reform Act (Bilanzrechtsmodernisierungsgesetz - BilMoG)
– Generally Accepted Accounting Principles (Grundsätze ordnungsmäßiger Buchführung - GoB) and Principles of Proper EDP-supported Accounting Systems (Grundsätze ordnungsmäßiger DV-Buchführungssysteme - GoBS)
– Newsletters and standards of the German Institute of Auditors (IDW), e.g. IDW FAIT I, II and III
– Principles of Data Access and Auditability of Digital Documents (Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen - GDPdU)
• Internal control
– Internal Control over Financial Reporting (Internes Kontrollsystem - IKS, introduced via KonTraG in the year 1998)
– Limited Liability Company Act (GmbH-Gesetz - GmbHG)
– German Stock Corporations Act (Aktiengesetz - AktG)
• Concerning data privacy
– Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG)
– All Regional Data Protection Acts (Landesdatenschutzgesetz - LDSG)
• In accordance with the Value Added Tax Act (Umsatzsteuergesetz - UStG)
• Follow-up of copyright and patent laws (Urheberrechtsgesetz - UrhG)
• For trust in commercial laws
– German Signature Act (Gesetz über Rahmenbedingungen für elektronische Signaturen - SigG)
– Digital Register for Trade and Cooperative Societies (Elektronisches Handels- und Genossenschaftsregister - EHUG)
2. Regulations within industry sectors supplement the above-mentioned norms:
• Banks and investment companies
– German Banking Act (Kreditwesengesetz - KWG), Collective Investment Schemes Act (Kapitalanlagegesetz - KAG) and Securities Trading Act (Wertpapierhandelsgesetz - WpHG)
– Basel II: implemented since the year 2007 in the KWG and the Solvency Regulation (Solvabilitätsverordnung - SolVO)
• Insurance companies
– Solvency II (risk management)
• Pharmaceutical and food production industry
– FDA rules (good practices) like GMP, GLP and GCP
– EU regulations
3. Supplementary country-specific regulations, e.g. for companies under SEC supervision (listed on the US stock market):
• Sarbanes-Oxley Act (SOX)
4. Public administration has special regulations:
• Information and telecommunication minimum requirements (audit courts)
• BSI-Grundschutz Catalogues

Figure 3.4.: Laws with influence on corporate governance including IT-compliance and IT-governance [SMG10, 6]

3.1.3. Scoping of IT-Compliance

IT-compliance is a part of business with growing complexity. Looking at chapter 3.1.2, IT-compliance just for cloud computing covers all aspects of business. It regulates minimum standards for interaction and transactions in the way of doing business, and it consists of acts, laws, principles and industry standards. It is impossible to cover all the above-mentioned laws with regard to cloud computing, and as a result it is necessary to further narrow the scope of this master's thesis.

The main focus in terms of content of this master's thesis lies within IT-compliant data security and its adaptation to cloud computing. The formal level of the master's thesis is a more abstract approach to provide persons in charge with valuable information. It shall not hinder any solutions on the technical side. In addition, specific cases require a detailed analysis of the situation and the associated laws on the subject. That is a jurist's job.
The laws quoted are used with cloud computing and data security in mind, but make no claim to be complete. The last and maybe most important point is that all laws apply on a purely national basis. This master's thesis is written for Germany and its laws. Some comparisons to other countries are used for clarity.

3.2. IT-Compliance Criteria for Data Security

IT-compliance is the verification of data security measures. Therefore, IT-compliance is based on the data security characteristics and, in addition, verifiability. Data security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (44 U.S.C §3542 (b)(1)) [Sch10]. It consists of the characteristics availability, integrity and confidentiality. Verifiability is the characteristic of being able to check the data security characteristics for compliance. The mentioned characteristics build the foundation for more detailed compliance criteria. Definitions of the criteria often vary from case to case. Therefore, this chapter defines all criteria for clarity. Figure 3.5 illustrates the bigger picture, including the mentioned principles and their IT-compliance criteria in hierarchical order.

Figure 3.5.: All identified and sorted IT-compliance criteria with influence on this master's thesis

3.2.1. Availability

Availability is the main characteristic which deals with data protection based on infrastructural measures. It is one of the three supporting pillars of IT security. The main goal is the permanent availability of all data required for the business. A definition of availability is as follows: "availability, which means ensuring timely and reliable access to and use of information (44 U.S.C §3542 (b)(1)(C)) [Sch10]." So, availability is the percentage of time when a system is operational and/or all data is present and ready for processing.
Speaking in terms of IT-compliance, the permanent availability of all data, whether for processing, audits or financial control, is demanded by law. In terms of IT, higher availability is desirable, and the effort required to reduce downtime to only minutes or even seconds per year is tremendous. In addition, business continuity demands availability, too. All approaches lead to the same conclusion and the same goal: access to required data independent of location, age, and access time. The following sub-chapters describe important criteria for availability, which are system configuration, physical access control, availability control, indexing and retrieval, data-backup and restart processes, and dependence on physical location.

3.2.1.1. System Configuration

The reduction of malware risks is achieved with appropriate configuration of the IT infrastructure according to officially acknowledged security guidelines and mechanisms. Continuous updating of operating systems and applications is included, because it is a fundamental aspect of keeping IT infrastructure safe. Based on the above description, system configuration is defined as: "System configuration is protecting IT infrastructure against malware based on acknowledged security guidelines and mechanisms." Common aspects of system configuration are, for example, configuration of the operating system and applications, regular updates, firewalls and anti-virus or anti-malware software.

3.2.1.2. Physical Access Control

Unauthorized access to the IT infrastructure has to be denied. The term access is used here in a territorial context. Technical and organizational measures are required for physical access control. IT infrastructure is usually housed in data centers or separate rooms. The entrance is guarded with systems checking legitimation, or even by security guards verifying a person's identity.
A definition for physical access control is: "Physical access control is checking legitimation to certain territorial facilities." Security guards and identification systems based on badges for all users are common examples.

3.2.1.3. Availability Control

Guaranteeing the permanent availability of all data requires protection against random destruction or loss. Availability control must combine physical and logical measures for protection. Physical measures include the selection of appropriate facilities, e.g. cooling and fire protection in data centers. The logical measures include activity and data monitoring, backup and restore systems, and disaster recovery. Availability control is a permanent process which needs continuous improvement. The definition of availability control is: "Availability control is checking the availability of all stored data on a regular basis with implemented and continuously improved physical and logical protection measures." Common examples of availability control are monitoring applications.

3.2.1.4. Indexing and Retrieval

Availability is based on searching and finding data as fast as possible. The implementation of sorting criteria for indexing and retrieval is required to enable direct access. The risk of corrupt indexes, and as a result non-traceable data, must be minimized. The retrieval mechanisms must present archived or stored data correctly, in good quality and on time. The definition for indexing and retrieval is: "Indexing and retrieval means applying sorting criteria to index all data with the aim to guarantee timely and correct access for processing." A good example for indexing and retrieval is indexing content data with unique identifiers in databases.

3.2.1.5. Data-backup and Restart Processes

Indexing and retrieval is only as good as the implemented data-backup and restart processes. They form an important part not only of archiving, but especially of disaster recovery.
Data-backup processes must include all substantial data. On the other hand, implemented restart processes must restore all data in a catastrophic event and in a timely manner to enable business continuity. The definition for data-backup and restart processes is: "Data-backup and restart processes store/archive all substantial data and enable correct, complete and timely restoration." Common examples for data-backup and restart processes are data-backup systems, an overall data-backup strategy and, in connection with this, disaster recovery plans.

3.2.1.6. Dependence on Physical Location

The dependence on physical location is important for constraining data flow and its duration. It is in the company's interest (based on strategic decisions and regulatory requirements) to have knowledge about the location of the data. A complete security strategy requires this to be implemented successfully. The definition for dependence on physical location is: "Dependence on physical location is constraining data to defined and approved geographic locations and knowing permanently about its whereabouts." An example is to prohibit data flow to certain IP subnets which are known to be located outside Germany or the EU.

3.2.2. Integrity

The second fundamental characteristic of information security is integrity. Integrity deals with transparency when using and editing data. It has two main goals, which are protection against data loss and against forgery. Integrity is the prohibition of manipulation from the inside. A definition of integrity is as follows: "integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity (44 U.S.C §3542 (b)(1)(A)) [Sch10];" Integrity is completeness and consistency of data, where real objects comply with their digital representation. Again, integrity has slightly different meanings in different domains.
Speaking in terms of IT-compliance, integrity demands transparency for data, which means documentation without any gap in the data lifecycle. On the other hand, speaking in terms of IT, integrity is correct and consistent data. Both points of view come to the same conclusion. The following sub-chapters describe the important criteria for integrity, which are input control and immutability of documents.

3.2.2.1. Input Control

Measures are required to control all input according to the "who-when-what" principle. Input control has to be implemented across the entire IT infrastructure to protect data access. The collected input data stores user, date, and the action, e.g. new, edited or deleted data. The definition for input control is: "Input control enables traceability and later inspection of users, times and executed actions on data." Examples for input control are version-control applications.

3.2.2.2. Immutability of Documents

The regulatory requirements define immutability for storing and archiving of data. Besides the above-mentioned input control measures, all changes to archived data must result in keeping a copy of the original source. The result is transparency throughout the data lifecycle without a gap. Immutability of documents is defined as: "Immutability of documents is protecting stored and archived data against untraceable changes." Examples for the immutability of documents are document management systems on the application side and storage systems with restricted data manipulation features for the IT infrastructure.

3.2.3. Confidentiality

Completing data security, confidentiality is the third main characteristic. Confidentiality is the security of information such that only validated entities, employees or data processing systems have access to it.
A definition of confidentiality is as follows: "confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information (44 U.S.C §3542 (b)(1)(B)) [Sch10];" Confidentiality is ensuring that data is accessible only to those with permission. In terms of IT-compliance, confidentiality is a fundamental criterion which must be fulfilled in all economic sectors. With reference to IT, confidentiality is the management of users and their rights to provide access to IT infrastructure and the stored data. Both points of view come to the same conclusion regarding the security of data. The following sub-chapters describe the important criteria for confidentiality, which are logical access control, permission access control, transmission control and isolation control.

3.2.3.1. Logical Access Control

Logical access control is the prohibition of unauthorized persons from entering IT systems. The difference between physical and logical access control is important. Physical means real persons trying to get access to the physical IT infrastructure. Logical means getting access to operating systems or running applications by logging into IT systems with stolen identity information or through bugs in the software. A good definition for logical access control is: "Logical access control is using technical and organizational measures to check identity and authenticity of users." The combination of username and password for identification and authentication of users is the most common method in IT. Other examples are PIN codes for bank accounts or mobile phones.

3.2.3.2. Permission Access Control

Unauthorized actions in operating systems and applications have to be blocked. Permission access control manages permission concepts, access rights and their corresponding logging and observation. A detailed concept for security within authorized limits is mandatory.
The definition for permission access control is: "Permission access control is checking user access and actions on data according to the granted permission rights." Examples of permission access control are user management systems.

3.2.3.3. Transmission Control

The transport, transfer and transmission of data, or its storage on data media, have to be controlled to prohibit unauthorized access to or replication of this data. Measures are required to control all actions involving proper transmission. Transmission control is defined as: "Transmission control is checking the integrity of transported data and monitoring integrity checking measures." Common examples for checking the integrity of transferred data are encryption or the usage of checksums.

3.2.3.4. Isolation Control

Working with several different private data sets requires isolation measures. Each data set is restricted to its own specific assignment. Technical measures are necessary to guarantee appropriation and closed-shop operation. A good definition of isolation control is: "Isolation control is checking the separation of private data sets and all mechanisms which ensure this." The operation of different databases is a good and easy example of isolation mechanisms to achieve isolation control.

3.2.4. Verifiability

Ensuring IT-compliance is based on the fact that all business transactions are documented. Dealing with private data is even more critical, because all actions have to be documented. This documentation, for purposes of verifiability, covers all aspects where private data is processed for different usage. Transparency of production for liability reasons, and immutability and traceability of actions on private data, are just two possible examples. Verifiability checks these assumptions for integrity from an external point of view.
A definition for verifiability is as follows: "Verifiability is checking a statement or circumstance for truth." Speaking in terms of IT, verifiability is transparency for IT systems to trace the processing of data. IT-compliance checks the truth of the data which is processed with data processing systems.

The following sub-chapters describe the important criteria for verifiability, which are order control, logging, documentation for development and release processes, and documentation for technical and objective solutions.

3.2.4.1. Order Control

Commissioned data processing must follow prescribed instructions. Technical and organizational measures are required for classifying the responsibilities of employer and contractor. Order control combines these measures to guarantee the processing of private data according to agreed instructions. Order control is defined as: "Order control is checking the commissioned data processing according to instructions with appropriate technical and organizational measures." Examples of order control are hard to find. It relies on trust between the parties involved. In addition, audits help to create clarity.

3.2.4.2. Logging

Traceability of amended data is required for regulatory reasons. Logging stores all actions on data with the aim of recording the lifecycle of data. The important information when logging is performed is user, time, the accessed data and the type of action performed on the data. In addition, amended data must be signed as changed to differentiate it from the original source. Logging protocols are required by law to be stored for a defined time period, e.g. ten years. The definition of logging is: "Logging is securing traceability of data changes, the user performing these, his actions and the time of change." Logging is performed in every IT system; common examples are version-control systems or servers offering web services.
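The input control criterion of 3.2.2.1 (who-when-what), the immutability criterion of 3.2.2.2 (keep the original beside every amendment) and the logging criterion just described can be served by one small mechanism: an append-only version archive in which every record carries user, time, action and content, and in which each record is hashed together with its predecessor so that an untraceable in-place change is detectable. The Go program below is an added example written for this edition, not code from the thesis; the document identifiers, user names, contents and timestamps are constructed sample values, and the hash chain is one possible implementation technique, not a requirement stated by any of the laws cited.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Version is one "who-when-what" record of a document: the user, the time, the
// action (new/edited/deleted) and the content as it was at that moment.
type Version struct {
	Seq      int
	User     string
	When     time.Time
	Action   string
	Content  string
	PrevHash string // Hash of the preceding version; empty for the first one.
	Hash     string // SHA-256 over all fields above, linking the versions into a chain.
}

// Archive is an append-only store: a change never overwrites an earlier version,
// so the original source of every amendment is retained.
type Archive struct {
	docs map[string][]Version
}

func NewArchive() *Archive { return &Archive{docs: map[string][]Version{}} }

// hashVersion binds every logged field of a version to its predecessor's hash.
func hashVersion(v Version) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s|%s", v.Seq, v.User,
		v.When.UTC().Format(time.RFC3339Nano), v.Action, v.Content, v.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Record appends a new version of docID and returns it.
func (a *Archive) Record(docID, user, action, content string, when time.Time) Version {
	hist := a.docs[docID]
	v := Version{Seq: len(hist), User: user, When: when.UTC(), Action: action, Content: content}
	if len(hist) > 0 {
		v.PrevHash = hist[len(hist)-1].Hash
	}
	v.Hash = hashVersion(v)
	a.docs[docID] = append(hist, v)
	return v
}

// History returns every retained version, oldest first. It returns a copy so
// that callers cannot edit the archive through it.
func (a *Archive) History(docID string) []Version {
	return append([]Version(nil), a.docs[docID]...)
}

// Current returns the latest content; ok is false once the document was deleted.
func (a *Archive) Current(docID string) (content string, ok bool) {
	hist := a.docs[docID]
	if len(hist) == 0 || hist[len(hist)-1].Action == "deleted" {
		return "", false
	}
	return hist[len(hist)-1].Content, true
}

// Verify recomputes the chain. Any untraceable change to a stored version
// (content, user, time, action) or a removed version breaks it.
func (a *Archive) Verify(docID string) bool {
	prev := ""
	for i, v := range a.docs[docID] {
		if v.Seq != i || v.PrevHash != prev || hashVersion(v) != v.Hash {
			return false
		}
		prev = v.Hash
	}
	return true
}

func main() {
	arch := NewArchive()
	t0 := time.Date(2010, 8, 16, 9, 0, 0, 0, time.UTC) // constructed sample timestamp
	arch.Record("invoice-4711", "alice", "new", "Invoice 4711: 100.00 EUR", t0)
	arch.Record("invoice-4711", "bob", "edited", "Invoice 4711: 120.00 EUR", t0.Add(time.Hour))
	for _, v := range arch.History("invoice-4711") {
		fmt.Printf("%d %s %-5s %-6s %q\n", v.Seq, v.When.Format(time.RFC3339), v.User, v.Action, v.Content)
	}
	fmt.Println("chain intact:", arch.Verify("invoice-4711"))
	// An in-place edit of a stored version (what a storage system with restricted
	// manipulation features must prevent) is detected by the chain check.
	arch.docs["invoice-4711"][0].Content = "Invoice 4711: 90.00 EUR"
	fmt.Println("chain intact after in-place edit:", arch.Verify("invoice-4711"))
}
```

The archive keeps the original next to the amended version, and Verify is the check an auditor (or the archiving system itself, on a schedule) would run; a real deployment would additionally write the chain head to a medium the application cannot rewrite, since the chain alone only proves that the stored history is internally consistent.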
3.2.4.3. Documentation for Development and Release Processes

There are two different types of documentation. The documentation for development and release processes includes information about the development process of applications or application modules for maintenance and further development. In addition, naming conventions, rules for design principles, or requirements are some parts of the documentation. On the other hand, all processes during development and release, especially the handling of change requests, are written down. A good definition of the documentation for development and release processes is: "Documentation for development and release processes describes the operational structuring as written-down information regarding the process execution during the development and release phase, including specifications and rules." For Germany, the V-Model is a good example, which was published by the Federal Ministry of Defense to gain transparency. Another common example is IBM's Rational Unified Process (RUP).

3.2.4.4. Documentation for Technical and Objective Solutions

The second type of documentation is for technical and objective solutions. This documentation focuses on detailed descriptions of technical or objective facts and not processes. Therefore, the functionality of a technology or the derivation of a solution is in the foreground. The documentation for technical and objective solutions is defined as: "Documentation for technical and objective solutions describes technical facts and functionality or objective derivations of solutions." Patents are the most important and best examples for the documentation of technical and objective solutions.

3.3. Regulatory Requirements on IT-Compliance Criteria

Keeping the limitation considerations of chapter 3.1.3 in mind, this master's thesis focuses on accounting, liability, data privacy and their admissible evidence and influence on IT infrastructure.
Figure 3.6 shows the different points of view and their associated laws and regulations. All laws are described in detail in the following sub-chapters, adding and classifying the IT-compliance criteria of chapter 3.2.

Figure 3.6.: Structure of laws with influence on IT-compliance [Hae08, 7]

3.3.1. Data Protection Directive 95/46/EC

The Data Protection Directive 95/46/EC is a set of European requirements for the handling of private data and its transfer within the EU. The directive is derived from the European Convention on Human Rights (ECHR), where "private and family life, his home and his correspondence" is defined as an individual's private sphere [Uni10]. It is necessary to mention the Data Protection Directive, because directives of the EU are mandatory for all EU countries to convert into national law. The directive describes the boundaries within which the legislature has to regulate national law. In the case of data privacy, the EU combines the aspects of information security, integrity and confidentiality in the Data Protection Directive.

The legislation in all EU countries is based on national law. This is important to know, because all cases are subject only to the national law of the country where an incident occurs. Further examination of EU legislation is not the intention and goal of this master's thesis.

3.3.2. Admissible Evidence

Legal compliance is based on evidence. Usually this evidence is concrete, but in the IT sector that is not the case. Information is only available as virtual data, from which deducing evidence is hard. Several laws include sections on the definition of evidence and even on its digital background. The German Civil Code (Bürgerliches Gesetzbuch - BGB) is the first place to look for leads. The first paragraph of § 126 BGB binds the writer of a document to sign it personally or by an attesting notary (§ 126 par. 1 BGB). That is possible for printed media, but not with virtual data.
Therefore, the legislature added § 126a par. 1 BGB, stating that a digital signature is valid, too. This paragraph extends the process of signing personally, as demanded, with an appropriate digital signature (§ 126a par. 1 BGB). A document, whether signed personally or digitally, is valid evidence. The next term to clarify is how a document is defined. According to the definition of the conventional principle of German law, it is a hardcopy form of an original document. An additional aggravating factor for digital information is the legal inspection by viewing the information. The Code of Civil Procedure (Zivilprozeßordnung - ZPO) defines the audit of digital documents. The digital document must be shown or transferred to the court or judge in an appropriate way (§ 371 par. 1 ZPO). However, it is not obligatory for German judges to accept digital documents as evidence. The ZPO defines the duties of judges for accepting digital evidence. It says that it is at the judge's discretion to accept or reject it (§ 286 par. 1 ZPO). He just has to record his decision for the exclusion of evidence. So it is imperative for the authenticity of a digital document to verify its secure and immutable electronic recording, storage and reproduction without gap. Only this can be accepted as evidence. The legislature provides an act as a framework for the requirements of digital signatures, called the German Signature Act (Gesetz über Rahmenbedingungen für elektronische Signaturen - SigG). The act provides extensive guidance for digital signatures, certification service providers, voluntary accreditation, and technical security for legal validity.

3.3.3. Accounting

There are several individual acts with influence on accounting and therefore on IT-compliance.

• German Commercial Code (Handelsgesetzbuch - HGB): includes the mandatory laws for trading and its organization.
• Generally Accepted Accounting Principles (Grundsätze ordnungsmäßiger Buchführung - GoB): describe the structure and best practices of financial bookkeeping and its appropriate implementation.
• Tax Code (Abgabenordnung - AO): forms the basis of German tax laws and describes their administration.
• Value Added Tax Act (Umsatzsteuergesetz - UStG): controls the taxation between suppliers and other service providers as long as they are registered as a company in Germany.

These acts have the biggest influence on IT-compliance, because some sections describe the required conditions for proper accounting.

3.3.3.1. German Commercial Code

The German Commercial Code is the core act for trade and business in Germany. The focus is the ostensible existence of a legal situation which regulates business transactions. In addition, rules for general, limited and silent partnerships are codified, including their legal implementation of closings and statements. Some supplementary recommendations for insurance companies, financial institutions and cooperatives are defined, too. A few criminal offences are also included, which add the HGB to the criminal law statutes in addition to those of the Penal Code. Not all sections of the HGB are applicable to IT-compliance, except a few which deal with the obligation to bookkeeping and documentation. These sections describe the modality for creation, management and safekeeping of documents according to legal requirements. As illustrated in chapter 3.3.2, it is fundamental to have transparency for data processing, storage and archiving to increase the probability of legal IT-compliance when on trial. In general, bookkeeping is obligatory for all companies (§ 238 par. 1 HGB). The paragraph demands bookkeeping in a way that a competent third person can reproduce all business transactions and assess the current financial status of a company.
It is explicitly noted in the last sentence that all business transactions have to be traceable to their origin and during processing. Again, this last sentence of the paragraph punctuates the importance of transparency for documents and digital information respectively. In terms of IT-compliance criteria, indexing and retrieval and logging are identified. Both criteria are required to fulfill the demands of this law. Indexing and retrieval enables sorting and quick finding of data, e.g. for audits, while logging helps to show the lifecycle with all changes to data.

The following section, § 239 HGB, adds information on how bookkeeping has to be implemented properly. A proper entry must be complete, correct, timely and sorted (§ 239 par. 2 HGB). This paragraph describes the state of information to be acknowledged as a correct entry. There is no difference between a hardcopy form and a digital one. These documents, as well as digital information, must have the attributes mentioned in § 239 HGB to fulfill correct bookkeeping. The second paragraph deals just with the format of an entry for bookkeeping. It is supplemented by the third paragraph, illustrating the requirement that all changes to information must be logged and the original information has to be archived as well (§ 239 par. 3 HGB). The result is rising complexity with electronic bookkeeping, because it is quite easy to edit digital information. Therefore, it is necessary to establish a version control system for transparency when changing documents. It is illegal to conceal changes, whether to the original or the edited document. All versions of a document and the corresponding changes have to be understandable. Both paragraphs of § 239 HGB identify IT-compliance criteria. Beginning with paragraph two, indexing and retrieval is again the main focus to enable sorting and finding of data. In addition, paragraph three demands the immutability of documents.
This forces the implementation of logging mechanisms to be aware of all changes.

The above section, § 239 HGB, explains the format and traceability of changes for documents. The question of the storage of documents has not been addressed yet. The legislature created § 257 HGB to describe the requirements for the storage of documents and the corresponding retention period for archiving (§ 257 par. 3 HGB). Paragraph three states in a clear manner that using digital media is possible for almost all documents when used according to GoB. Opening balances and financial statements are two exceptions which have to be published in hardcopy form. Two more criteria are postulated: first, the digital document must match both picture and content when published; second, the document has to be available at all times during the safekeeping period. Both criteria have to be applied. In addition, digitally created documents can be stored as printouts. The last attribute for documents is the retention period for archiving, which is regulated by the HGB. The obligation to store documents depends on the classification given in § 257 par. 1 HGB and differentiates between six and ten years (§ 257 par. 4 HGB). Documents classified to be stored for six years are incoming and outgoing (copies of) business letters. On the other hand, books of accounts, fixed assets, opening balances, annual financial statements, annual accounts and reports, annual consolidated financial statements, group management reports and corresponding instructions necessary for traceability are required to be archived for ten years. § 257 HGB goes more into the detail of bookkeeping, but regulates three IT-compliance criteria. Again, indexing and retrieval is essential as a basis for sorted data. Observing the data lifecycle, the above section demands data-backup and restart processes for audit reasons and transparency. As a result of data-backup and restart processes, immutability of documents is necessary.
To sum this chapter up, the HGB clearly defines how and what is required for proper bookkeeping, amendments of documents, storage on digital media and safekeeping periods for trade in Germany. It refers several times to GoB for more detail. Identified IT-compliance criteria in the HGB are focused on indexing and retrieval, immutability of documents, logging, and data-backup and restart processes. All criteria support traceability, changeability and storage of data.

3.3.3.2. Generally Accepted Accounting Principles

Generally Accepted Accounting Principles are a set of unwritten rules for bookkeeping and reporting procedures. They are based on recommendations of the economy, practical experience and adjudication. The purpose is to apprehend the owner of a company and the person responsible for delivering misleading data. Therefore, they are not defined in the HGB, because there is not one solution but several to follow, and technology is changing all the time. This was intended by the legislature to stay flexible. Basically, GoB is divided into five main sections/criteria which are deduced from the HGB. These characteristics, or the sections of the HGB, were already mentioned in part in chapter 3.3.3.1.

• Integrity: All obligatory bookkeeping and business transactions must be documented properly (§ 239 par. 2 HGB, § 246 par. 1 HGB).
• Verifiability: Bills and receipts document all business transactions (§ 257 par. 1 HGB, § 257 par. 4 HGB).
• Orderliness: All business transactions are assigned to their corresponding account. It is not possible to change the content without retaining a copy of the original transaction (§ 239 par. 3 HGB).
• Correctness: All content information is legitimate (§ 239 par. 2 HGB).
• Facility of inspection: A competent third person has to be able to understand, within a moderate timeframe, the business transactions and the financial assets and liabilities of a company (§ 238 par. 1 HGB, § 243 par. 2 HGB).
These five sections/characteristics of GoB and their appropriate implementation are essential when using digital media with business transactions.

3.3.3.3. Tax Code

The German Tax Code is the fundamental act of German fiscal law. The basic and valid rules for all tax types are included. The AO defines the evaluation of the tax basis, accumulation, levy and enforcement of taxes. In addition, the AO includes legal remedies for out-of-court settlements and criminal and regulatory offences. While the individual tax laws, e.g. the Income Tax Act (Einkommensteuergesetz - EStG) or the Value Added Tax Act (Umsatzsteuergesetz - UStG), regulate the concrete clauses for the evaluation and development of a tax as substantive provisions of tax law, the AO includes the basic rule of accumulating a tax and when to pay it. The AO also includes some information regarding the handling of documents, whether in hardcopy or digital form. § 147 AO combines, and is arranged similarly to, the different sections already mentioned in chapter 3.3.3.1. The focus now shifts from pure bookkeeping to taxation. The AO describes the documents a company has to keep in safe custody for taxation purposes (§ 147 par. 1 AO). Similarities to § 257 par. 1 HGB are recognizable. So, the documents are not only required for bookkeeping, but as a basis for taxation too. § 147 par. 1 Nr. 5 AO uses the term supplementary data ("sonstige Unterlagen"), which is critical, because it contains everything which influences costs or affects turnover. This covers almost all relevant business data. Summing up, billing, materials logistics, time registration, claims for travel expenses, bills of charges and performance accounting are just focal points on the list. In addition, spreadsheets of calculations, agreements of appointments, payments, discounts and prices are included, too.
Supplementary data even includes electronic mails containing this data which leads to company email policies and email archiving for the required time period. § 147 AO also refers to digital media. The second paragraph introduces the usage of digital media and the corresponding principles for digital media based on GoB (§ 147 par. 2 AO). Again, similarities to § 257 Abs. 3 HGB are recognizable and underline the common objective of the law. Reading § 147 AO and looking at IT-compliance criteria, the parallel to the HGB is evident. Indexing and retrieval, data-backup and restart processes, immutability of documents and logging are demanded. However, the difference between the HGB and AO is the difference in perspective: the AO is focused on transparency for audits of the tax authorities while the HGB is more general for business transactions. To sum this chapter up, the AO is a good example to show the necessity to have a transparent and comprehensive approach for bookkeeping in terms of taxation for a company and audits for the tax authorities. All identified criteria are similar to those of the HGB, indexing and retrieval, data-backup and restart processes, immutability of documents and logging, but yet have another focus. 3.3.3.4. Value Added Tax Act The Value Added Tax Act is a special section of the AO for companies. The UStG regulates the taxation of supplies and other services for an employer in Germany. In addition, the import of items is regulated for national and intra-community purchase for value, too. The UStG addresses the handling of digital documents with a focus on security during the transfer. All digitally transferred bills must secure authenticity of origin and content (§ 14 par. 3 UStG). They are only valid when digitally signed according to the SigG or accredited vendors. The processing of the digital signature includes the proof of authenticity, logging of the proof and storage of the signature keys according to the SigG (§ 17 SigG). 
It is quite easy to identify IT-compliance criteria in this section. § 14 UStG regulates the condition of data during the transfer. First, immutability of documents is required for all content data to be transferred. Second, the identity of the sender 81 3. IT-Compliance must be guaranteed and the manipulation of content must be prohibited by using appropriate digital signatures during transfer. Transmission control is demanded to show the correct and unmanipulated data. Both criteria together, enable trusted transfer of business transactions between companies or even a company and the tax authorities. 3.3.3.5. Other Regulation for Accounting There are two other main documents, no acts, but with high influence on accounting with computer systems. Both ”explanations” are distributed by the Federal Ministry of Finance in Germany for the practice rules for financial management. The first document is called Principles of Proper EDP-supported Accounting Systems (Grunds¨ atze ordnungsm¨ aßiger DV-gest¨ utzter Buchf¨ uhrungssysteme - GoBS). GoBS is an extension of GoB with the focus on electronic data processing. It is based on the same principles of GoB which originate from the HGB. Like GoB, facility of inspection, integrity, verifiability, orderliness and correctness (q.v. 3.3.3.2) are the main characteristics. GoBS defines extensive requirements for the documentation of business procedures and responsibilities of the organization, especially for IT. The second document is called Principles of Data Access and Audibility of Digital Documents (Grunds¨ atze zum Datenzugriff und zur Pr¨ ufbarkeit digitaler Unterlagen - GDPdU). The GDPdU is an explanatory extension for the AO. Therefore, the main focus is on direct access via data processing systems (§ 147 par. 5 AO) and supply of automated evaluations and/or data mediums (§ 147 par. 6 sentence 2 AO). The GDPdU was mainly intended to provide a better integration of tax authorities. 
The GDPdU, as an extension of the AO, has the same IT-compliance criteria as the AO (indexing and retrieval, data-backup and restart processes, immutability of documents and logging), but adds another one: the documentation for technical and objective solutions, which makes it possible to follow all implemented measures mentioned before.

3.3.3.6. Laws and Technological Responsibility

Taking a look at the different acts, we find that certain technologies are not mentioned at all. The legislature does not regulate the technology for storing documents on digital media. All taxable companies are responsible on their own for the appropriate arrangement of technology as long as it is within the statutory period. For example, the journal "Der Archivar" describes the efforts required for readability and data backup within important archives. Technical progress is so fast that data stored on today's digital medium of choice will not be readable in 10 years and, as a result, we have to consider it as lost [Köl02]. Companies have to consider this in their strategy for storing documents on digital media with reference to the recommendations of the law. It is exclusively the company's responsibility.

3.3.4. Liability

Liability in terms of law is divided into two sub domains. The first domain is product liability, which focuses on products, and the second is manufacturer's liability. Both are required to illustrate IT-compliance issues.

3.3.4.1. Product Liability

Product liability is defined in the Product Liability Act (Produkthaftungsgesetz - ProdHaftG). This act explicitly deals only with questions of liability. The most important question is whether a faulty product resulted in damage to property or life. The ProdHaftG states in its first section the definition of damage by a faulty product (§ 1 par. 1 ProdHaftG). There is a differentiation between human injury and death on the one hand and damage to another object on the other. In both cases the product manufacturer is liable for the resulting damage. The paragraph also restricts the liability, because it is explicitly mentioned that the ProdHaftG is only valid for business to consumer interactions.

The burden of proof is described in paragraph four. The injured person is usually responsible for the burden of proof. In the absence of clarity, the producer, assembler, importer or even the supplier, if the above named are not determinable, is responsible for the burden of proof (§ 1 par. 4 ProdHaftG). The producer or supplier has to be careful, because he might be in the position of bearing the burden of proof in special situations. He must develop and prepare preventive measures.

Product liability, as stated in § 1 ProdHaftG, identifies documentation for development and release processes and documentation for technical and objective solutions as IT-compliance criteria. On the one hand, the documentation for development and release processes traces the creation / production of a product and all involved processes. On the other hand, the documentation for technical and objective solutions secures all technical aspects and the usage of the product. Both documentations are complementary and show the development and production process and the working product itself. When product liability issues occur, both documentations help to resolve any questions faster and reduce the probability that the fault is attributed to the company.

The ProdHaftG even names the period in which a product liability claim is possible. The claim depends on § 1 ProdHaftG and is valid for ten years, beginning with the moment the product was manufactured (§ 13 par. 1 ProdHaftG). This is quite a long time during which the producer must store information about the product, especially in the case of extended legal action. Identifying IT-compliance criteria for § 13 ProdHaftG is less clear-cut. The period for archiving data according to this section requires data-backup and restart processes. Only these provide security for stored data over long periods. This IT-compliance criterion is mandatory today in big companies, mostly not with a focus on compliance, but more on business continuity.

Summing up product liability, a producer cannot rely on the injured person's burden of proof. He has to document, as evidence, the complete product lifecycle during the period in which a customer is entitled to damages. The documentation must include the production process with all product attributes. In particular, this also implies the measures for making the product safe, e.g. testing, and proper archiving and backup processes.

3.3.4.2. Manufacturer's Liability

Manufacturer's liability has three focal points: first, a general point on documents as evidence for production processes and product attributes; second, liability of executives and boards of management; and third, duties of the executive management and employees.

Documents as Evidence for the Production Process and Product Attributes

The BGB regulates the avoidance of negligent practices regarding life and property. Liability becomes due when the person or company who is responsible for damage to property or life must pay compensation (§ 823 par. 1 BGB). Liability has a degree of negligence, but the legislature places the burden of proof on the producer. It is in the producer's interest to ensure documentation of the complete lifecycle of a product. This includes development, construction, production, instruction, the duty of product surveillance, disposal and quality control. Contrary to product liability, the focus here is directly on the company and its employees which offer a product. The documentation must include business transactions, project agreements, verifications, validations and changes, all of which are authenticated. The limitation period for personal injury is thirty years and for all other matters the standard limitation of two years (§ 197 BGB). Documentation as a safeguard for evidence, based on the principles described in chapter 3.3.2, is critical for this line of argument. The IT-compliance criterion is documentation for development and release processes. It is used to demonstrate all measures taken by a company and the responsible persons to secure the production and release processes.

Liability of Executives and Boards of Management

The liability of executives and boards of management is regulated by different acts, because both are different parts of responsibility in the company. However, the result for both is similar in terms of liability. The Limited Liability Company Act (GmbH-Gesetz - GmbHG) regulates the basic constitution of the GmbH, its construction, institution and status in terms of legal relations. The liability of executives is stated in the GmbHG. They have to work in the company's interest and according to the principles of a proper businessman (§ 43 par. 1 GmbHG). Executives not following these principles will be accused of criminal action for the subsequent damage to the company (§ 43 par. 2 GmbHG). Admitting to wrongdoing for their actions results in a maximum sentence of five years (§ 43 par. 4 GmbHG) by the prosecution. Interestingly, this period is shorter than the period for a product.

The German Stock Corporation Act (Aktiengesetz - AktG) regulates the construction, constitution, accounting, annual shareholders' meetings and liquidation of stock corporations and partnerships limited by shares. In addition, the German law on consolidation of companies (Konzernrecht) is included, too. The rights and duties of corporations described in the AktG are summed up with the recommendations in the HGB and BGB. The AktG is regarded as a criminal law statute in addition to those of the Penal Code, because it describes administrative fines and penal provisions too.
The penal provisions become more important in terms of the law related to business violations.

The due diligence and liability of members of the board of management are defined in their own section. Members of the board of management are liable as long as their business decisions are based on common sense and without bias (§ 93 par. 1 sentence 1 AktG). Violation of this basic rule is regulated by the following paragraph. The board member is liable for the damage caused and burdened with compensation (§ 93 par. 2 AktG). Even when the corporation insures the board member, he is still liable for a minimum of 10 % of the damage and up to a maximum of one and a half times his salary.

Both acts, GmbHG and AktG, ensure the liability of higher management corresponding to their company type. This liability leads the management to document their decisions and archive all documentation on which business decisions were made. Therefore, the IT-compliance criterion is again documentation for development and release processes as an essential basis for the traceability of management decisions.

Duties for the Executive Management and Employees

The legislature ensures the influence and duties of the executive management and the board of management and thus approved another act. The Corporate Sector Supervision and Transparency Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich - KonTraG) is an extensive collection of sections. The aim of the KonTraG is the enhancement of corporate governance in German companies. Therefore it changed several sections in the HGB and AktG to specify and/or extend the liability of the executive management. The core of the act is the establishment of a corporate system for the early detection of risks (risk management) and the required publication of measures in general and in financial reports. On the other hand, the KonTraG demands better teamwork between the board of management and certified annual auditors, with a focus on problem- and risk-oriented audits. The duty of the executive management is the establishment, compliance and observation of a working risk management.

A practical example was published by the Regional Court of Berlin in the year 2002 (q.v. [Rec08, 7]), which adjudged that "Fehlendes Risikomanagement berechtigt zur außerordentlichen Kündigung des Vorstands" [Ber02] (missing risk management justifies the extraordinary dismissal of the board of management). This decision was based on the AktG, which regulates such matters. It is clearly defined in the AktG that it is the duty of the board of management to set up a comprehensive risk management (§ 91 par. 2 AktG). The established risk management is a protection for the board of management in cases of liability. The focus of liability of the higher management lies not only in a company's products but, more importantly, in the future of the company.

Figure 3.7 is an example of a working risk management concept. All steps must be properly documented as evidence when liability issues occur.

Figure 3.7.: Example of a risk management concept [Hae08, 21]

It is not only the higher management which has responsibility, but the employee as well. The duties of the employee are described in the BGB in the chapter on service contracts. The BGB states that the employee has the obligation to fulfill his service contract (§ 611 par. 1 BGB). It is important to prepare a detailed job description. This is done with a service contract, work instructions and other agreed rules. The legislature expects an effective security management to enable transparency in terms of liability. There are three cases which differentiate the pro-rata liability: slight, contributory and gross negligence. First, slight negligence implies no liability for the employee, because the fault or damage was not initiated by him or was not within his functional area. Second, contributory negligence implies a pro-rata liability shared between employer and employee. Third, gross negligence means complete liability of the employee, because he caused the damage. The IT-compliance criterion documentation for development and release processes is becoming more and more important for employees too. Liability issues are tracked down within a company to the responsible employee, to facilitate a rational defence and to avoid legal repercussions.

To sum up this chapter, manufacturer's liability is an important aspect for any company, whether from the management's or from the employees' point of view. The legislature demands the recognition and identification of who is responsible for which specific action. The best way for companies is the documentation of their approach and its continual observation and updating.

3.3.5. Data Privacy

Data privacy is an important part of German legislation and of the handling of private data within Germany and/or the EU. German law provides the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) for the security and processing of private data. In addition, the EU provides a directive called Data Protection Directive 95/46/EC for data privacy within the countries of the EU. The following subchapters describe the important sections of the BDSG and touch on the EU directive, because it is a higher institution of influence.

3.3.5.1. Federal Data Protection Act

The Federal Data Protection Act regulates the processing of personal data in IT and in manual work. The requirements for data privacy, data security and evaluation in Germany are described in the BDSG. All information describing an individual person or a person's objective relations is defined as private data (§ 3 par. 1 BDSG). Private data collection, processing and usage are subject to this definition of § 3 BDSG. The legislature explains in the following section these actions involving private data. It is only possible to work with private data on a legal basis, i.e. a legal provision allowing or commanding it, or when the person concerned agrees (§ 4 par. 1 BDSG). Usually, the person concerned agrees by signing a contract with the data privacy terms of the contracting party. The person signing a contract grants permission for processing only for a certain time period and for the agreed upon tasks. This is called object oriented storage. After the storage period has passed, or at the end of the contract, all private data must be deleted (§ 20 par. 2 BDSG). Illegal storage of private data entails immediate deletion, too. In case deletion of the private data is not possible, it must be locked (§ 20 par. 3 BDSG). In today's connected world, locking private data is more realistic than deleting it, because technical deletion involves a disproportionate effort from the company's point of view.

All the above mentioned requirements demand the security of private data with appropriate technical and organizational measures. The BDSG uses an overall approach. § 9 BDSG is very important, because it forces companies to build their infrastructure on security and IT-compliance rules when processing private data (§ 9 BDSG). In addition to the abstract law, it provides the catalogue of technical and organizational measures ("technische und organisatorische Maßnahmen") as an attachment to the BDSG. This attachment describes in detail the several different required characteristics of the technical and organizational measures. They are the fundamental basis for processing private data in terms of security and IT-compliance in a company's infrastructure. § 9 BDSG provides another important IT-compliance criterion. Technical measures mean the system configuration when speaking of defense and security mechanisms against malware. Proper security is only possible with up to date anti-malware software and a restrictive system configuration.
Attachment for BDSG

The attachment for § 9 sentence 1 BDSG (Anlage (zu § 9 Satz 1 BDSG), original source: BGBl. I 2003, 88) is a description of the technical and organizational measures which are required to secure the operation of IT-systems in accordance with IT-compliance criteria. The attachment, which is quoted and commented on below, names eight principles a company has to obey. The introduction indicates that measures must be adapted to the type or category of private data (Attachment for § 9 Sentence 1 & 2 BDSG). Adjustments of business processes might be necessary to guarantee the above mentioned approach. It is the government agency's or company's responsibility to factor this demand into the development of business processes.

The first principle is physical access control. All IT-systems, data centers or simple workstations must be secured in a proper way (Attachment for § 9 Sentence 1, No. 1 BDSG). The security measures must meet state of the art technology.

The second principle is logical access control. IT infrastructure must be secured with an authentication system (Attachment for § 9 Sentence 1, No. 2 BDSG). The authentication system should fit an overall approach.

The third principle is permission access control. Application users are only allowed to process private data for which they have the proper permission, speaking in terms of rights management (Attachment for § 9 Sentence 1, No. 3 BDSG). The definition of rights corresponding to users, different roles and distribution groups prohibits inadmissible reading, copying, editing or deleting.

The fourth principle is transmission control. The integrity and consistency of private data must be secured when transmitting (Attachment for § 9 Sentence 1, No. 4 BDSG). In addition, logs and controls must be kept when private data is transmitted or stored from one point to another.

The fifth principle is input control. Users manipulating private data must be logged (Attachment for § 9 Sentence 1, No. 5 BDSG). This control mechanism provides transparency about the past processing steps of private data and especially who executed them.

The sixth principle is order control. The processing of private data is only valid if the originally agreed instructions are followed (Attachment for § 9 Sentence 1, No. 6 BDSG). Processing under conditions not arranged in the contract is an offence. Order control is an aspect that is difficult to monitor.

The seventh principle is availability control. Backup strategies are required to secure the storage or archiving of private data (Attachment for § 9 Sentence 1, No. 7 BDSG). All backup measures must be implemented corresponding to the valid laws for the archiving time period.

The eighth principle is isolation control. Government agencies and companies must process each private data set separately (Attachment for § 9 Sentence 1, No. 8 BDSG). Merging or consolidating private data sets is illegal. All private data must be processed exclusively for its predetermined purpose.

The attachment ends with a sentence stating that the technical and organizational measures under numbers two to four must be implemented with state of the art encryption technology (Attachment for § 9 Sentence 1, Sentence 3 BDSG).

The eight principles are also the required IT-compliance criteria, because they sum up the required control mechanisms wherever interaction or contact is made with private data. They are essential and build an overall approach with influence on almost all data. The BDSG defines an overall approach for the security and IT-compliance requirements. Figure 3.8 shows the above described technical and organizational measures and their interaction.

Figure 3.8.: The eight principles of the attachment for § 9 sentence 1 BDSG [Hae08, 31]

3.3.6. Law and Criteria Table

The matching of laws and the identification of corresponding IT-compliance criteria leads to the development of table 3.1. This table joins the different acts with the relevant laws on the x-axis and the IT-compliance criteria on the y-axis. Some IT-compliance criteria are identified in several different laws. The table helps to get an overview of what is required for IT-compliance, even for persons without a legal background, and where to start when working on this topic.

Table 3.1.: IT-compliance criteria

3.4. Cloud Computing IT-Compliance Audit Standards in Germany

The German Institute of Auditors (IDW) (http://www.idw.de) publishes the audit standard PS 880 (Granting and Application of Software Certificates - Erteilung und Verwendung von Softwarebescheinigungen), which contains the requirements for the audit of software products and the granting of certificates with relevance to the IT-compliance of accounting. The focus of the PS 880 audit is the compliance of software products with GoB:

• Billing and accounting processes
• Processing functions of the application system
• Security requirements
• Application development and maintenance
• Data security
• Documentation

PS 880 addresses audits of software products before they are integrated into the customer's IT environment. At the moment, IDW PS 880 seems to be the only audit standard applicable to cloud computing service providers (see [Net09]), while several other audit standards of the IDW address the customer's/user's point of view:

• IDW PS 330 (Audit of Financial Statements in an Information Technology Environment - Abschlussprüfung bei Einsatz von Informationstechnologie)
• IDW RS FAIT 1 (Principles of Proper Accounting When Using Information Technology - Grundsätze ordnungsmäßiger Buchführung bei Einsatz von Informationstechnologie)
• IDW RS FAIT 2 (Principles of Proper Accounting for Electronic Commerce - Grundsätze ordnungsmäßiger Buchführung bei Einsatz von Electronic Commerce)
• IDW RS FAIT 3 (Principles of Proper Accounting When Using Electronic Archiving Processes - Grundsätze ordnungsmäßiger Buchführung beim Einsatz elektronischer Archivierungsverfahren)

In conclusion, the critical mass for cloud computing has not yet been reached. Auditors will individually decide the proper way of testing IT-compliance in cloud environments. The above mentioned audit standards are just samples of popular standards already in use.

4. Transformation of IT-Compliance Criteria into IT-Requirements

"What we are seeing now is customers shifting their attention from security products like firewalls and intrusion sensors, to the policies that need to be in place, and the technologies that help them enforce policy compliance."
John W. Thompson, Chairman of the Board of Directors of Symantec Corporation

This chapter describes the transformation of IT-compliance criteria into IT-requirements. There is such a large number of IT solutions and possible measures representing the IT-compliance criteria that a limitation is required. So, IT solutions and measures are described in the abstract and not in complete detail.
Finally, choosing a certain technology depends on the specific underlying case. Nevertheless, this chapter establishes awareness for the complexity of IT and corresponding solutions. 4.1. IT-Requirements based on IT-Compliance Criteria Explanatory Statement The analysis of a cloud service for compliance can consume substantial amount of time. Especially when reading the terms of agreement and the underlying national regulations which host the cloud service provider’s IT infrastructure require time and effort to understand. In addition, SLAs can vary between start-ups, SMEs and large enterprises or end users and their demands. Looking at the responsibility for security and compliance, each service delivery model shifts security and compliance step by step from the cloud service consumer towards the cloud service provider. With each shift of responsibility to the cloud service provider, the cloud service consumer has less control. Compliance and security issues even rise depending on the cloud deployment model intended for implementation. The identified IT-compliance criteria in chapter 3.2 build an abstract set of features for the IT-compliance of a cloud. Nevertheless, these criteria must be converted into concrete IT-requirements and systems which represent the required functionality. IT-requirements are discussed along the cloud service delivery models, because they are the main point of contact between cloud service consumer and provider. The following subchapters describe concrete IT-requirements, whether actively or passively for IT. Naming of vendors or explicit products is not done. 4.2. System Configuration System configuration is a fundamental measure to comply with regulatory and legal requirements. The customized configuration of the IT infrastructure in accordance with all cloud services provides security within the coded limits of the used software. The control and configuration possibilities depend on the cloud service delivery model. 96 4. 
Transformation of IT-Compliance Criteria into IT-Requirements Looking at IaaS, the customer has the responsibility to secure and configure the operated IT infrastructure to his legal and regulatory obligations. The rule of thumb in general is to deny and restrict all and afterwards allow only required services and permissions. Therefore, IaaS requires a detailed and complete understanding of security and configuration throughout all IT levels. This starts with the configuration of the operating system and goes on with network security measures, e.g. firewalls. Based on this level, the configuration of the platform frameworks to run (web-) applications or installed software requires configuration. Again, a restrictive approach is mandatory. The next higher cloud service delivery model is PaaS, where the platform is already configured by the cloud service provider. Possible customizations and control are less for the customer, but the responsibility for IT-compliance of the underlying layer is shifted away from the customer to the cloud service provider. Here, the customer has to compare the cloud service providers IT-compliance level with his own. It is of highly risky and very critical when the customer’s configuration complies with legal and regulatory requirements, but the underlying cloud service provider’s domain does not. A transparent match of both is critical. The on top cloud service delivery model SaaS shifts almost all responsibility for IT-compliance to the cloud service provider. The decision for a cloud service provider is therefore easier for the customer, because the analysis of the offered application service including its compliance is debt to be discharged at creditor’s domicile. Yet, this does not mean that the cloud service customer should rely on the cloud service provider. It is assumed that the cloud service provider is interested in a trusted and transparent collaboration. 
The customer’s responsibility for IT-compliance is limited, as long as he configures the used cloud service with all available adjustments. Integral parts of system configuration are updates. Continuous updates of the operating system and all applications and frameworks are within the customer’s liability when using IaaS. PaaS reduces the updates to the operated applications which run on the platform for the customer. The underlying software gets managed and is therefore updated by the cloud service provider. Customers with SaaS have no necessity to install updates, because it is the cloud service provider’s task. 4.3. Physical Access Control Physical access control forms the outer defensive measures to secure data. Data is value and it is of highest importance to secure the physical IT infrastructure which hosts all data. This becomes reflected in the construction and assembly of data 97 4. Transformation of IT-Compliance Criteria into IT-Requirements centers. Modern data centers integrate access control which allows entrance only to employees with authorization. This access control features video surveillance to cover the complete data center and door entrance checking mechanisms like finger print / iris checking or identification cards. In addition, the build-up of data centers has several different prioritized areas for separate authorized personnel. To secure each server rack, each door lock has to be used. When physical administration of the IT infrastructure is necessary, the four-eye principle, meaning two or more administrators are working together, is used for control. 4.4. Availability Control The operation of a data center does not only include IT infrastructure, but also cooling systems and emergency power supplies. Cooling systems are necessary for adequate operation of the IT infrastructure, because heat might damage computing systems and this can result in data loss. The emergency power supplies are necessary to keep up operation. 
Sudden power drops or even failures can result in data loss. Availability is, however, not limited to these two points. It also demands redundant network connections to have continuous service availability via the Internet. Furthermore, the human component, e.g. administrators maintaining the IT infrastructure, has a big impact on availability. This is not only for maintenance reasons, but also in case of emergency. Therefore, availability control requires appropriate management tools for supervision. These tools must be configured to cover most of the above mentioned points. In addition, they need constant observation to react to sudden emergencies. To create trust between a cloud service provider and its customers, the integration of a status system into the availability management tools is a good idea to keep customers up to date with maintenance and emergency situations.

Availability control is not only necessary as a fundamental basis for the equipment, but for the IT infrastructure itself, too. IaaS, PaaS and SaaS profit from the implemented solutions for monitoring and controlling availability. The focus of the different availability controlling systems depends on the cloud service delivery model. IaaS requires monitoring tools for hardware, e.g. storage, backup archives and virtual machines. Common factors for observation are CPU, memory and network performance or remaining hard drive capacity. PaaS as the next cloud service delivery model requires monitoring of the platform and framework performance and of the applications executed on top. Last, SaaS availability control observes the performance of the application, because a slowly reacting application e.g. hinders work and is therefore regarded as not available.

4.5. Indexing and Retrieval

Indexing and retrieval is a required feature for storage, because accounting and financial documents provide substantial information for tax authorities. Cloud computing in general provides the cloud service customer with a variety of locations where data is stored, executed and archived. Whether it is IaaS, PaaS or SaaS, the indexing of the data has to be ensured by the software implemented in the cloud IT infrastructure. In addition, the process of indexing and retrieving data in the cloud must perform in a timely manner without long waiting times. Cloud service customers interested in using cloud services should therefore pay attention to the sorting and searching mechanisms. The index information itself is handled as metadata. This metadata provides information about the indexed data and is therefore considered private data, too. Cloud service providers must take serious measures like encryption to safeguard this data. Secondly, customers should inform themselves about the further processing of the metadata by the cloud service provider.

4.6. Data-Backup and Restart-Processes

Data-backup is required for all service delivery models of cloud computing. The cloud service delivery models differ only in the type of data that is backed up. IaaS needs the backup of unsorted data of all sizes; PaaS might require the backup of coded and tested data, and SaaS the backup of content information. The integration of a multi-tiered backup architecture into the data center's IT infrastructure is the best way to prevent data loss. The first tier is the backup of the productive cloud IT infrastructure's content data to a backup medium in the same data center. This tier is followed by a redundant mirrored backup to a similarly or identically built data center. This backup data center is located in a different geographical region, e.g. another country or continent.
The next step when taking backup very seriously is to commission another cloud service provider with backup measures. Here, other compliance issues might occur and must be subject to further investigation. Data-backup always requires restart- and recovery-processes. Recovery time is critical for the restart-process, and continuous training is required. Therefore, simulations of these processes have to be executed on a regular basis. The responsible administrators must be trained and have to know the backup- and restart-processes. These processes must be enhanced to stay up to date with the development and maintenance of the IT infrastructure and the offered cloud services.

4.7. Dependence on Physical Location

The most critical criterion for IT-compliance of cloud services is the physical, i.e. geographical, location of data in the cloud. Especially private data is not allowed to leave national borders, or only under certain precautions. The laws in Germany demand that data of interest for tax authorities is kept available. During the last years and in the process of EU standardization, a step by step easing has taken place. The EU Data Protection Directive 95/46/EC allows the transfer of private data to other EU countries. Speaking in terms of IT-compliance, customers of cloud services have to know the location of data which is transferred into clouds. Several points of interest must be agreed on in the SLAs between cloud service provider and customer. First, the geographic location of the cloud service provider's data centers must be known. The possibility to agree on a certain data center in a certain location which provides the used cloud services is mandatory in all contracts. Cloud customers in Germany depend on locations in Germany or within other EU countries.
The German BITKOM even proposed that Germany has a location advantage because of its strict private data regulations [Com10a]. Second, the IT infrastructure must allow the customer to identify and monitor the physical location of his data. Besides the consumed cloud services, the cloud service provider must offer an interface for these monitoring tasks. This interface has to show the access channel of the customer's private data in the cloud service provider's data centers. Third, the cloud service provider must reveal all of his subcontractors to whom he outsources operations. Cloud service provider and customer define and agree in the SLA if and what private data is subject to transfer to a third party. The tracking of the physical location of private data which is transferred to a subcontractor has to be included in the monitoring interface to guarantee complete transparency.

4.8. Input Control

The simple question for input control is: Who did what to which data and when? Therefore, the IT infrastructure must allow logging (see chapter 4.15 below) of the appropriate information. This means that four types of information are collected:

• User credentials of the logged-in user. A unique username or number is required to identify the performing user.
• Type of action which was performed, e.g. create, edit, delete, up- and download etc.
• The data on which the action was performed, e.g. path to document and name.
• Timestamp when the action was performed.

A complete controlling approach for cloud services (IaaS, PaaS and SaaS) is required to have information about all inputs. This includes maintenance, update and error correction actions of the cloud service provider and all working actions of the customer. In addition, customers must analyze the legal requirements for input control. For example, the financial sector may add a transaction number to all inputs.
So, the cloud service provider has to provide a common set of input control attributes and must allow auxiliary attributes definable by the customer. Speaking in general, input controlling and monitoring software must allow flexibility, transparency and completeness for the customer to comply with legal and custom requirements. Additionally, customers gain "control" and knowledge (traceability) over the lifecycle of private data in the cloud. And lastly, the input control must perform its work depending on the cloud service delivery model.

4.9. Immutability of Documents

The immutability of documents is an IT-compliance criterion that is difficult to realize, because the presentation of the complete data lifecycle is mandatory. All IT-systems which provide manipulation features for data must implement several attributes. A versioning system is preferable, because all states of data are presentable and, in case of emergency, recoverable. In addition, versioning systems provide vital information on the time of change and the user who manipulated the data. Next, the versioning system must allow custom configuration for different industry sectors, time periods and types of data (e.g. of interest only for the company or for tax authorities). The same is valid for a versioning system as when using databases; an additional flag for the immutability and version of data is then a matter of database design. As a final note, the creation of a process that describes what happens to data after the configured versioning period has expired is in general a good idea. Usually, comprehension and consultation with the cloud service provider will reveal a solution in the customer's interest (e.g. keeping the latest backup version of each data set).

4.10. Logical Access Control

The connection of cloud computing to broadband network access makes all cloud services vulnerable to attacks, e.g. phishing [Mic06].
Here, the fraudulent obtaining of usernames and passwords marks a critical weakness for cloud services. The implementation of a strong and secure authentication system is necessary for the operation of a cloud service. The common approach is a username with a password selected by the user. It is the cloud service provider's task to specify a restrictive rule set for the choice of passwords. A good rule set demands the use of an alphanumerical combination (lower and upper case letters plus numbers and special characters) with at least eight characters. However, reality shows that users try as long as needed to set an easy to remember password, which consists of a combination that is faster to crack with enough computing power. Therefore, the implementation of a far more complex approach is required to secure logical access to cloud services. First, a maximum number of access attempts (usually three to five attempts) in a defined time period is helpful. Next, splitting the password into two parts creates better security: the first part consists of a password of the user's choice (the rule set for creating passwords still applies), and the second part is a randomly generated number which is only valid for 60 seconds. A small device generates the numbers and is synchronized with the login system. This approach has two big benefits. The user can still set a password of his choice, but he is forced to use the randomly generated number in addition. Getting the number is done without network consultation and is therefore not vulnerable to network attacks. The next challenge for logical access control is the rising number of services and systems which all need different usernames and passwords. The development and operation of Single Sign-On (SSO) systems, even as another cloud service, is inevitable.
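As an added illustration of the two-part approach just described (example code, not part of the thesis or of any provider's system), the following Python code checks the password rule set, limits failed attempts per time period and verifies the 60-second number from a device that shares only a secret and the clock with the login system; the concrete constants, the HMAC-based number generation and the account storage are assumptions.

```python
"""Added example: logical access control with a password rule set, an
attempt limit and a second, time-based part of the password.
Constants, the HMAC-based number generation and account storage are
assumptions for illustration, not a description of any provider's system."""
import hashlib
import hmac
import os
import string
import struct
import time

PASSWORD_MIN_LENGTH = 8          # rule set: at least eight characters
CODE_STEP_SECONDS = 60           # the generated number is valid for 60 seconds
CODE_DIGITS = 6                  # assumption: six-digit number shown by the device
MAX_ATTEMPTS = 3                 # "usually three to five attempts" per time period
ATTEMPT_WINDOW_SECONDS = 300     # assumption: the defined time period is five minutes


def password_meets_rule_set(password: str) -> bool:
    """Lower and upper case letters, numbers and special characters, eight characters or more."""
    if len(password) < PASSWORD_MIN_LENGTH:
        return False
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def time_based_code(secret: bytes, now: float) -> str:
    """Number the user's device shows for the 60-second window containing `now`.
    HMAC-SHA1 over the window counter with dynamic truncation (RFC 4226/6238 style);
    device and login system share only `secret` and the clock, no network is involved."""
    counter = int(now // CODE_STEP_SECONDS)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class LoginSystem:
    """Username + two-part password (self-chosen part, 60-second part) with attempt limit."""

    def __init__(self):
        self._accounts = {}   # username -> (salt, password hash, device secret)
        self._failures = {}   # username -> timestamps of recent failed attempts

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, device_secret: bytes) -> None:
        if not password_meets_rule_set(password):
            raise ValueError("password violates the rule set")
        salt = os.urandom(16)
        self._accounts[username] = (salt, self._hash(password, salt), device_secret)

    def _locked(self, username: str, now: float) -> bool:
        """True when MAX_ATTEMPTS failures fall inside the current time period."""
        recent = [t for t in self._failures.get(username, []) if now - t < ATTEMPT_WINDOW_SECONDS]
        self._failures[username] = recent
        return len(recent) >= MAX_ATTEMPTS

    def login(self, username: str, password: str, code: str, now: float = None) -> str:
        """Returns "granted", "denied" or "locked"."""
        now = time.time() if now is None else now
        if username not in self._accounts:
            return "denied"                     # same answer as for a wrong password
        if self._locked(username, now):
            return "locked"                     # too many failures in the time period
        salt, stored_hash, secret = self._accounts[username]
        password_ok = hmac.compare_digest(self._hash(password, salt), stored_hash)
        # accept the current window and the previous one to tolerate small clock drift
        code_ok = any(hmac.compare_digest(code, time_based_code(secret, now - drift))
                      for drift in (0, CODE_STEP_SECONDS))
        if password_ok and code_ok:
            self._failures.pop(username, None)
            return "granted"
        self._failures.setdefault(username, []).append(now)
        return "denied"
```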
There are already some promising projects and approaches in development or active use (see Kerberos (http://web.mit.edu/kerberos/www/) or OpenID (http://openid.net/)), but it will still demand great efforts to create trustworthy and secure SSO services.

4.11. Permission Access Control

Permission access works together with logical access, because permissions are bound to a defined user group, department or an individual user. The permissions that can be set differ between applications. Usual operating systems and applications might enable the configuration of permissions for read, write and execute (see Linux [Coo10]). A more complex case is database applications, which offer a great variety of permissions. The correct and up-to-date configuration of the permission access to private data is critical for cloud applications, because a multi-tenant cloud environment provides access for many customers and users on the same IT infrastructure. Depending on the cloud service delivery model, each service requires a fine grained permission hierarchy which interacts with the logical access. Looking at IaaS, a rudimentary permission hierarchy with read, write and execute might be acceptable. Going on to PaaS, more factors sum up and add to the permission hierarchy, because infrastructure and platform need different permissions. Last, SaaS again deals with a more horizontal permission hierarchy which is already part of the used application. Going up the cloud service delivery models, each model provides less flexibility in terms of permission access. Permission access control is hard to realize, because every cloud service delivery model uses unique permissions implemented only for its purpose. The result is a confusing mix of different permission lists depending on operating system and applications.
Cloud service customers should always analyze the possibilities for permission access control and whether they fit their needs. A global and unified permission access control interface or monitoring tool is not available at the moment. This field in application and cloud architecture requires more research and development. It might be the subject of further academic research.

4.12. Transmission Control

The dependence of cloud computing on working networks makes transmission control inevitable. There are several points to consider when planning the transmission control. In the event of a network failure of a specific connection, backup connections are required to compensate the loss. The implementation of an automated failsafe mechanism helps to reduce the risk. So, the status of the network must be monitored constantly by appropriate tools. Next, all traffic requires protection against criminal actions. Strong and up to date encryption protects all connections and the transferred private data. In addition, the access to the data center's IT infrastructure must be protected by firewalls and intrusion detection systems. The firewall has to be configured restrictively and allow only connections for the offered services. The intrusion detection systems monitor the network connections for any criminal action and alert on violations. All implemented transmission controls must be subject to regular security audits to keep up with upcoming threats.

4.13. Isolation Control

Cloud computing offers the best capacity utilization for computing resources. This result is achieved through the consolidation of several customers' IT needs onto the integrated and standardized IT infrastructure of the cloud service provider. The consolidation brings the risk of mixing data in general, but especially private data, of different customers.
Customers recognize this threat and therefore demand the encapsulation of the IT infrastructure used by them. It is the cloud service provider's task to implement and make the best use of isolation mechanisms for the IT infrastructure. Looking at the three different cloud service delivery models, all require isolation control in different specifications. IaaS as the lowest cloud service delivery layer has easier possibilities to implement isolation mechanisms. For example, cloud storage services might automatically configure shares only for the one customer with the help of encryption. The private key to decrypt stored data remains at the customer's IT. Other customers which use the same cloud storage service have no access because of the encryption and the missing private key. PaaS provides customers with virtualized computing resources which reside inside a virtual machine. The use of virtualization requires a detailed configuration of the virtualization environment, the virtual machine and the hosted operating system and applications. Before agreeing to PaaS offers, customers should analyze the isolation mechanisms, measures and tools of the cloud service provider. The isolation control for SaaS involves the implementation of a management interface to check and observe all actions on the application and data. With SaaS as the highest cloud service delivery model, customers have few control mechanisms and are dependent on the efforts of the cloud service provider. Nevertheless, whichever cloud service delivery model is used, cloud service providers create trust by making audits of the isolation of data possible. If the customer has enough experience, the internal IT department can handle the audit; otherwise the introduction of a third party with expertise is helpful. A focused audit depending on the service, with some common control mechanisms but also different ones, is required for the hardware and especially the configuration of subscribed applications. This audit should recur regularly in a time period agreed on and signed in the SLAs.

4.14. Order Control

Order control deals with the handling of private data at the cloud service provider. This includes all content data and the metadata. Metadata is all information which is collected and analyzed by the cloud service provider for its own purpose. Yet, it might reveal sensitive information about the cloud service provider's customers and their data. Customers need to know what metadata is collected, what is done with it and how it is secured. So, order control requires transparency for customers to audit the cloud service provider's processes and mechanisms for the protection of the data. It is in the cloud service provider's best interest to ensure audit possibilities for the order control processes. The main point of interest for customers is always the deletion of their data when data is not required anymore or a contract ends. A secure one-time deletion or cleanup of private data is therefore sufficient [Spr08]. Additionally, there must be an agreement about the deletion of private data stored in all backups. Another point of interest for order control is what happens when old hardware is discarded. For security reasons this hardware should be physically destroyed. As a result of the above weaknesses, it is required to agree on certain measures for order control in the SLAs. The goal is a precise definition of what is done around the transmitted and executed private data. Transparency of the cloud service provider and the implemented measures is therefore fundamental.

4.15. Logging

IT-Compliance requires documentation of all operations on private data. This must be executed independent of the cloud service delivery model, operating system and application.
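The following Python code is an added example (not from the thesis or any provider) of how a logging component could treat the input control records of section 4.8: every record must carry the four attributes (who, what, which data, when), the provider's common attribute set is extended by a customer-defined attribute such as the financial sector's transaction number, and the stored records answer who did what to which data and when; the record layout, attribute names, retention value and sample log lines are constructed.

```python
"""Added example: input control records (section 4.8) as a logging
component would have to handle them. The record layout, attribute names,
policy values and sample log lines are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# the four mandatory attributes: who, what, which data, when
REQUIRED = ("user", "action", "data", "timestamp")
# actions named in section 4.8; a provider's common set may be larger
ALLOWED_ACTIONS = {"create", "edit", "delete", "upload", "download"}


@dataclass
class InputControlPolicy:
    """Provider's common attribute set extended by customer-defined attributes."""
    custom_required: tuple = ()                       # e.g. ("transaction_id",) for the financial sector
    retention: timedelta = timedelta(days=365 * 10)   # constructed: ten years, as for tax-relevant documents


def validate_record(record: dict, policy: InputControlPolicy) -> list:
    """Return the defects of a record; an empty list means it is complete."""
    defects = [f"missing {key}" for key in REQUIRED + tuple(policy.custom_required)
               if not record.get(key)]
    action = record.get("action")
    if action and action not in ALLOWED_ACTIONS:
        defects.append(f"unknown action {action!r}")
    timestamp = record.get("timestamp")
    if timestamp:
        try:
            if datetime.fromisoformat(timestamp).tzinfo is None:
                defects.append("timestamp without time zone")   # needed to order events across data centers
        except ValueError:
            defects.append("unparseable timestamp")
    return defects


class AuditLog:
    """Keeps only complete records; incomplete ones are kept aside for the audit trail."""

    def __init__(self, policy: InputControlPolicy):
        self.policy = policy
        self._records = []
        self.rejected = []   # (record, defects)

    def ingest(self, line: str) -> bool:
        record = json.loads(line)
        defects = validate_record(record, self.policy)
        if defects:
            self.rejected.append((record, defects))
            return False
        self._records.append(record)
        return True

    def history_of(self, data: str) -> list:
        """Who did what to this data and when, oldest first."""
        hits = sorted((r for r in self._records if r["data"] == data),
                      key=lambda r: datetime.fromisoformat(r["timestamp"]))
        return [(r["user"], r["action"], r["timestamp"]) for r in hits]

    def actions_by(self, user: str) -> list:
        return [(r["action"], r["data"], r["timestamp"]) for r in self._records if r["user"] == user]

    def expired(self, now_iso: str) -> list:
        """Records older than the retention period (candidates for the deletion agreed in the SLA);
        `now_iso` must carry a time zone offset like the records do."""
        cutoff = datetime.fromisoformat(now_iso) - self.policy.retention
        return [r for r in self._records if datetime.fromisoformat(r["timestamp"]) < cutoff]


# constructed sample log lines: a customer's user, a provider maintenance action,
# one record lacking the required transaction number, one with an action outside the agreed set
SAMPLE_LINES = [
    '{"user": "u1042", "action": "create", "data": "/invoices/2010/0815.pdf", '
    '"timestamp": "2010-03-01T09:12:00+01:00", "transaction_id": "TX-1"}',
    '{"user": "svc-maint", "action": "edit", "data": "/invoices/2010/0815.pdf", '
    '"timestamp": "2010-03-02T22:40:00+01:00", "transaction_id": "TX-2"}',
    '{"user": "u1042", "action": "download", "data": "/invoices/2010/0815.pdf", '
    '"timestamp": "2010-03-03T08:00:00+01:00"}',
    '{"user": "u2001", "action": "rename", "data": "/invoices/2010/0815.pdf", '
    '"timestamp": "2010-03-04T08:00:00+01:00", "transaction_id": "TX-3"}',
]


def build_sample_log() -> AuditLog:
    """Ingest the constructed lines under a financial-sector policy (transaction number required)."""
    log = AuditLog(InputControlPolicy(custom_required=("transaction_id",)))
    for line in SAMPLE_LINES:
        log.ingest(line)
    return log
```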
The result is large quantities of metadata, because logging documents information about all actions that took place on the actual content data. In a traditional environment the level of detail and all logged attributes are configurable and customizable. With cloud computing, control and customization management decreases. Therefore, it is important for customers to talk with their cloud service provider about measures to realize IT-compliance by logging all transactions on the data. On the other hand, cloud service providers must think about their services, their potential and existing customers and their industry sectors. So, the identified legal aspects and frameworks can be integrated into the IT infrastructure and used as a sales argument.

Three more aspects are vital for logging. First, all logged data must be backed up for a certain time period. This time period depends on the regulatory demands and varies, e.g. documents for tax authorities require 10 years. Second, the logged data must be secured, because it allows inference on the content data. It is preferred to apply the same security measures to logged data as to content data. And last, the prompt evaluation of logged data is required for tax authorities and in case of emergency (hacking, disaster, etc.). Cloud service providers are advised to implement complete logging measures and the necessary interfaces for configuration, customization and evaluation. A complete approach offers customers a counterbalance to the loss of control with cloud computing, because tracking of all transactions and the data lifecycle becomes possible. In return, customers should set up a list of requirements of what needs logging and the appropriate time period. This list is compared to the cloud service provider's capability and should match completely.

4.16. Documentation for Development and Release Processes

Cloud computing offers flexibility, and especially the cloud IT infrastructure must fulfill this promise. However, flexibility demands great efforts in adapting the IT infrastructure to market demands. In addition, cloud applications implement numerous interfaces for different technologies. The documentation of the development and executed release processes must convey clarity. This is of special interest for development processes of an IT infrastructure or even a single application that is far from standardized environments, e.g. an IT infrastructure tailored to a certain industry sector. Nevertheless, even IT infrastructures designed with standardized components (hardware and software) require detailed documentation during development for several reasons. First, the development and release process documentation is fundamental as a complete record of the "as-is" situation of development, for error and disaster descriptions, and as a guideline of all intended goals. Second, the documentation is the starting point for analyses and optimizations of the development and release processes for continuous improvement. And third, the documentation is usable for audits, because it answers regulatory questions. Versioning the documentation of the development and release processes is a favorable approach to display the evolution and to have access to all states of the described processes. It is a prerequisite for a well-arranged IT-compliance audit.

4.17. Documentation for Technical and Objective Solutions

The documentation for technical and objective solutions depends on the results of the documentation for development and release processes, because it describes the integration of all, mostly heterogeneous, IT-systems into one integrated IT landscape.
This includes hardware and software, which depend on certain requirements to deliver services. The documentation for technical and objective solutions therefore delivers a detailed overview of the current status (speaking of IT-systems and their physical and virtual integration) and the history of the IT infrastructure. Again, the versioning of the documentation is favorable to have access to the lifecycle and all changes of the IT infrastructure. An integral part of the documentation for technical and objective solutions is the result of standard operation, performance, security and compliance audits. They offer valuable clues to risks, weaknesses and, as a result, future investments into a better suited IT infrastructure.

5. Enquiry of Facts on Popular Cloud Services

"At the bottom, the elimination of spyware and the preservation of privacy for the consumer are critical goals if the Internet is to remain safe and reliable and credible." Cliff Stearns, US American Politician

This chapter deals with the application of the identified IT-compliance criteria to exemplary cloud services. The diversity of cloud services and cloud service delivery models requires a selection. Therefore, choosing three examples, one of each service delivery model (IaaS, PaaS and SaaS), is a good idea. The enquiry of facts is done on Amazon's S3 (IaaS), Google's AppEngine (PaaS) and Salesforce.com's CRM (SaaS). The selected cloud services were chosen because they are popular and widely known to the public.

5.1. Amazon S3 (IaaS)

S3 (http://aws.amazon.com/de/s3/) is a part of Amazon's collection of Web Services (AWS), which was started in 2002. All web services are available via the Amazon.com web page. Most services are transported via Hyper Text Transfer Protocol (HTTP) with Representational State Transfer (REST) and Simple Object Access Protocol (SOAP). S3 itself is a "key-value" based file hosting service.
Stored data (ranging from 1 Byte to 5 GB) is organized in buckets, with a maximum of 100 buckets per user. Buckets can be addressed with a URL. Today, Amazon offers three interfaces (REST, SOAP and BitTorrent) to access data, whereas more interfaces are in development. With this information in mind, the system configuration uses a minimalist functionality approach [Ama10g] and is transparent for the user. Amazon offers storage in different geographic locations. The geographic location in Ireland as an EU country is of interest for Germany, and the regulatory requirements are therefore fulfilled. There is even the feature of restricting data flow to within the EU (the area of interest for this enquiry of facts). Data transmission to other geographic areas lies in the customer's responsibility as a part of transmission control. Both IT-compliance criteria are described with Amazon's S3 functionality [Ama10g]. Logical and permission access control is implemented by Amazon for the file hosting service, too. As a general feature, data can be set to public or private by the customer. In addition, the customer is able to manage (create, modify, delete) users and grant permissions on data. Amazon describes this on their functionality page [Ama10g], and therefore the IT-compliance criteria for logical and permission access control are available, too. Amazon describes its data protection measures in quite some detail [Ama10d]. All customer data is redundantly stored in the IT infrastructure, and thereby transfers (PUT & COPY) are protected. Additionally, integrity features check all data in regular intervals for corruption via checksums. These checksums are used for indexing reasons and to protect data which is stored and in transfer. Secondary data protection is offered with versioning. All data (including all versions) in a bucket is backed up and retrieval is possible [Ama10d].
The availability of versioning adds immutability to the list of fulfilled IT-compliance criteria. The standard retrieval is set to the current version of the data. Amazon has implemented some availability control mechanisms to react to the fulfillment of the S3 SLA [Ama10h], but has no direct monitoring interface for the customer to check on service non-availability. The customer depends on his own experience to become aware when the service fails, and has proof of the failure in the provided logs. A special algorithm, described in the SLA, then calculates the service credits which are credited to the customer. This approach is not customer-friendly and creates additional work and expense. The availability control IT-compliance criterion is therefore not sufficiently fulfilled. In contrast, information about logging is provided in detail for the S3 file hosting service. The Amazon Privacy Notice [Ama10c] is valid for all services that are offered. There are two things of interest for the IT-compliance criteria. First, Amazon uses third parties to carry out tasks (e.g. credit card payment). The customer has no influence on these third parties, nor does he know in detail what personal information is transferred. Good will and corrective information by Amazon [Ama10a] do not change this issue. On the other hand, Amazon describes some more measures. Secure transmission is done via encryption through the Secure Sockets Layer (SSL) to fulfill the transmission control IT-compliance criterion [Ama10b]. And input control by logging can be switched on with the help of the Amazon S3 Developer Guide [Ama10f]. This feature is currently (since 01.03.2006) in beta stage and should be handled with care. Its availability at a beta stage is welcome but inappropriate for productive work. Amazon provides a developer guide [Ama10e] which describes the functionality and possibilities for developers.
The integration of this guide into release processes is part of the developer's job and not Amazon's. Therefore, the responsibility to document the release process after a successful development lies within the developer's domain. Dividing the development and the release aspects, Amazon provides information about the requirements of the IT-compliance criteria. Proceeding to the documentation for technical and objective solutions, Amazon does not provide standalone documentation. Nevertheless, looking at the content of the above mentioned developer's guide, technical solutions and facts about the functionality are written down there. In addition, examples of the functionality are given to provide initial help. A separate documentation for technical and objective solutions might look better for the identification of the IT-compliance criterion, but bringing both documents together in the developer's guide helps users to rely on it. As a result, this IT-compliance criterion is available, too. Amazon's efforts to create transparency have merit. However, two IT-compliance criteria are not mentioned on the published web pages of Amazon and its AWS. First, nothing is mentioned about the physical access controls which are implemented by Amazon to secure their data centers and the physical hardware. Second, isolation is performed by the build-up and configuration of the IT infrastructure. However, information about "how it works" and what control measures exist to verify isolation is not available. As a result, both IT-compliance criteria, physical access control and isolation control, cannot be answered positively. Summing up S3, Amazon is on the right track to create transparency for its cloud service. This might be correct for other offered cloud services, like EC2, too, but was not the subject of this enquiry of facts. There is still work to be done to ensure that IT-compliance is guaranteed.
Companies should look at a detailed analysis and their sector, technical and process background for which they want to use S3. Finally, Amazon should provide audits and standards against which they can be checked for security and compliance.

Table 5.1.: Amazon S3's compliance status according to identified IT-compliance criteria

5.2. Google AppEngine (PaaS)

AppEngine (http://code.google.com/intl/de/appengine/) is Google's platform (PaaS) to develop and host web applications. Available platform languages are Java and Python. AppEngine is hosted completely on Google's IT infrastructure. This enables customers to develop, deploy and administer their web applications very flexibly according to their needs and IT-requirements. Customers are not concerned with the underlying hardware, operating system and update process, because this is Google's responsibility. To increase the acceptance and usage of AppEngine, Google now offers AppEngine for Business [Goo10g]. This business oriented offer features SSL and SQL as additional appeal. Starting the identification of IT-compliance criteria on the Google AppEngine web page is quite difficult. A dedicated web page for compliance issues does not exist. The identification requires investigation throughout the complete Google web page. The introduction of AppEngine provides a detailed overview of the platform and its configuration [Goo10i]. Transparency for the IT-compliance criterion system configuration is for this reason fulfilled. Google provides no explicit SLA for the AppEngine, but a first draft of the SLA for AppEngine for Business. The SLA is detailed and explains all terms when failures and non-availability occur [Goo10b]. As it is still a draft, it is subject to change in the future, but the direction is clear: Google will provide a detailed SLA. Google speaks of benefits when using AppEngine for Business.
Data backup, patches and monitoring of the IT infrastructure are managed for the customer by Google [Goo10j]. The data backup aspect is documented by Google, but there is no detailed information about the backup measures. Two IT-compliance criteria, immutability of documents and input control, are stated in Google’s Terms of Service under section three and are left to the application developer. The developer or provider of the application is responsible for the adequate implementation of measures to secure privacy when inputting data and for the integrity of stored data [Goo10c]. Each AppEngine account offers companies the possibility to configure logical and permission access control via the administration console [Goo10a]. An access control list eases the management of access to application data and the deployment of new code. This is guaranteed, because all developers require an account in the company’s AppEngine domain [Goo10d].

Google’s approach to transmission control for the business AppEngine version is to grant access to applications only to users who are registered in the Google Apps domain [Goo10h]. In addition, Google will implement in the business version the standard use of SSL for secure communication between a company and its Google Apps domain [Goo10h]. Isolation control for AppEngine is configurable by the customer: internal or external applications [Goo10j]. Internal applications are only available to specified users, teams or a company. External applications, on the contrary, have public access. The above mentioned AppEngine administration console provides more valuable features of interest to the IT-compliance criteria. The customer can view the accessed data, logs and the utilized traffic. These features contribute to input control and logging. Second, the administration console allows managing (including browsing) the application’s data store and indices.
Indexing and retrieval of content data is possible without using the corresponding web application.

Google provides an extensive developer’s guide [Goo10f]. This documentation explains in detail the development and release process features. Additionally, information about the management of developed web applications and related instructions is added to round off the developer’s guide. Information about the technical and objective solutions is included, too. Google handles the documentation for development and release processes and the documentation of technical and objective solutions in the same way as Amazon does, by incorporating them into one document. So, both IT-compliance documentation criteria are successfully published for customers.

Google does not provide any information about physical access control to their data centers. Google is a global player and cannot risk a break-in, but as a call for transparency, information about appropriate measures is welcome for compliance reasons. There are two web sites (see [Dat08] and [Pin08]) which collect information about Google’s data centers, but the information is vague and in no way complete. The next IT-compliance criterion on which Google does not provide any information is the dependence on the physical location of customer data. Unlike Amazon, Google offers no feature to restrict data to Germany or the EU. This might be related to the company’s philosophy, but is not helpful for customers in the geographic areas already mentioned. Though, the assumed number of data centers in Germany and the EU would provide a great basis to comply with this IT-compliance criterion. Again, transparency is missing and counts as an unfulfilled criterion. The third unfulfilled IT-compliance criterion is order control. Google states in the terms of service for the AppEngine under section 3.3 that customer data is available to Google [Goo10c].
No reason is given for this, but the recent data security affairs (e.g. see Google Streetview [Hei10]) cast a negative light on Google and compliance issues. In conclusion, for Google and its AppEngine, compliance does not seem to be playing an important part at the moment. Google provides several web pages with information about compliance questions and its Data Security Center web page with information about the handling and use of private data [Goo10e], but there are numerous alternatives to work around data privacy and security questions (e.g. look for "better / improved services"). In addition, Google’s efforts look random and not managed from one source. However, Google’s decision to extend AppEngine for business use with more features displays the right direction. As AppEngine is growing through an evolutionary process, the time for compliance might come, but not in the near future.

Table 5.2.: Google AppEngine’s compliance status according to identified IT-compliance criteria

5.3. Salesforce.com (SaaS)

Salesforce.com is a software developer and provider of development platforms for cloud computing business applications. The focus lies on its Customer Relationship Management (CRM) SaaS application. Additionally, Salesforce.com provides with force.com a platform for the development of business SaaS applications. Both offers are provided via the Internet. Salesforce.com is market leader and one of the fastest growing technology enterprises. They realized early the importance of cloud computing and especially of security and compliance requirements as a success factor for business. Therefore, Salesforce.com provides an extra web page called trust.Salesforce.com (www.trust.salesforce.com) with detailed information and appropriate security, privacy and policy accreditations. Salesforce.com describes in quite some detail the system configuration measures to safeguard their customer information.
Therefore, they provide information about environmental controls, power, the network and its protection, and fire detection and suppression [Sal10e]. A third party company regularly scans the baseline configuration to identify unwanted changes quickly. The physical access control for Salesforce.com’s data centers is transparent: "24-hour manned security, ... biometric scanning for access, ... video surveillance" are just a few of the mentioned security measures [Sal10e]. So, it is good to see that a lot of effort for data security starts at the physical boundaries around the data centers.

Salesforce.com invests a lot in availability control. This starts with geographically distributed data centers around the globe, redundant network connections, replication between data centers and disaster recovery data centers [Sal10e]. In addition, Salesforce.com monitors the status of the IT infrastructure and all running applications 24 hours a day, 7 days a week to guarantee a smooth execution of its production environment. The status of the IT infrastructure is available to the public [Sal10f]. Backup and restart processes for disaster recovery precautionary measures are tested and continuously improved.

The dependence on physical location is a rather difficult topic for Salesforce.com, because there is no data center in Europe at this time (although one is planned!). A workaround for European customers is provided by falling back on the US-EU & Swiss Safe Harbor agreement (see [Exp09]). Each company interested in Salesforce.com’s offers has to decide on its own whether the Safe Harbor agreement is enough for security and compliance.

Interactions and completed transactions on the Salesforce.com applications are logged with creator, last updater, timestamps and originating IP address [Sal10g]. Therefore, input control and logging are performed in a transparent way that allows the life cycle of all content data to be reconstructed.
Accompanying this information are customizable settings for the logical and permission control. Each user requires a username and password and is assigned to a certain permission level. The username / password combination is standard, while the configuration of the permission and password rules is part of the customer’s responsibility [Sal10g, Sal10e]. Transmissions are secured with state of the art technologies like SSL 3.0 / TLS 1.0, globally verified signatures and individual user sessions for a clear separation of each transaction [Sal10e]. Again, all information is monitored and logged for potential traceability.

Another important part is the separation of data in a multi-tenant environment and the isolation control. Salesforce.com provides logical separation so that each customer has access only to his own data. Some implemented measures are hardware and software configuration, non-predictable session timeout values, password policies and user profiles [Sal10g].

Order control and the transmission of private data to third parties is a critical part of cloud computing. Salesforce.com does not transmit any private or personally identifiable information for marketing or financial purposes. The only exceptions are sub-contractors who work on Salesforce.com’s behalf [Sal10d]. Information about third parties which have a business or contractor relationship with Salesforce.com is not given. This is a disadvantage which needs further investigation by potential customers, as it might result in a security and privacy issue.

The documentation for development and release processes and, secondly, for technical and objective solutions is provided by Salesforce.com with a Question & Answer and Development community module on the web page [Sal10a]. A more detailed resource for information about development on the force.com platform is implemented, too.
This documentation is intentionally separated and called developer.force.com [Sal10c]. So, the documentation for both IT-compliance criteria is fulfilled.

Salesforce.com makes great efforts for security and compliance, but there are still some open questions. There is no, or only vague, information published about indexing and retrieval or the immutability of documents. A possible explanation for this is the cloud service model SaaS, because information is stored in the background in databases. The customer has no influence on this database or on the configuration of the underlying IT infrastructure when using the SaaS service model.

Figure 5.1.: Salesforce.com’s certifications [Sal10h]

Despite three unfulfilled IT-compliance criteria, Salesforce.com offers detailed and extensive information about their security and compliance measures. The often apparent gap between security and compliance is recognized by Salesforce.com. Additionally, local and geographic differences of a political and regulatory nature are identified and subject to continuous improvement. Furthermore, they hold the most important international accreditations linked with cloud computing for security and compliance, like SAS 70 Type II or ISO 27001 (see figure 5.1).

Table 5.3.: Salesforce.com’s compliance status according to identified IT-compliance criteria

5.4. General Result of the Enquiry of Facts for Cloud Computing Services

The enquiry of facts displays different results for each investigated cloud service provider. In general, all three cloud service providers describe data security and IT-compliance features in "some" way. However, there is a big difference between Amazon, Google and Salesforce.com.
Depending on the investigated cloud services, ranking all three cloud service providers from bottom to top draws the following picture: Google disregards data security and IT-compliance and is more focused on unlocking new business opportunities and markets; Amazon, on the other hand, has already reached a higher maturity level where data security and IT-compliance are starting to affect their cloud service business; last, and ranked highest, Salesforce.com has recognized the importance of trust, which is earned with IT-compliant data security.

Figure 5.2 displays the coherence between the data security IT-compliance maturity level and the corresponding demand for it. In addition, it divides the data security IT-compliance maturity level into three domains:

• No IT-compliance and no accreditations
• Partial IT-compliance and accreditations
• Complete IT-compliance including accreditations

Google and Amazon range in the first domain without current IT-compliance. Salesforce.com has already made a big step towards complete IT-compliance, but is still stuck in the second domain.

Figure 5.2.: The maturity level of the three different analysed cloud services and the appropriate customer demand

Google provides with its AppEngine and its business extension a platform cloud service which is oriented towards the technologically best possible. In doing so, Google AppEngine joins the queue of the steadily growing product and service portfolio of Google. IT-security, IT-compliance or even standalone data security plays a subordinate role in this business model. Available information about the mentioned IT aspects is distributed across the different Google web pages and is pitched at a very technological and administrative level to offer a foundation for working in a multi-tenant IT infrastructure via the Internet.
Business to Consumer (B2C) requires only the consent of a private person (see §4a BDSG) and is not bound to other regulatory frameworks. Here, Google AppEngine provides a great deal for private persons or start-ups to use an appropriate IT infrastructure for developing and offering a web application on demand. On the other hand, Business to Business (B2B) requires not only the applicable law but, depending on the sector, special regulations. So, the requirements are more complex and therefore not fulfilled. At the moment, Google is presumably pursuing two goals. First, the above mentioned unlocking of new businesses and markets and, second, a public road map to identify new and existing challenges for improvement. When an extensive maturity level is reached, Google will implement the demands of business customers into Google AppEngine in terms of data security and IT-compliance. A first step in this direction has already been taken with the announcement of Google AppEngine for Business. Looking at current possible fields of operation, Google AppEngine is applicable for development and working with web applications which incorporate no private and sensitive data. Here Google’s AppEngine shines with cloud computing advantages and benefits.

Amazon’s infrastructure service Amazon S3 has already reached a certain technological maturity level. Basically, this originates in the cloud service delivery level and Amazon S3’s classification. However, the alignment of Amazon S3 to IT-compliance is still at a starting level. The awareness that customers don’t trust public cloud services makes the implementation of security and IT-compliance features necessary. Nevertheless, Amazon S3 is more advanced than Google’s AppEngine. This is displayed in the consolidation of information in a common place and a clear arrangement around the service.
Additionally, Amazon describes the need for IT-compliance with a rough concept. A good example is Amazon’s feature to restrict data transmission to within the EU with their data center in Ireland. Again, as with Google’s AppEngine, a differentiation between B2C and B2B is necessary. The usage of Amazon S3 is possible with the consent of a private person. On the other hand, B2B requires IT-compliance and this is not guaranteed at the moment. In the long run, Amazon has already analyzed and identified customers’ demand for data security and reacts accordingly. The revised version of a compliant Amazon S3 service will still need some time for realization, but the pressure of business customers will shorten this process. Summing up, Amazon will still face many obstacles before being data security IT-compliant. Despite all negative aspects, a possible area of application for B2B is still given when no private or sensitive data is stored on Amazon’s S3. This applies e.g. to huge amounts of unsorted test / development results or documents, presentations, whitepapers, etc.

The enquiry of facts for Salesforce.com was, in contrast to Google and Amazon, very positive. Salesforce.com’s business model of cloud services and its ten years of experience have created more understanding for IT-compliance. The need and demand of customers for compliance is recognized and Salesforce.com invests a lot to offer compliant services which are easy to integrate into a customer’s business. Therefore Salesforce.com has two strategies: first, accreditation with international (VeriSign Secured, TRUSTe Certified Privacy, SysTrust, US-EU Safe Harbor, ISO 27001) and national (SAS 70 Type II) standards to have a known and accepted basis for security and compliance; second, Salesforce.com provides as much transparency as possible.
This combination enables customers to get in touch easily with Salesforce.com, and the cloud service provider changes from an anonymous entity to a trusted supplier of (critical) services. As trust between a cloud service provider and a customer is a key enabler for cloud computing, Salesforce.com has already earned a good reputation (see the list of customer success stories [Sal10b]). However, despite all these transparency efforts and awarded accreditations, Salesforce.com still requires some more investment in IT-compliance. But there is no doubt that Salesforce.com is determined to reach complete IT-compliance in the near future.

Summing up the enquiry of facts, the analysis of Google, Amazon and Salesforce.com displays a mixed picture of data security IT-compliance for the selected cloud services. Cloud computing is an interesting and seminal topic which offers lots of potential for businesses. However, the two big questions of the security of private data and hence the resulting IT-compliance of all measures are still evaluated differently across cloud service providers. A possible reason for this is the alignment of the offered cloud services either towards B2C or B2B. At the moment, Google is more B2C oriented, because the distinct impression is that IT-compliance plays only a secondary role. Nevertheless, they will start a business version of their cloud service in the near future which is B2B oriented and might be used as an accelerator for the implementation of IT-compliance. On the other hand, Amazon has already taken IT-compliance to the next level with the creation of higher transparency for their compliance efforts. Proceeding further, Salesforce.com is well on its way to being compliant with international and national regulations and has a huge head start. Despite all efforts and today’s results, the implementation of the investigated cloud services does not answer the question of IT-compliance positively for Germany.
The technological advance of cloud computing is still suffering from a lack of trust [Com10c]. Businesses with high IT-compliance requirements are advised to analyse alternative cloud services in detail. The following chapter 6 gives recommendations for being compliant with current data security regulations. Nevertheless, the future is cloud computing, because it is the industrialization of IT; but it will take some time to establish an adequate IT-compliance level throughout clouds.

6. IT-Compliance Recommendations for Cloud Computing

"I don’t have a particular recommendation other than that we base decisions on as much hard data as possible. We need to carefully look at all the options and all their ramifications in making our decisions."
Dorothy E. Denning, Information Security Researcher

The enquiry of facts in chapter 5 revealed IT-compliance deficiencies in cloud services. However, cloud computing will be an important part of the further usage of IT for business on a strategic, tactical and technological level. Hence, this chapter gives some recommendations to merge cloud computing and IT-compliance. These recommendations are split into three sub-domains. First, some recommendations are made which are applicable for cloud computing in general and help to gain experience. Second, choosing the correct cloud deployment model to start with offers security and compliance. And third, the step to integrate external cloud services demands detailed agreement on SLAs.

6.1. General Recommendations

The introduction of IT-compliant business processes is a complex matter. Furthermore, the introduction of a new technological architecture or design, particularly of cloud computing, raises the complexity even more. Designing a system to master this challenge is difficult and not unique, but the approach to it might differ with every business.
Nevertheless, some features of this system can be discovered in general and used to enhance the development process. During research and writing of this master’s thesis, some general recommendations were identified. These are described below.

1. Legal Norms
Legal norms play an important part in today’s commerce, and their identification and their impact on IT are required as a first step. Classifying the applicable legal norms for businesses in accordance with their legal form, industry sector and geographic location helps to identify relevant laws.

2. Corporate & IT-Governance
Each company has developed a business and moral code (company philosophy) and agrees on guidelines, frameworks and best practices. The identification and clarification of these aims displays the targeted scope in which the business operates. Apart from legal norms, these are the auxiliary boundaries of a business.

3. Affected Business Processes & IT-Services
Cloud computing offers the integration of cloud IT-services and their support into business processes. The identification of IT-supported business processes and comprehensive IT-services and their requirements builds the basis for the integration of cloud services. In addition, their impact on related business processes becomes clear.

4. Risk Management
Changing business and IT processes demands the assessment of risks and their damage potential to the affected business processes as a consequence of missing or deficient compliance. The results of this assessment not only play a critical part in the integration of cloud computing, but also provide vital information for its prevention.

5. IT-Compliance Requirements of Cloud Service Providers
The fulfillment of IT-compliance requirements forms an integral part of each external and internal cloud service provider as well as technical groups.
Therefore, the business has to list all necessary IT-compliance requirements and match them with the IT-compliance features the cloud service provider already fulfills. Only the complete fulfillment of IT-compliance requirements is acceptable.

6. Enduring IT-Compliance
The analysis of measures for enduring IT-compliance plays an important role right from the initial phase of considering the integration of cloud computing. In doing so, technical, organizational, personnel and contractual measures need analysis and description. These measures have great influence on the selection of cloud service providers.

7. Success Consolidation
Planning the introduction of IT-compliant cloud computing demands further measures if the initial case is successful. A process, similar to best practices in security and risk management, has to be established and ensured to provide a standardized environment for further cloud computing enhancements.

8. Conclusions Based on a Continuous Optimization Process
The results of the continuous optimization process have to be discussed and implemented in future steps. Moreover, documentation which describes optimizations, follow-up measures and reviews provides an adequate overview. On the other hand, the documentation provides evidence of IT-compliance efforts.

Summing up the general recommendations for IT-compliant cloud computing, a systematic approach ensures help, better results of the implementation and the benefits of the adoption of cloud services into business. The IT-compliance criteria, defined in chapter 3.2, build a basis for merging legal and IT knowledge to understand and contribute to IT-compliance.

6.2. Migration Strategy for Cloud Computing

The enquiry of facts in chapter 5 reveals weaknesses in IT-compliant data security of the popular cloud services of Amazon, Google and Salesforce.com, but these cloud services are offered via public cloud deployment models. An alternative to focus on IT-compliance and still use the benefits of cloud computing is the private cloud deployment model. The transformation of the traditional IT infrastructure towards a private cloud demands several preparatory steps, beginning with virtualization of the IT infrastructure. In addition, the approach towards a Service-Oriented Architecture (SOA) has gained acceptance in terms of easy, transparent and manageable application landscapes. Other features for cloud computing and especially a private cloud are discussed in chapter 2.7.2. The technical result of the private cloud implementation as a first step is maintaining the IT infrastructure on premise and having full control. Additionally, data security in the private cloud corresponds to the traditional IT infrastructure, because no data leaves the business boundaries and is therefore protected. Finally, companies transforming their IT infrastructure into a private cloud gain experience and create knowledge about pros and cons and further opportunities in cloud computing.

The next few paragraphs are a general forecast about the possibility of cloud computing evolving and reaching a mature stage. As cloud computing has already passed being "just another hype", work on compliance and data security issues is now starting. Yet, no satisfactory solutions have been published or implemented. A time period of at least up to five years is required to develop frameworks and solutions for these issues. In any case, companies can go on after implementing the private cloud by moving internal services, where no private data is required, to public cloud service providers.
This step transforms the private cloud into a hybrid cloud (again see chapter 2.7.3) and still avoids non-compliance. When provisioning public cloud services, SLAs become very important as contracts for service performance.

6.3. Customized Service Level Agreements

SLAs are very popular to document the agreed details of IT services. Looking at cloud computing, one promise is self-provisioning, in which standard SLAs are used as contracts between customer and cloud service provider. Usually, these SLAs display a stark contrast between the cloud service provider’s interests and the customer’s needs. The cloud service provider likes to have as little responsibility and liability as possible, and vice versa for the customer. However, customers agreeing to these SLAs endanger their business and the continuity of their IT services. Trust and transparency build a basis for cloud computing, and this is displayed in SLAs, too. Customers should not hesitate to discuss their requirements. A good start is the recommendations made in chapter 6.1.

Hence, the recommendation for companies with interest in external cloud services is the negotiation of customized SLAs. A good start is the use of the standard SLA provided by the cloud service provider. Based on the standard SLA, customizations answer in detail questions about technical performance, backup, risks, liability, legal issues, escalation and sub-providers. It is important to work out detailed and customized SLAs to answer all open customer questions. Customers should turn their attention especially to legal and compliance issues. Professional cloud service providers will publish background information about implemented security measures. In addition, they even allow audits not only once, but on a regular basis (see chapter 5.3 for Salesforce.com’s efforts in doing so). This should be documented in the SLA for clarity as well.

7. Conclusion

"A person with a new idea is a crank until the idea succeeds."
Mark Twain, Writer

This chapter sums up the research results of the master’s thesis and comes to a conclusion. In addition, a forecast for further research work is given at the end. Interested readers can adapt the provided basic approaches to their needs.

7.1. Achieved Results

Cloud computing is a recent, but very promising design and architectural concept for business and IT. Numerous questions for development and implementation have not been answered yet. Especially issues concerning governance, risk and compliance are difficult to answer. Not answering the open questions of interested companies might result in the failure of cloud computing. This master’s thesis helps to contribute to its success. The chosen topic of IT-compliant data security is an integral part where research is required. This master’s thesis provides an analysis of the current state of IT-compliance for cloud computing.

The first chapter starts with a short introduction to the current state of business and IT. Governance, risk and compliance are becoming more and more important and can determine a company’s success. Out of this extensive domain, the focus is placed on the motivation towards IT-compliance, as it is one of the contemporary main concerns. Next, chapter 2 describes and defines cloud computing. In doing so, a comprehensive collection of information about cloud computing is achieved. This collection describes key technologies, a definition of cloud computing, drivers to cloud adoption, service delivery models, deployment models and the impact of cloud computing. In addition, adoption barriers to cloud computing account for the motivation of this master’s thesis, and future challenges are listed. The following chapter 3 introduces the impact of IT-compliance and restricts the compliance issues to data security.
This focus was difficult to achieve, as IT-compliance in combination with cloud computing is, at the moment, a question without any satisfying answers. Nevertheless, a collection of data security and IT-compliance criteria is built up by investigating the four main columns availability, integrity, confidentiality and verifiability. At the end, a quick overview of German audit standards which deal with cloud computing is provided. Tying in with the above mentioned chapter, chapter 4 creates a translation of the defined IT-compliant data security criteria into abstract IT-requirements. This transformation process is rather elementary, but provides useful information, because it connects legal and IT interests. This allows further research on both levels, which has become of interest in practice.

Next, chapter 5 applies the research results in an enquiry of facts to Amazon’s S3, Google’s AppEngine and Salesforce.com’s CRM cloud services for analysis of IT-compliance. The result is disillusioning and confirms the motivation of this master’s thesis. None of the three above mentioned popular cloud service providers offers compliant cloud services according to German laws. However, there is a difference between the three cloud service providers. Salesforce.com performs best and shows the way to go for offering data security IT-compliance with cloud computing in the near future. In spite of this negative enquiry of facts, cloud computing is still an option when some recommendations are applied. The last chapter 6 summarizes the lessons learned during research and gives recommendations. These recommendations include some general information about approaching compliance and cloud computing, choosing a private cloud as preference and the composition of customized SLAs.

Summarizing the motivation of this master’s thesis, it is confirmed that IT-compliance, especially in data security concerns, is not guaranteed yet.
There is no standard certification, audit, process or approach which deals with privacy and compliance. However, following the Latin saying ”divide et impera”, it is possible to achieve this by slicing the complete topic of cloud computing into smaller parts which have already been researched and which provide IT-compliance. This master’s thesis attempts to deliver appropriate recommendations for these positive cases. In addition, going a step back, the required IT-compliant data security criteria are named and offer the possibility to build on them on an individual, case-by-case basis. For this reason, this master’s thesis provides a fundamental benefit for IT as well as business-related persons who operate in the governance, risk and compliance domain and are exposed to cloud computing.

7.2. Forecast

Despite the cloud computing hype and its related expectations, it is difficult to picture a common future. Cloud computing enables IT worldwide to interact in a very flexible and rapid way. This demands complete governance and permanent compliance, depending on national circumstances and geographic location. It is the concern of this master’s thesis to provide a substantial starting point on which further research on IT-compliance for cloud computing can be based. Having researched IT-compliance for cloud computing and drawn a conclusion in the form of recommendations for Germany, the next step might be the development of a framework to manage, support and control the efforts of companies when implementing IT-compliance. This framework has to be integrated into all governance, risk and compliance strategies in order to reach and complete all aspects of data security. A good start is to focus on Germany and, at a later stage, the EU, because awareness and the intention for data security are provided in common through legislation.
Building on the experience of this German and EU data security IT-compliance framework, expansion to other nations and geographic locations is mandatory to fulfil cloud computing’s international requirements. The benefit achieved is not only useful in a business environment, but in general for everyone. Better data security, which is also transparent for compliance reasons, is a great achievement for IT in times where information requires only a few seconds to travel around the world, thus becoming more complex and, as a result, vulnerable to cyber-crime.

A. Appendix

A.1. Table of Laws

There is no comprehensive translation into English available for all German laws. Nevertheless, the Federal Ministry of Justice provides a website with some translations of differing source and quality [dJ10]. Interested readers must be aware of differences in language and meaning.

A.1.1. German Civil Code (Bürgerliches Gesetzbuch - BGB)

§ 126 par. 1 BGB / § 126 Abs. 1 BGB
(1) If written form is prescribed by statute, the document must be signed by the issuer with his own hand by signature of his name or by means of a notarially certified mark.

§ 126a par. 1 BGB / § 126a Abs. 1 BGB
(1) If the written form prescribed by statute is to be replaced by the electronic form, the issuer of the declaration must add his name to it and provide the electronic document with a qualified electronic signature in accordance with the Signature Act.

§ 197 BGB
(1) Unless otherwise provided, the following become time-barred after 30 years:
1. claims for restitution arising from ownership, other rights in rem, §§ 2018, 2130 and 2362, and the claims that serve to enforce the claims for restitution,
2. (repealed)
3. claims that have been established by final judgment,
4. claims arising from enforceable settlements or enforceable documents,
5. claims that have become enforceable by their determination in insolvency proceedings, and
6. claims for reimbursement of the costs of compulsory enforcement.
(2) Insofar as claims under subsection (1) nos. 3 to 5 have as their subject regularly recurring performances falling due in the future, the regular limitation period takes the place of the 30-year limitation period.

§ 611 par. 1 BGB / § 611 Abs. 1 BGB
(1) By a service contract, the person who promises services is obliged to perform the promised services and the other party is obliged to grant the agreed remuneration.

§ 823 par. 1 BGB / § 823 Abs. 1 BGB
(1) A person who, intentionally or negligently, unlawfully injures the life, body, health, freedom, property or another right of another person is obliged to compensate the other person for the damage arising from this.

A.1.2. Code of Civil Procedure (Zivilprozessordnung - ZPO)

§ 286 par. 1 ZPO / § 286 Abs. 1 ZPO
(1) Taking into account the entire content of the hearings and the result of any taking of evidence, the court shall decide according to its free conviction whether a factual allegation is to be regarded as true or not true. The judgment shall state the reasons that guided the judicial conviction.

§ 371 par. 1 ZPO / § 371 Abs. 1 ZPO
(1) Evidence by visual inspection is offered by designating the object of inspection and stating the facts to be proven. If an electronic document is the object of the evidence, the evidence is offered by presenting or transmitting the file.

A.1.3. German Commercial Code (Handelsgesetzbuch - HGB)

§ 238 par. 1 HGB / § 238 Abs. 1 HGB
(1) Every merchant is obliged to keep books and to make his commercial transactions and the state of his assets apparent in them in accordance with the principles of proper bookkeeping. The bookkeeping must be such that it can give a competent third party an overview of the business transactions and of the situation of the enterprise within a reasonable time. It must be possible to trace the business transactions in their origin and settlement.

§ 239 par. 2 HGB / § 239 Abs. 2 HGB
(2) The entries in the books and the other necessary records must be made completely, correctly, in a timely manner and in an orderly fashion.

§ 239 par. 3 HGB / § 239 Abs. 3 HGB
(3) An entry or a record may not be altered in such a way that the original content can no longer be ascertained. Nor may alterations be made whose nature leaves it uncertain whether they were made originally or only later.

§ 243 par. 2 HGB / § 243 Abs. 2 HGB
(2) It must be clear and well-arranged.

§ 246 par. 1 HGB / § 246 Abs. 1 HGB
(1) The annual financial statements must contain all assets, liabilities, prepaid expenses and deferred income as well as expenses and income, unless otherwise provided by law. Assets are to be included in the balance sheet of the owner; if an asset is to be attributed economically not to the owner but to another person, that person must show it in his balance sheet. Liabilities are to be included in the balance sheet of the debtor. The amount by which the consideration given for the takeover of an enterprise exceeds the value of the individual assets of the enterprise less its liabilities at the time of the takeover (goodwill acquired for consideration) is deemed to be an asset with a limited useful life.

§ 257 par. 1 HGB / § 257 Abs. 1 HGB
(1) Every merchant is obliged to retain the following documents in an orderly manner:
1. commercial books, inventories, opening balance sheets, annual financial statements, individual financial statements pursuant to § 235 Abs. 2a, management reports, consolidated financial statements, group management reports and the work instructions and other organizational documents required for their understanding,
2. the commercial letters received,
3. reproductions of the commercial letters sent,
4. vouchers for entries in the books to be kept by him pursuant to § 238 Abs. 1 (accounting vouchers).

§ 257 par. 3 HGB / § 257 Abs. 3 HGB
(3) With the exception of the opening balance sheets and financial statements, the documents listed in subsection (1) may also be retained as reproductions on an image carrier or on other data carriers, provided this complies with the principles of proper bookkeeping and it is ensured that the reproductions or the data
1. correspond pictorially to the commercial letters received and the accounting vouchers, and in content to the other documents, when they are made legible,
2. are available throughout the retention period and can be made legible at any time within a reasonable period.
If documents have been produced on data carriers on the basis of § 239 Abs. 4 Satz 1, the data may also be retained in printed form instead of the data carrier; the printed documents may also be retained in accordance with sentence 1.

§ 257 par. 4 HGB / § 257 Abs. 4 HGB
(4) The documents listed in subsection (1) nos. 1 and 4 must be retained for ten years, the other documents listed in subsection (1) for six years.

A.1.4. Tax Code (Abgabenordnung - AO)

§ 147 par. 1 AO / § 147 Abs. 1 AO
(1) The following documents must be retained in an orderly manner:
1. books and records, inventories, annual financial statements, management reports, the opening balance sheet and the work instructions and other organizational documents required for their understanding,
2. the commercial or business letters received,
3. reproductions of the commercial or business letters sent,
4. accounting vouchers,
4a. documents to be attached to a customs declaration submitted by means of data processing pursuant to Article 77(1) in conjunction with Article 62(2) of the Customs Code, provided the customs authorities have waived their presentation pursuant to Article 77(2) sentence 1 of the Customs Code or have returned them after presentation,
5. other documents insofar as they are of significance for taxation.

§ 147 par. 2 AO / § 147 Abs. 2 AO
(2) With the exception of the annual financial statements, the opening balance sheet and the documents under subsection (1) no. 4a, the documents listed in subsection (1) may also be retained as reproductions on an image carrier or on other data carriers, provided this complies with the principles of proper bookkeeping and it is ensured that the reproductions or the data
1. correspond pictorially to the commercial or business letters received and the accounting vouchers, and in content to the other documents, when they are made legible,
2. are available at any time throughout the retention period and can be made legible without delay and evaluated by machine.

§ 147 par. 5 AO / § 147 Abs. 5 AO
(5) Anyone who presents documents that must be retained in the form of a reproduction on an image carrier or on other data carriers is obliged to provide, at his own expense, the aids required to make the documents legible; at the request of the tax authority, he must, at his own expense, print out the documents in whole or in part without delay or furnish reproductions that are legible without aids.

§ 147 par. 6 AO / § 147 Abs. 6 AO
(6) If the documents under subsection (1) have been created with the aid of a data processing system, the tax authority has the right, within the scope of an external audit, to inspect the stored data and to use the data processing system to examine these documents. Within the scope of an external audit, it may also demand that the data be evaluated by machine according to its specifications or that the stored documents and records be made available to it on a machine-readable data carrier. The costs are borne by the taxpayer.

A.1.5. Value Added Tax Act (Umsatzsteuergesetz - UStG)

§ 14 par. 3 UStG / § 14 Abs. 3 UStG
(3) In the case of an invoice transmitted electronically, the authenticity of the origin and the integrity of the content must be guaranteed by
1. a qualified electronic signature or a qualified electronic signature with provider accreditation in accordance with the Signature Act of 16 May (BGBl. I p. 876), as amended by Article 2 of the Act of 16 May 2001 (BGBl. I p. 876), in the version in force at the time, or
2. electronic data interchange (EDI) in accordance with Article 2 of Commission Recommendation 94/820/EC of 19 October 1994 relating to the legal aspects of electronic data interchange (OJ EC No. L 338 p. 98), if the agreement on this data interchange provides for the use of procedures that guarantee the authenticity of the origin and the integrity of the data.

A.1.6. German Signature Act (Gesetz über Rahmenbedingungen für elektronische Signaturen - SigG)

§ 17 SigG
(1) Secure signature creation units must be used for the storage of signature keys and for the creation of qualified electronic signatures; they must reliably reveal forgeries of signatures and falsifications of signed data and protect the signature keys against unauthorized use. If the signature keys are generated on a secure signature creation unit itself, subsection (3) no. 1 applies accordingly.
(2) For the presentation of data to be signed, signature application components are required that clearly indicate in advance the creation of a qualified electronic signature and make it possible to establish to which data the signature relates. For the verification of signed data, signature application components are required that make it possible to establish
1. to which data the signature relates,
2. whether the signed data are unchanged,
3. to which signature key holder the signature is to be attributed,
4. what content the qualified certificate on which the signature is based and the associated qualified attribute certificates have, and
5. what result the verification of certificates pursuant to § 5 Abs. 1 Satz 3 has produced.
Signature application components must, as required, also make the content of the data to be signed or already signed sufficiently recognizable. Signature key holders should use such signature application components or take other suitable measures to secure qualified electronic signatures.
(3) The technical components for certification services must contain precautions in order to
1. guarantee the uniqueness and secrecy of the signature keys when they are generated and transferred and to exclude storage outside the secure signature creation unit,
2. protect qualified certificates that are kept verifiable or retrievable pursuant to § 5 Abs. 1 Satz 3 against unauthorized alteration and unauthorized retrieval, and
3. exclude forgeries and falsifications when generating qualified time stamps.
(4) Fulfilment of the requirements under subsections (1) and (3) no. 1 and of the statutory ordinance under § 24 must be confirmed by a body under § 18. For fulfilment of the requirements under subsections (2) and (3) nos. 2 and 3, a declaration by the manufacturer of the product for qualified electronic signatures is sufficient. The manufacturer must deposit a copy of his declaration in written form with the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways (Bundesnetzagentur) at the latest at the time the product is placed on the market. Manufacturer declarations that comply with the requirements of the Act and of the statutory ordinance under § 24 are published in the Official Gazette of the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways.

A.1.7. Product Liability Act (Produkthaftungsgesetz - ProdHaftG)

§ 1 par. 1 ProdHaftG / § 1 Abs. 1 ProdHaftG
(1) If, as a result of a defect in a product, a person is killed or his body or health is injured, or an item of property is damaged, the manufacturer of the product is obliged to compensate the injured party for the resulting damage. In the case of damage to property, this applies only if an item other than the defective product is damaged and this other item is of a kind ordinarily intended for private use or consumption and was mainly used by the injured party for this purpose.

§ 1 par. 3 ProdHaftG / § 1 Abs. 3 ProdHaftG
(3) The obligation of the manufacturer of a component to pay compensation is furthermore excluded if the defect was caused by the design of the product into which the component was incorporated or by the instructions of the manufacturer of the product. Sentence 1 applies accordingly to the manufacturer of a raw material.

§ 1 par. 4 ProdHaftG / § 1 Abs. 4 ProdHaftG
(4) The injured party bears the burden of proof for the defect, the damage and the causal connection between defect and damage. If it is disputed whether the obligation to pay compensation is excluded under subsection (2) or (3), the manufacturer bears the burden of proof.

§ 13 par. 1 ProdHaftG / § 13 Abs. 1 ProdHaftG
(1) The claim under § 1 expires ten years after the time at which the manufacturer placed the product that caused the damage on the market. This does not apply if legal proceedings or dunning proceedings concerning the claim are pending.

A.1.8. Limited Liability Company Act (GmbH-Gesetz - GmbHG)

§ 43 par. 1 GmbHG / § 43 Abs. 1 GmbHG
(1) The managing directors must apply the diligence of a prudent businessman in the affairs of the company.

§ 43 par. 2 GmbHG / § 43 Abs. 2 GmbHG
(2) Managing directors who breach their duties are jointly and severally liable to the company for the damage incurred.

§ 43 par. 4 GmbHG / § 43 Abs. 4 GmbHG
(4) Claims under the foregoing provisions become time-barred after five years.

A.1.9. German Stock Companies Act (Aktiengesetz - AktG)

§ 91 par. 2 AktG / § 91 Abs. 2 AktG
(2) The management board must take suitable measures, in particular set up a monitoring system, so that developments endangering the continued existence of the company are recognized early.

§ 93 par. 1 Satz 1 AktG / § 93 Abs. 1 Satz 1 AktG
(1) In conducting business, the members of the management board must apply the diligence of a prudent and conscientious manager. [...]

§ 93 par. 2 AktG / § 93 Abs. 2 AktG
(2) Members of the management board who breach their duties are obliged, as joint and several debtors, to compensate the company for the resulting damage. If it is disputed whether they applied the diligence of a prudent and conscientious manager, they bear the burden of proof. If the company takes out insurance to cover a member of the management board against risks arising from his professional activity for the company, a deductible of at least 10 percent of the damage, up to at least one and a half times the fixed annual remuneration of the management board member, must be provided for.

A.1.10. Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG)

§ 3 par. 1 BDSG / § 3 Abs. 1 BDSG
(1) Personal data are individual items of information on the personal or factual circumstances of an identified or identifiable natural person (data subject).

§ 4 par. 1 BDSG / § 4 Abs. 1 BDSG
(1) The collection, processing and use of personal data are permissible only insofar as this Act or another legal provision permits or orders it, or the data subject has consented.

§ 9 BDSG
Public and non-public bodies that collect, process or use personal data themselves or on behalf of others must take the technical and organizational measures necessary to ensure the implementation of the provisions of this Act, in particular the requirements named in the annex to this Act. Measures are necessary only if their expense is in reasonable proportion to the intended protective purpose.

§ 20 par. 2 BDSG / § 20 Abs. 2 BDSG
(2) Personal data that are processed automatically or stored in non-automated files must be erased if
1. their storage is impermissible, or
2. knowledge of them is no longer required by the controller for the fulfilment of the tasks within its competence.

§ 20 par. 3 BDSG / § 20 Abs. 3 BDSG
(3) Erasure is replaced by blocking insofar as
1. statutory, charter-based or contractual retention periods preclude erasure,
2. there is reason to assume that erasure would impair legitimate interests of the data subject, or
3. erasure is not possible, or possible only with disproportionate effort, because of the particular nature of the storage.

A.1.11. Attachment (to § 9 sentence 1 BDSG / zu § 9 Satz 1 BDSG)

If personal data are processed or used automatically, the internal organization of the authority or enterprise must be designed so that it meets the particular requirements of data protection. In particular, measures must be taken that, depending on the nature of the personal data or data categories to be protected, are suitable
1. to deny unauthorized persons physical access to data processing facilities with which personal data are processed or used (physical access control),
2. to prevent data processing systems from being used by unauthorized persons (system access control),
3. to ensure that persons authorized to use a data processing system can access only the data subject to their access authorization, and that personal data cannot be read, copied, altered or removed without authorization during processing and use and after storage (data access control),
4. to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it can be verified and established to which bodies a transfer of personal data by means of data transmission facilities is envisaged (transfer control),
5. to ensure that it can be subsequently verified and established whether and by whom personal data have been entered into, altered in or removed from data processing systems (input control),
6. to ensure that personal data processed on behalf of others can be processed only in accordance with the instructions of the principal (job control),
7. to ensure that personal data are protected against accidental destruction or loss (availability control),
8. to ensure that data collected for different purposes can be processed separately.
One measure under sentence 2 nos. 2 to 4 is, in particular, the use of state-of-the-art encryption methods.

Bibliography

[Akt07] Info Aktuell. Outsourcing - historie und begriffserklärung. Info Aktuell, 2007.
[Ama10a] Amazon. Examples of information collected. http://www.amazon.com/gp/help/customer/display.html/?ie=UTF8&nodeId=468496#examples, 2010. [Last visit: 10.06.2010].
[Ama10b] Amazon. How secure is information about me? http://www.amazon.com/gp/help/customer/display.html/?ie=UTF8&nodeId=468496#secure, 2010. [Last visit: 10.06.2010].
[Ama10c] Amazon. Privacy notice. http://www.amazon.com/gp/help/customer/display.html/?ie=UTF8&nodeId=468496, 2010. [Last visit: 10.06.2010].
[Ama10d] Amazon. S3 datensicherung. http://aws.amazon.com/de/s3/#protectdata, 2010. [Last visit: 10.06.2010].
[Ama10e] Amazon. S3 developer guide. http://docs.amazonwebservices.com/AmazonS3/latest/index.html, 2010. [Last visit: 10.06.2010].
[Ama10f] Amazon. S3 developer guide: Logging. http://docs.amazonwebservices.com/AmazonS3/latest/index.html?LoggingHowTo.html, 2010. [Last visit: 10.06.2010].
[Ama10g] Amazon. S3 funktionalitaet. http://aws.amazon.com/de/s3/#functionality, 2010. [Last visit: 10.06.2010].
[Ama10h] Amazon. S3 sla. http://aws.amazon.com/de/s3-sla/, 2010. [Last visit: 10.06.2010].
[Ber02] LG Berlin. Urteil vom 3. juli 2002, az: 2 o 358/01. LG Berlin, 2002.
[BIT09] BITKOM. Cloud computing - evolution in der technik, revolution im business. BITKOM, 2009.
[Blo06] Nicholas Carr’s Blog. Here comes haas. http://www.roughtype.com/archives/2006/03/here_comes_haas.php, 2006. [Last visit: 05.02.2010].
[Cen10] Grid Computing Info Centre. Grid infoware. http://www.gridcomputing.com, 2010. [Last visit: 12.07.2010].
[Clo09] Cloudscaling.com. Virtual, cloud, datacenters? http://cloudscaling.com/blog/technology/virtual-cloud-datacenters, 2009. [Last visit: 01.08.2010].
[CNE08] CNET. The new geek chic: Data centers. http://news.cnet.com/8301-13953_3-9977049-80.html, 2008. [Last visit: 05.02.2010].
[Com09] Computerwoche. Vor- und nachteile der virtualisierung für sap-anwender. http://www.computerwoche.de/software/software-infrastruktur/1893666/, 2009. [Last visit: 01.08.2010].
[Com10a] Computerwoche. Brauchen wir eine deutsche cloud? http://www.computerwoche.de/management/cloud-computing/1931681/index3.html, 2010. [Last visit: 25.05.2010].
[Com10b] Computerwoche. Server für die cloud immer mehr gefragt. http://www.computerwoche.de/management/cloud-computing/1938977/, 2010. [Last visit: 12.07.2010].
[Com10c] Computerwoche. User misstrauen google und amazon. http://www.computerwoche.de/management/cloud-computing/1938019/, 2010. [Last visit: 17.06.2010].
[Coo10] The Linux Cookbook. Sharing files. http://dsl.org/cookbook/cookbook_9.html, 2010. [Last visit: 31.05.2010].
[Dat08] DataCenterKnowledge. Google data center faq. http://www.datacenterknowledge.com/archives/2008/03/27/google-data-center-faq/, 2008. [Last visit: 14.06.2010].
[dJ10] Bundesministerium der Justiz. Translations. http://bundesrecht.juris.de/Teilliste_translations.html, 2010. [Last visit: 01.07.2010].
[Ela09] Elasticvapor. The us federal government defines cloud computing. http://elasticvapor.com/2009/05/us-federal-government-defines-cloud.html, 2009. [Last visit: 12.02.2010].
[Exp09] Export.gov. Us - eu & swiss safe harbor. http://www.export.gov/safeharbor/, 2009. [Last visit: 15.06.2010].
[For09] John R. Rymer Forrester. Platform-as-a-service is here; can it help you? http://www.forrester.com/rb/Research/platform-as-a-service_is_here%3B_can_it_help_you/q/id/47335/t/2, 2009. [Last visit: 10.02.2010].
[Gar07] Gartner. Magic quadrant for crm customer service contact centers. Gartner, 2007.
[Goo10a] Google. The administration console. http://code.google.com/intl/de/appengine/docs/theadminconsole.html, 2010. [Last visit: 11.06.2010].
[Goo10b] Google. Appengine for business sla. http://code.google.com/intl/de/appengine/business/sla.html, 2010. [Last visit: 14.06.2010].
[Goo10c] Google. Appengine terms of service. http://code.google.com/intl/de/appengine/terms.html, 2010. [Last visit: 14.06.2010].
[Goo10d] Google. Central development management. http://code.google.com/intl/de/appengine/business/#admin, 2010. [Last visit: 11.06.2010].
[Goo10e] Google. Datenschutz-center. http://www.google.com/privacypolicy.html, 2010. [Last visit: 14.06.2010].
[Goo10f] Google. Developer’s guide. http://code.google.com/intl/de/appengine/docs/, 2010. [Last visit: 14.06.2010].
[Goo10g] Google. Introducing appengine for business. http://code.google.com/intl/de/appengine/business/, 2010. [Last visit: 11.06.2010].
[Goo10h] Google. Run your web apps on google’s infrastructure. http://code.google.com/intl/de/appengine/, 2010. [Last visit: 14.06.2010].
[Goo10i] Google. What is google appengine? http://code.google.com/intl/de/appengine/docs/whatisgoogleappengine.html, 2010. [Last visit: 11.06.2010].
[Goo10j] Google. Who should use appengine for business? http://code.google.com/intl/de/appengine/kb/business.html#whositfor, 2010. [Last visit: 11.06.2010].
[Hae08] Dr. H. Haessig. Rechtliche rahmenbedingungen fuer information lifecycle management. EMC, 2008.
[Hei10] Heise. Google stoppt sammlung von wlan daten. http://www.heise.de/newsticker/meldung/Google-stoppt-Sammlung-von-WLAN-Daten-1000683.html, 2010. [Last visit: 14.06.2010].
[IDC07] IDC. Enterprise class virtualization 2.0 application mobility, recovery, and management. IDC, 2007. Doc.-No. DR 20075MEW.
[IDC09] IDC. Enterprise panel 3q09. IDC, 2009.
[Inc07] Gartner Inc. Gartner says agility will become the primary measure of data centre excellence by 2012. Gartner Inc., 2007.
[Inc08] Gartner Inc. Gartner says cloud computing will be as influential as e-business. http://www.gartner.com/it/page.jsp?id=707508, 2008. [Last visit: 12.02.2010].
[Inf09a] Infoworld.com. What cloud computing really means. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031?page=0,0, 2009. [Last visit: 12.02.2010].
[Inf09b] Mark Everett Hall Infoworld.com. Developers are bullish on paas. http://www.infoworld.com/d/applications/developers-are-bullish-paas-748, 2009. [Last visit: 17.04.2010].
[Inv10] Investopedia. Market crashes: The dotcom crash. http://www.investopedia.com/features/crashes/crashes8.asp, 2010. [Last visit: 17.04.2010].
[Köl02] Bundesarchiv Köln. Der archivar, jg 55, 2002, h2. http://www.archive.nrw.de/archivar/hefte/2002/Archivar_2002-2.pdf, 2002. [Last visit: 23.02.2010].
[Mic06] Microsoft. Erkennen von phishingbetrug und betruegerischen emails. http://www.microsoft.com/germany/protect/yourself/phishing/identify.mspx, 2006. [Last visit: 28.05.2010].
[Net09] Netsuite. Netsuite oneworld wird als erste saas business-suite in deutschland zertifiziert. http://www.netsuite.com/portal/de/press/nlpr06-29-09.shtml, 2009. [Last visit: 24.03.2010].
[NIS09] NIST. The nist definition of cloud computing, version 15. NIST, 2009.
[NIS10] NIST. Definition of cloud computing v15. http://csrc.nist.gov/groups/SNS/cloud-computing/index.html, 2010. [Last visit: 12.02.2010].
[Onl09] Onlinekosten.de. Eu beraet im sommer über netzneutralität. http://www.onlinekosten.de/news/artikel/38836/0/EU-beraet-im-Sommer-ueber-Netzneutralitaet, 2009. [Last visit: 27.04.2010].
[PCM10] PCMag.com. Definition of sla. http://www.pcmag.com/encyclopedia_term/0,2542,t=SLA&i=51448,00.asp, 2010. [Last visit: 07.07.2010].
[PE06] PG and E. Press release. http://www.pge.com/about/news/mediarelations/newsreleases/q4_2006/061108.shtml, 2006. [Last visit: 05.02.2010].
[Pin08] Pingdom. Map of all google data center locations. http://royal.pingdom.com/2008/04/11/map-of-all-google-data-center-locations/, 2008. [Last visit: 14.06.2010].
[Rec08] Luther Rechtsanwälte. Newsletter 1. quartal 2008. http://www.luther-lawfirm.com/download_newsletter_de/153.pdf, 2008. [Last visit: 25.02.2010].
[Sal10a] Salesforce.com. Community. http://sites.force.com/answers/ideaHome?c=09a30000000D9y3, 2010. [Last visit: 15.06.2010].
[Sal10b] Salesforce.com. Customer success stories. http://www.salesforce.com/customers/, 2010. [Last visit: 17.06.2010].
[Sal10c] Salesforce.com. developerforce. http://developer.force.com/, 2010. [Last visit: 15.06.2010].
[Sal10d] Salesforce.com. Privacy preview. http://www.salesforce.com/company/privacy.jsp, 2010. [Last visit: 15.06.2010].
[Sal10e] Salesforce.com. Security. http://www.trust.salesforce.com/trust/security/, 2010. [Last visit: 15.06.2010].
[Sal10f] Salesforce.com. System status. https://trust.salesforce.com/trust/status/, 2010. [Last visit: 15.06.2010].
[Sal10g] Salesforce.com. Tools that support privacy compliance. http://trust.salesforce.com/trust/privacy/tools/, 2010. [Last visit: 15.06.2010].
[Sal10h] Salesforce.com. Trust. http://www.trust.salesforce.com, 2010. [Last visit: 15.06.2010].
[Sch10] Cornell University Law School. U.s. code. http://www.law.cornell.edu/uscode/44/3542.html, 2010. [Last visit: 30.03.2010].
[Sea09] SearchCloudComputing.com. Vmware to tout ’redwood’ cloud computing project. http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci1364785,00.html#, 2009. [Last visit: 15.04.2010].
[SMG10] Luther RA GmbH Sun Microsystems GmbH. Cloud computing - ein hype oder nur eine wolke? Sun Microsystems GmbH, Luther RA GmbH, 2010.
[Spr08] SpringerLink. Overwriting hard drive data: The great wiping controversy. http://www.springerlink.com/content/408263ql11460147/, 2008. [Last visit: 18.05.2010].
[Tec00] Techtarget. Virtualization. http://searchservervirtualization.techtarget.com/sDefinition/0,,sid94_gci499539,00.html, 2000. [Last visit: 01.08.2010].
[Tec04] SearchDataManagement / Techtarget. Definition of compliance. http://searchdatamanagement.techtarget.com/sDefinition/0,,sid91_gci947237,00.html, 2004. [Last visit: 31.03.2010].
[Uni10] European Union. European convention on human rights: Article 8 privacy. http://conventions.coe.int/treaty/en/Treaties/Html/005.htm, 2010. [Last visit: 16.05.2010].
[VMw10] VMware. Serverkonsolidierung. http://www.vmware.com/de/solutions/consolidation, 2010. [Last visit: 05.02.2010].
[Wik10a] Wikipedia. Cloud computing. http://en.wikipedia.org/Cloud_computing, 2010. [Last visit: 12.02.2010].
[Wik10b] Wikipedia. Co-location facility. http://en.wikipedia.org/wiki/Co-location_facility, 2010. [Last visit: 13.04.2010].
[Wik10c] Wikipedia. Dsl. http://de.wikipedia.org/wiki/Digital_Subscriber_Line, 2010. [Last visit: 01.08.2010].
[Wik10d] Wikipedia. Isdn. http://de.wikipedia.org/wiki/ISDN, 2010. [Last visit: 01.08.2010].
[ZDN10] ZDNet. Cloud computing in deutschland. http://www.zdnet.de/bildergalerien_cloud_computing_in_deutschland_story-39002381-41005206-1.htm, 2010. [Last visit: 01.08.2010].