Most cloud users have no visibility into where their data


Question: Most cloud users have no visibility into where their data is located and how it is managed. Their data might be managed using tight controls in highly secure facilities; on the other hand, it might be managed by teenagers in a trailer located in a flood-zone parking lot in Uzbekistan. Unless you are a very large client with the necessary security clearances, you just don't know. Cloud vendors are understandably reluctant to reveal the locations of data, and they want (and need) the flexibility to move data where they can provide the best performance to their customers.

So, what can users do to protect their data? They can contract with responsible, public companies like Amazon.com, Microsoft, IBM, Oracle, or others and hope. Or they can never use the cloud. But is there something else?

Working with a team as instructed by your professor, take a position on this issue by answering the following questions:

1. Search the Internet for ISO 27001. Explain the purpose of this standard.

2. Does compliance with ISO 27001 mean that a data center is secure? Does it mean that no security threat against compliant data centers will be successful? What does it mean?

3. Search the Internet for evidence that Microsoft Azure complies with ISO 27001. Summarize your findings.

4. Search the Internet for evidence that Amazon's EC2 complies with ISO 27001. Summarize your findings.

SAS 70 is an auditing standard that provides guidance for an auditor issuing a report about internal controls implemented by a cloud services provider. However, to assess the adequacy of data center controls, it is necessary to read and analyze the report that was prepared in accordance with SAS 70.

5. Search the Internet for evidence that Microsoft's auditors have issued a report in accordance with SAS 70. Summarize your findings.

6. Search the Internet for evidence that Amazon's auditors have issued a report in accordance with SAS 70. Summarize your findings.

7. Compare and contrast your answers to questions 3/4 and 5/6. Does your comparison cause you to believe that there are significant differences with regard to security and control between Azure and EC2?

8. Many small businesses operate with local servers running in storerooms, broom closets, and the like. Summarize the major risks of this situation. How can using a cloud vendor that scores well according to the standards discussed help such companies?

9. Suppose a publicly traded large organization operates its own Web farm and has certifications indicating that it has complied with ISO 27001 and has issued a statement of controls in accordance with SAS 70 that indicates controls are at least adequate. Is there any reason to believe that the organization's data assets on that Web farm are more or less secure than they would be if stored in Azure or EC2? Explain your answer.

10. Based on your answers to these questions, create a general statement as to the desirability, considering only data security, of storing data on Azure and EC2 as compared to storing it on servers managed in-house.

Reference No:- TGS02247669
