Defined Categories of Service 2011 - Cloud Security Alliance
CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011
Category #9: Business Continuity and Disaster Recovery
Description: Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions. BCDR provides flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric BCDR makes use of the cloud’s flexibility to minimize cost and maximize benefits. For example, a tenant could make use of low specification guest machines to replicate applications and data to the cloud, but with the provision to quickly ramp up the CPU and RAM, etc. of these machines in a BCDR scenario.
Class: Reactive, Protective, Detective
CORE FUNCTIONALITIES
Flexible infrastructure
Secure backup
Monitored operations
Third party service connectivity
Replicated infrastructure components
Replicated data (core / critical systems)
Data and/or application recovery
Alternate sites of operation
Tested and measured processes and operations to ensure
Geographically distributed data centers / infrastructure
Network survivability
OPTIONAL FEATURES
Support for BC and DR compliance monitoring and/or reporting or testing flexible infrastructure
Authorized post disaster privileged account management
Enable DR Policy management (incl. authorization management, role management, compliance management)
CHALLENGES
Over-centralization of data
Lack of approved and tested policies, processes, and procedures
Legal constraints on transportation of data outside affected region
Network connectivity failures
Identification of Recovery Time Objectives / Recovery Point Objectives / SLAs
Agreed definition between vendor and client of what DR / BCP means
Security – Data in multiple locations
SERVICES
Includes: File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. Databases)
Related Services: Fail-back to live systems, Encryption of data in transit, Encryption of data at rest, Field level encryption, Realm-based access control
Related Technologies and Standards: ISO/IEC 24762:2008, BS25999
Service Model: IaaS, SaaS
CSA Domains (v2.1): 7
THREATS ADDRESSED
Natural disaster
Fire
Power outage
Terrorism/sabotage
Data corruption
Data deletion
Pandemic/biohazard
Copyright © 2011 Cloud Security Alliance