On Location-determined Cloud Management for Legally Compliant Outsourcing

Abstract

When organisations are outsourcing their data processing to clouds, the cloud providers have to support them in achieving legal compliance. This is particular challenging in globally distributed clouds where the data centres are located in multiple countries with different legislation. Here, the cloud providers have to implement technical constraints based on the legal requirements which apply individually for each cloud customer. In this paper, the legal requirements of cloud customers and their corresponding technical constraints are modelled in a technically decidable and enforceable manner, using information flow control in virtual resource management, and a solution to implement the support of legal requirements in cloud environments is proposed. The solution proposed covers the translation of legal requirements of cloud customers into technical security policies which are applied in virtual resource management of clouds. For these purposes an information model, denoted as the Cloud Security Matrix, is defined using the methods of information flow control. In the model, cloud resources (virtual and hardware) are classified and the allowed information flows are defined. The information model is capable to express both location and security constraints including authenticity, integrity and availability. The technical feasibility of a location-based assignment of virtual resources is shown in a proof-of-concept implementation based on OpenStack.