• 12.1 User Responsibility vs. Cloud Provider Responsibility
• 12.2 Attacks Against Cloud Data
• 12.3 Cloud Encryption
• 12.4 Data Sanitization for the Cloud
• 12.5 Summary

Cloud platform providers such as Amazon, Google, Microsoft, Rackspace, and hundreds of others of IaaS providers should all be able to document and demonstrate their own data sanitization processes. But keep in mind that security of data is a shared responsibility.

12.1 User Responsibility vs. Cloud Provider Responsibility

A cloud provider is responsible for the following:

• All hardware and physical security for hosting the data repository. The responsibility for hardware includes the requirements to properly sanitize storage media when it is being removed for upgrades or replacement.
• Licensing and ensuring software updates and patches are available for the operating systems, database solutions, etc., that they sell on-demand.
• Logging access.

The user of a cloud data service is responsible for the following:

• Discovering and classifying all data stores
• Setting access controls, privileges, and authorizations
• Monitoring access for malicious or unintended use, and compliance purposes
• Alerting on anomalous or malicious activity
• Building systems that allow the organization to respond rapidly and effectively to alerts
• Generating audit reports to demonstrate compliance
• Sanitizing data when a regulation or security concerns call for it

These user responsibilities need to be layered on ...