Cloud Computing - Data Security Lifecycle In The Cloud
© 2008 KPMG Advisory, a Dutch limited liability company and member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
Data Security Lifecycle versus Cloud Computing
What questions are relevant concerning data security lifecycle in the cloud?
drs. Mike Chung RE
© (2010) KPMG Advisory N.V., member of KPMG International, a Swiss cooperative. All rights reserved.
KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
Cloud computing as phenomenon
• Cloud computing is considered the most important IT service model for 2010 and beyond
– Over 50% of all Fortune 500 enterprises are already using cloud computing services
– More than 10 million companies will be using cloud computing services by 2012
– Spending on cloud computing services will grow almost threefold, reaching $42 billion by 2012 (Source: IDC)
• All major software vendors and IT integrators are investing heavily in cloud computing offerings
• Increasing bandwidth of the internet is paving the way for ‘reliable’ online services
• Demand for cloud computing services is growing rapidly due to the economic downturn
Definition of cloud computing 2/2
• Hosted service from the (inter)net, metaphorically depicted as a cloud
• ‘ASP 2.0’
• Examples:
– Software-as-a-Service (Salesforce.com, Gmail, Microsoft Online)
– Platform-as-a-Service (GoogleApps, Force.com, 3tera AppLogic)
– Infrastructure-as-a-Service (Amazon EC2, Citrix Cloud Centre)
‘On-premise’ versus cloud computing
[Diagram: ‘On-premise’ (customer with users; hardware, software + data; IT services from internal IT; software licences + support costs paid to the software vendor) versus cloud computing (customer with users; IT services delivered over the internet by the cloud vendor; hardware, software + data at the cloud vendor; subscription or ‘pay as you go’)]
Security issues are real
• Google Web Service vulnerability leaked database usernames and passwords (2007)
• Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
• Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
• Botnet incident at Amazon EC2 infected customer’s computers and compromised their privacy (2009)
• Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)
Specific risk factors concerning the cloud 1/2
• External data storage
- Weak control over data (failing backup & recovery)
- Legal complications (violation of privacy, conflicting legislation)
- Viability uncertain (insufficient guarantee on continuity and availability of services)
• Multi-tenancy architecture
- Inadequate segregation of data
- Poor Identity and Access Management (IAM)
- Insufficient logging and monitoring
- Weakest link is decisive (virtualisation, shared databases)
Specific risk factors concerning the cloud 2/2
• Use of the public internet
- Vague and/or non-existing accountability and ownership
- Loss, misuse and theft of data
- No access to data and/or services
• Integration with the internal IT environment
- Unclear perimeters
- No connection and/or alignment with internal security
- Complexity of integration
Data Security Lifecycle: phases
Create
Store
Use
Share
Archive
Destroy
Data Security Lifecycle versus the cloud: phase ‘create’
• Data classification
- What data is valuable/confidential?
- How should the data be classified?
- What data can be disclosed freely?
• Assignment of rights to create
- What rights/permissions must be assigned to individuals/accounts?
- What rights/permissions must be assigned to, or limitations enforced on, different devices/media and/or locations?
• Integer creation
- How to assure that a specific individual/group has created the data?
- How to assure that specific data instances have been merged?
Data Security Lifecycle versus the cloud: phase ‘store’ 1/2
• Access Management
- What access controls and processes have been effectuated on the externally hosted systems?
- What access controls have been effectuated on organizations (the customer(s) and the cloud provider(s))?
• Data integrity & confidentiality
- On what (geographic) location(s) is/are my data stored?
- How is my data segregated/separated/compartmented from other customer data?
- How to assure that my data cannot be commingled with other customer data?
- How to assure that my data does not get inferred, contaminated and/or aggregated inadvertently?
Data Security Lifecycle versus the cloud: phase ‘store’ 2/2
• Encryption at rest
- What mechanisms are in place for data encryption?
- What data should be encrypted?
- Who is responsible for key management?
- Single key or multiple keys?
• Compliance
- Does external storage influence regulations and legislations?
- Are third parties or government bodies able to seize your data?
• Data recovery
- What is the recovery mechanism?
- What is the backup schedule?
Data Security Lifecycle versus the cloud: phase ‘use/share’ 1/2
• Availability
- How to assure that my data is available for use in the cloud?
- What are the SLAs and penalties?
• Logging & Monitoring
- What activities are logged and monitored (real-time, periodic)?
- What logging & monitoring reports are required and available?
• Discovery
- How can specific data be discovered?
- How can specific data be retrieved?
Data Security Lifecycle versus the cloud: phase ‘use/share’ 2/2
• Assignment of rights to use/share
- Who is responsible for Identity & Access Management?
- What rights/permissions must be assigned to individuals/accounts?
- What rights/permissions must be assigned to, or limitations enforced on, different devices/media and/or locations?
- What are the permissible methods to share?
• Non-repudiation
- How to assure that someone or some instance has sent/provided the data?
• Encryption in transit
- What mechanisms are in place for secure transfer?
- What data should be encrypted?
- Who is responsible for the connection?
Data Security Lifecycle versus the cloud: phase ‘archive’
• Media
- On what type of media (tape, disk) must the data be archived?
- What are the physical requirements regarding archiving?
• Encryption at rest
- What mechanisms are in place for data encryption?
- What data should be encrypted?
- Who is responsible for key management?
• Asset management and tracking
Data Security Lifecycle versus the cloud: phase ‘destroy’
• Data destruction
- How to assure that not only the content but also all key material will be destroyed?
- How to assure that the data is unrecoverable?
- How to assure that the data and all backups have been erased completely?
• Confirmation
- How does the cloud provider confirm the destruction process?
Conclusion
• Questions concerning the Data Security Lifecycle for cloud computing are similar to those for on-premise IT, yet emphasize different elements such as the location of your data, data recovery and data destruction
• Data Security Lifecycle Management must be an essential part of cloud computing governance
• Do not assume that cloud providers have superior security measures and processes
• You can phase out your IT, but not your data
• You can transfer complexity to the cloud, but you’ll still bear the risks
Contact information
Drs. Mike Chung RE
Manager/Lead Auditor
Risk & Compliance
+31 (0)6 1455 9916