In Cloud, We Trust: A Research Perspective (ETSI)
Dr Jean-Christophe Pazzaglia, Director, SAP Research Sophia Antipolis, Security & Trust
Sophia-Antipolis, September 2011
SAP RESEARCH
Is it only about Cloud?
Customer Needs are Driving Market Trends
On Premise, On Demand and Cloud Co-Existence
• Hybrid business solutions and networks are becoming the norm
• Companies will choose services
  • for different purposes
  • from both public and private clouds
  • integrated with on-premise solutions
• Openness and ecosystem strength will be key success factors for providers
• Orchestration of hybrid solution landscapes will become key
• Collaboration is a central aspect of cloud applications
• Significant TCO reduction through migration of existing ERP installations to the cloud
[Figure: Public Cloud, Private Cloud, Partner Cloud, Local / On Premise]
© 2011 SAP AG. All rights reserved. 3
Is Security Different?
Security: the Last Barrier for Cloud Adoption?
Major concern for the deployment of business-critical data in the cloud
Security (but also dependability, resilience, …) is intrinsically difficult to evaluate
Functional testing: what you test is what you get!
Security testing: what you test is what you get … what you hope … what you believe about your attacker … and something else will happen!
Are Geeks Enough to Secure your Cloud?
The Cloud Stack
Different Delivery, Offer and Consumption Models
New Ways to Sell & Buy
  SAP Store at the core of an e-channel for SAP; consistent E2E experience
Co-innovation & Ecosystem
  Resellers, Solution Partners, Service Partners
On Demand Solutions
  • SAP Business ByDesign as OD suite
  • LOB Solutions
  • Analytics; Collaboration
Cloud Ops. & Infrastructure
  In-memory ready cloud; best service at lowest cost; global, 7x24
Our Strategy for Success
Four Key Areas of Innovation and Investment
[Figure: platform diagram. Actors: Solution Partner, Customer, Community, SAP Store. Layers: Cloud Computing Infrastructure; Application Platform (PaaS); Solutions and Services (SaaS) with Add-ons; On Demand Lifecycle Management & Operations; Billing & Collection; External Web Services (Core / Edge: consume and integrate remote services). Flows: Build, Certify & Publish, Find & Subscribe, Sell & Deploy, Pay & Usage, Use; Core Solutions | Sales OnDemand]
A Platform for Partners to Build and Sell Cloud Add-ons
Covering development through sales and customer support
Open questions
Should we blindly trust the hardware provider / software vendor / solution provider / add-on developer / etc.?
Where are my data, and which legal system applies?
Are my data protected (on-line version and backups)?
Are the data used only for the original intent?
Are the management processes documented and implemented?
How often is the system patched?
What is the latency for security fixes?
Establishing trust: compliance with certification standards is a must-have
Cloud Operations & Infrastructure
Continuous Investment into SAP Cloud
Highest Compliance Standards: ISO 27001, SAS 70 Type II, ISAE 3402 certificate
SAP Data Centers: SAP data center location in Germany; US data center to open in Q2 2011; APA in preparation
Scalability and In-Memory Ready: scalable operations through full multi-tenancy enablement; latest blade technology with 144 GB – 2 TB main memory; in-memory database will further improve performance and reduce cost
Integration with Service Backbone: continuous, proactive monitoring; SAP support network
[Certification badges: ISO 27001 certification, SAS 70 Type II certification, energy efficiency certificate, "Premium Standard Data Center"]
A journey to our SAP Research S&T related projects
Mechanisms to build trust in the cloud context and adapting your strategy to the trust level
SAP RESEARCH
Assuring Trust: Real time auditing
Maintaining Trust: Establish a Security Policy Chain
Service Provider Landscape
• Composition of in-house and outsourced subservices on all architecture layers
• Multitude of security requirements stemming from different sources
• Shared and continuously changing environment
Challenges
• Select efficient and cost-beneficial security controls
• Meet new requirements
• Maintain security and compliance at operations time
• Improve transparency for all stakeholders
Today’s tools and processes hamper compliance, security and profitability
Project Objective
• Improve security and compliance
• Lower security management costs
Building the Policy Chain: from abstract, declarative security requirements down to technical, imperative configuration settings
Use-cases of the Policy Chain
• Elicitation and analysis of security requirements
• Matching and comparison of 3rd-party suppliers
• Comparison, selection, and implementation of security enforcement mechanisms
• Policy-driven system management by the deployment of generated security configurations
• Compliance assessment, through complete, repeatable, and automated system validation
Copyright 2011 by PoSecCo. The PoSecCo project (project no. 257129) is co-funded by the European Union under the ICT theme of the 7th Framework Programme for R&D (FP7).
Programmatic Way to Establish Trust: “Can a Program believe?”
Trusted Environment: Distribute your Data Together with their Policy
Sticky Policy: Distribute Your Data Together with Their Policy
The business web relies on the transmission of (personal) data across services, players and geographies. Risks:
• Original conditions of collection (e.g., purpose) may get lost
• Compliance with regional privacy regulations
• Users or data collectors lose control
Sticky Policy: attaching data-handling conditions to the data. The policy follows the data from collection (B2C) and all along the chain (B2B).
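The slide describes the mechanism but not how a policy is kept attached and enforced. The following added example (not from the presentation or from SAP) binds a record and its data-handling policy under one MAC at collection time, so a downstream B2B processor can verify that the policy was not altered or detached and must check purpose, region and retention before use. The shared HMAC key, the policy fields, and the sample record are assumptions constructed for the demonstration; a real deployment would more likely use a collector signature that verifiers can check without holding a secret.

```python
"""Sticky policy: the data-handling policy travels with the record and is
cryptographically bound to it, so every hop in the chain can verify that the
policy is the one set at collection and enforce it before using the data.
Added example, not the mechanism of the slide; the HMAC key shared between
the collector and every verifier is an assumption.
"""
import hashlib
import hmac
import json
from datetime import date

# Assumption: a key provisioned by the collector to every authorised verifier.
COLLECTOR_KEY = b"constructed-collector-key-for-demo"


def _canonical(data: dict, policy: dict) -> bytes:
    # Sorted keys give a canonical encoding, so the MAC is stable across hops.
    return json.dumps({"data": data, "policy": policy}, sort_keys=True).encode()


def attach_policy(data: dict, policy: dict, key: bytes = COLLECTOR_KEY) -> dict:
    """Bind data and policy under one MAC: neither can be edited or separated
    from the other downstream without the tag failing to verify."""
    tag = hmac.new(key, _canonical(data, policy), hashlib.sha256).hexdigest()
    return {"data": data, "policy": policy, "tag": tag}


def verify_envelope(env: dict, key: bytes = COLLECTOR_KEY) -> bool:
    expected = hmac.new(key, _canonical(env["data"], env["policy"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, env.get("tag", ""))


def authorize_use(env: dict, purpose: str, region: str, today: str,
                  key: bytes = COLLECTOR_KEY) -> tuple:
    """Decision a downstream processor must take before touching the data.
    Returns (allowed, reason); `today` is an ISO date string."""
    if not verify_envelope(env, key):
        return False, "envelope tampered with or policy detached"
    policy = env["policy"]
    if purpose not in policy["allowed_purposes"]:
        return False, "purpose '%s' not covered by the original consent" % purpose
    if region not in policy["allowed_regions"]:
        return False, "region '%s' not permitted by the policy" % region
    if date.fromisoformat(today) > date.fromisoformat(policy["retain_until"]):
        return False, "retention period expired"
    return True, "ok"


def sample_envelope() -> dict:
    """Constructed B2C collection: the user consented to billing in the EU only."""
    record = {"customer_id": "C-1001", "email": "user@example.com"}
    policy = {"allowed_purposes": ["billing"], "allowed_regions": ["EU"],
              "retain_until": "2012-12-31", "collected_from": "webshop"}
    return attach_policy(record, policy)


def demo() -> dict:
    """Walk the record through the B2B chain and record each decision."""
    env = sample_envelope()
    results = {
        "billing_eu": authorize_use(env, "billing", "EU", "2011-10-01"),
        "marketing_eu": authorize_use(env, "marketing", "EU", "2011-10-01"),
        "billing_us": authorize_use(env, "billing", "US", "2011-10-01"),
        "expired": authorize_use(env, "billing", "EU", "2013-01-15"),
    }
    # A partner quietly widens the policy to cover marketing: the tag no longer matches.
    forged = json.loads(json.dumps(env))
    forged["policy"]["allowed_purposes"].append("marketing")
    results["forged_policy"] = authorize_use(forged, "marketing", "EU", "2011-10-01")
    return results


if __name__ == "__main__":
    for step, (allowed, reason) in demo().items():
        print("%-14s %-5s %s" % (step, "ALLOW" if allowed else "DENY", reason))
```

The check that matters is the order: verification of the binding comes before any policy evaluation, so a processor can never be talked into honouring a policy it did not receive from the collector. The HMAC only gives integrity, not confidentiality; if the data must also be hidden from intermediate hops, the record has to be encrypted to the intended recipients as well.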
Partial trust: How to Evaluate the Risk of Sharing Data?
Data Disclosure Risk Evaluation
Problem Statement: how to transform original data records so that no sensitive personal data are disclosed, while preserving the maximum amount of relevant information (anonymity vs. utility trade-off), data integrity and consistency.
Mechanisms
• Transform the original dataset to preserve privacy: data perturbation, scrambling, generalization, suppression
• Risk Assessment: score the resulting data set and the inference risk
Scenarios: Software Testing, Providing Data to Researchers, Outsourced Processes
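The slide lists generalization and suppression as mechanisms and risk scoring as the assessment step without showing either. The following added example (constructed here, not the project's scoring) generalizes age and postal code, suppresses records that still sit in a class smaller than k, and then scores both the re-identification risk (1 over the class size an attacker would have to guess in) and the inference risk that k-anonymity alone does not remove: a class whose records all share one sensitive value. The dataset, the quasi-identifier choice and the risk measures are assumptions for the demonstration.

```python
"""Data disclosure risk evaluation: generalise and suppress quasi-identifiers
until every record is indistinguishable from at least k-1 others, then score
the re-identification risk and the inference risk that survives. Added example
on a constructed dataset; the risk measures (1/class size, homogeneous classes)
are one common choice, not necessarily the scoring used on the slide.
"""
from collections import Counter

# Constructed sample: direct identifiers already removed; age and zip are the
# quasi-identifiers an attacker might know; diagnosis is the sensitive attribute.
RECORDS = [
    {"age": 29, "zip": "06250", "diagnosis": "flu"},
    {"age": 31, "zip": "06254", "diagnosis": "asthma"},
    {"age": 34, "zip": "06253", "diagnosis": "flu"},
    {"age": 45, "zip": "06560", "diagnosis": "diabetes"},
    {"age": 47, "zip": "06562", "diagnosis": "diabetes"},
    {"age": 62, "zip": "75001", "diagnosis": "cancer"},
]
QUASI = ("age", "zip")
SENSITIVE = "diagnosis"


def generalize(rec: dict, age_band: int = 10, zip_digits: int = 3) -> dict:
    """Coarsen age into bands and keep only a zip prefix (generalisation)."""
    lo = (rec["age"] // age_band) * age_band
    age = "%d-%d" % (lo, lo + age_band - 1)
    zip_ = rec["zip"][:zip_digits] + "*" * (len(rec["zip"]) - zip_digits)
    return {**rec, "age": age, "zip": zip_}


def _key(rec: dict) -> tuple:
    return tuple(rec[q] for q in QUASI)


def equivalence_classes(records: list) -> Counter:
    """Group records that share the same quasi-identifier values."""
    return Counter(_key(r) for r in records)


def k_anonymize(records: list, k: int, age_band: int = 10, zip_digits: int = 3):
    """Generalise, then suppress records whose class is still smaller than k.
    Returns (kept_records, number_suppressed); suppression is the utility cost."""
    gen = [generalize(r, age_band, zip_digits) for r in records]
    classes = equivalence_classes(gen)
    kept = [r for r in gen if classes[_key(r)] >= k]
    return kept, len(gen) - len(kept)


def disclosure_risk(records: list) -> dict:
    """Re-identification risk: an attacker who knows a target's quasi-identifiers
    picks one record from the matching class, so the risk is 1/class size."""
    classes = equivalence_classes(records)
    if not records:
        return {"max_risk": 0.0, "avg_risk": 0.0, "unique_records": 0, "min_class": 0}
    per_record = [1.0 / classes[_key(r)] for r in records]
    return {
        "max_risk": max(per_record),
        "avg_risk": sum(per_record) / len(records),
        "unique_records": sum(1 for c in classes.values() if c == 1),
        "min_class": min(classes.values()),
    }


def homogeneous_classes(records: list) -> list:
    """Inference risk: k-anonymity does not help when every record in a class
    carries the same sensitive value; the attacker learns it without picking a row."""
    values = {}
    for r in records:
        values.setdefault(_key(r), set()).add(r[SENSITIVE])
    return sorted(k for k, v in values.items() if len(v) == 1)


if __name__ == "__main__":
    print("raw:", disclosure_risk(RECORDS))
    kept, suppressed = k_anonymize(RECORDS, k=2)
    print("k=2:", disclosure_risk(kept), "suppressed:", suppressed)
    print("homogeneous classes (attribute disclosure):", homogeneous_classes(kept))
```

On the constructed data, k=2 with ten-year age bands keeps four of six records, and the two patients in the 40-49 / 065** class both carry "diabetes": the re-identification score looks acceptable while the inference score flags an attribute disclosure. Widening the age band to twenty years keeps five records at the cost of less precise ages, which is the anonymity-versus-utility trade-off the slide refers to.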
“No trust, let’s Party”: Privacy-Preserving Computing
Privacy-Preserving Computing
Collaboration without Trust
Collaborative business applications often require partners to be trusted with sensitive data. Privacy-Preserving Computing enables collaboration while preserving the privacy of one’s data.
Scenarios
• Global Benchmarking Service
• SecureSCM Supply Chain Planning
• Secure Cloud Computing
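The benchmarking scenario is the simplest case of computing on data nobody wants to hand over: each company wants the industry average without revealing its own figure. The following added example (not SecureSCM or any SAP code) uses additive secret sharing, where each party splits its value into random shares, hands one to every other party, and the published per-party sums add up to the total while no single party's view contains another party's input. The field modulus, the honest-but-curious setting and the sample costs are assumptions for the demonstration.

```python
"""Privacy-preserving computing without a trusted party: additive secret
sharing lets n companies learn the total (and hence the benchmark average) of
their private values while no single party, nor anything it receives, reveals
another party's input. Added example with constructed inputs; the prime modulus
and the honest-but-curious model (parties follow the protocol but may try to
infer inputs) are assumptions. Collusion of n-1 parties still exposes the last.
"""
import secrets

P = 2**61 - 1  # assumption: a prime modulus large enough for any realistic total


def share(value: int, n: int) -> list:
    """Split `value` into n shares that sum to it mod P; any n-1 of the shares
    are uniformly random and carry no information about `value`."""
    if not 0 <= value < P:
        raise ValueError("value must lie in [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def secure_sum(inputs: list):
    """Run the protocol for all parties. Returns (total, views) where views[j]
    is everything party j received, so the reader can inspect what leaks."""
    n = len(inputs)
    if sum(inputs) >= P:
        raise ValueError("total would wrap around the modulus")
    # Round 1: party i splits its input and sends share j to party j.
    outgoing = [share(v, n) for v in inputs]
    views = [[outgoing[i][j] for i in range(n)] for j in range(n)]
    # Round 2: each party adds the shares it received and publishes the result.
    partials = [sum(views[j]) % P for j in range(n)]
    # Anyone can add the published partial sums to obtain the total.
    return sum(partials) % P, views


def benchmark_average(inputs: list) -> float:
    """Global benchmarking: the average is public, the individual figures are not."""
    total, _ = secure_sum(inputs)
    return total / len(inputs)


if __name__ == "__main__":
    # Constructed: three suppliers' annual logistics costs they will not disclose.
    costs = [120_000, 95_000, 143_000]
    total, views = secure_sum(costs)
    print("total:", total, "average:", benchmark_average(costs))
    for j, v in enumerate(views):
        print("party", j, "received shares:", v)
```

The security argument rests on the shares being uniform in the field: each party sees one random share per input, and the partial sums it publishes are likewise masked by other parties' randomness. What this does not protect against is the output itself; with only two participants the average reveals the other party's value, so a benchmarking service needs enough contributors (or added noise) before the result is safe to publish.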
Conclusion
On-premise, private and public cloud will coexist to support IT solutions for businesses (at least for the next decade(s?))
Professional cloud providers deliver high-quality IT security
New security concerns exist but may be overhyped
Different data-sharing strategies apply depending on the processes and the trust between actors
Proper trust management is key to reducing the exposure of business data
Standards should support a way to convey information about certification, data-handling policy, reputation and trust within the cloud (but not limited to it).
Thank You!
Dr Jean-Christophe Pazzaglia, Security & Trust Engineering Manager, Director SAP Research Sophia-Antipolis
SAP Labs France, 805 Avenue du Docteur Maurice Donat, BP 1216, 06254 Mougins Cedex, France