Privacy issues in the cloud
Privacy Issues in the Cloud
Presentation to the Chief Privacy Officers Council
Constantine Karbaliotis, Data Protection & Privacy Lead
May 4, 2010
Agenda
Privacy Issues in the Cloud ‐ Constantine Karbaliotis
1. Introduction
2. What is the Cloud?
3. What do Security Professionals See as Risks?
4. What are the Privacy Issues?
5. What is the Real Problem?
6. Conclusion / Q&A
What is the Cloud?
What is “the Cloud”?
• “Cloud computing” definitions:
– Cloud computing is interconnected networks of IT enabled resources (i.e. services) delivered in a dynamically scalable and virtualized method, made available to customers for purchase via variable cost models based on usage. (Symantec)
– Just as with a utility, enterprises can pay for information technology services on a consumption basis.
Benefits and Risks
Accelerating Trend
– Growing market to reach $42 billion by 2012 ‐ IDC
Rewards
– Takes advantage of virtualization
– Provides on‐demand services for easy scalability
– Minimizes capital and operating expenditures
– Provides access to expertise not available in‐house
– Enhances business agility
Risks
– Current lack of standardization
– Relatively high switching costs for proprietary solutions
– Security and Privacy
What do Security Professionals See as Risks?
Top Security Threats to Cloud Computing
• Abuse and Nefarious Use of Cloud Computing
• Insecure Application Programming Interfaces
• Malicious Insiders
• Shared Technology Vulnerabilities
• Data Loss/Leakage
• Account, Service & Traffic Hijacking
• Unknown Risk Profile
Source: Top Threats to Cloud Computing, Version 1.0, Cloud Security Alliance, http://www.cloudsecurityalliance.org/topthreats
Governance Concerns
Perceived risks in cloud computing

| Perceived risk | Respondents |
| --- | --- |
| Uncertain ability to enforce security policies at a provider | 23 percent |
| Inadequate training and IT auditing | 22 percent |
| Questionable privileged access control at provider site | 14 percent |
| Uncertain ability to recover data | 12 percent |
| Proximity of data to another customer’s | 11 percent |
| Uncertain ability to audit provider | 10 percent |
| Uncertain continued existence of provider | 4 percent |
| Uncertain provider regulatory compliance | 4 percent |

Source: PricewaterhouseCoopers / CISO‐CIO Magazine Survey, 2010
What are the Privacy Risks?
Privacy Risks with Cloud Computing
• Certain types of data may trigger specific obligations under national or local law
• Vendor issues:
– Organizations may be unaware they are even using cloud‐based vendors
– Due diligence is still required, as in any vendor relationship
– Data security is still the responsibility of the customer
– Service Level Agreements need to account for access, correction and privacy rights
• Data Transfer:
– Cloud models may trigger international legal data transfer requirements
Source: Hunton & Williams, “Outsourcing to the cloud: data security and privacy risks”, March 15, 2010
What is the Real Problem?
Ponemon Study for Symantec: Summary
• Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services
• Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors
• Organizations are adopting cloud technologies without the usual vetting procedures
• Employees are making decisions without their IT departments’ insights or full knowledge of the security risks involved
• Two years from now, most respondents plan to use cloud computing much more intensively than they do today
• Yet even as momentum for cloud computing builds, doubts about security difficulties of cloud computing persist
• Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors.
Ponemon Study finds Fewer than One in Ten Companies Evaluate Vendors or Train Employees on Cloud Security:
• More than 75 percent of respondents noted that the migration to cloud computing was occurring in a less‐than‐ideal manner, due to a lack of control over end users
• Only 27 percent of respondents said their organizations have procedures for approving cloud applications that use sensitive or confidential information
• 68 percent indicated that ownership for evaluating cloud computing vendors resides with end users and business managers
• Only 20 percent of the organizations surveyed reported that their information security teams are regularly involved in the decision making process, and approximately a quarter said they never participated at all
• 69 percent of the respondents indicated they would prefer to see the information security or corporate IT teams lead the cloud decision making process
Policy and Procedural Gaps (chart)
Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010

Ineffective Review (chart)

Cloud Computing Vendors Review “Process” (chart)
Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010

Organizational steps to ensure data protection (chart)
Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010
Conclusion / Q&A
Managing Privacy in the Cloud
• Policies and procedures must explicitly address cloud privacy risks
• Information governance must be put in place that:
– Provides tools and procedures for classifying information and assessing risk
– Establishes policies for cloud‐based processing based upon the risk and value of the asset
• Evaluate third parties’ security and privacy capabilities before sharing confidential or sensitive information:
– Thorough review and audit of vendors
– Independent third party verification
• Train employees and staff accordingly to mitigate security/privacy risks in cloud computing
– Address from a multi‐departmental perspective
Model for Managing Cloud Risks ‐ Governance
• Strategy:
– What kinds of data will you, as a matter of course, not allow to go to the cloud? What kind of cloud is appropriate for certain types of data?
– Implicit: you have a data classification system that you follow and know the value of your data assets
• Education & training
– Train users/business units that this requires vendor review just as any other vendor
• Resources & Ownership
– It is academic to have nice policies and contractual language permitting audit rights if you don’t have staff to do it
– Everyone wants Information Security or IT to own this – equip them
Model for Managing Cloud Risks – Formal Risk Management
• Privacy Risk/Impact Assessment
– Document ownership of risks, mitigations
• Data Flow Diagram
– Identify types of PII in flow, as well as what systems, entities and jurisdictions that data flows through
• Security Assessments & Measures
– Appropriate measures to ensure adequate application security, development processes and penetration/vulnerability testing
– Require regular testing as well as at the outset of the relationship
– Consider strategies based on encryption, data obfuscation
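The data flow diagram and the data obfuscation points above can be worked through in code. The following is an added example, not from the original presentation or from Symantec: it models a constructed inventory of systems (hypothetical names, country codes and cloud-vendor flags) and the PII flows between them, lists the flows that cross a jurisdiction and what each cloud vendor ends up holding, and shows keyed tokenization of direct identifiers, with the token vault kept on-premises, as one concrete form of obfuscation to apply before data reaches a vendor. All system names, jurisdictions, PII categories and the demo key are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    jurisdiction: str   # country code where the system stores/processes data (constructed)
    cloud_vendor: bool  # True when the system is run by a third-party cloud provider


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    pii_types: frozenset  # categories of personal data carried by this flow


# Constructed sample inventory: the data flow diagram as a list of edges.
SYSTEMS = {s.name: s for s in [
    System("hr-db", "CA", False),
    System("crm-onprem", "CA", False),
    System("payroll-saas", "US", True),
    System("analytics-saas", "IE", True),
]}

FLOWS = [
    Flow("hr-db", "crm-onprem", frozenset({"name", "email"})),                 # domestic flow
    Flow("hr-db", "payroll-saas", frozenset({"name", "sin", "bank_account"})),
    Flow("payroll-saas", "analytics-saas", frozenset({"name", "salary_band"})),
    Flow("crm-onprem", "analytics-saas", frozenset({"email"})),
]


def cross_border_flows(systems, flows):
    """Flows whose source and destination sit in different jurisdictions.
    Each one is a candidate for international data-transfer requirements."""
    found = []
    for f in flows:
        src, dst = systems[f.src], systems[f.dst]
        if src.jurisdiction != dst.jurisdiction:
            found.append((f.src, src.jurisdiction, f.dst, dst.jurisdiction, sorted(f.pii_types)))
    return found


def vendor_exposure(systems, flows):
    """PII categories each cloud vendor holds: whatever it receives, plus
    whatever it forwards (a sender must hold what it sends)."""
    held = {}
    for f in flows:
        for name in (f.src, f.dst):
            if systems[name].cloud_vendor:
                held.setdefault(name, set()).update(f.pii_types)
    return held


def jurisdictions_for(systems, flows):
    """Per PII category, every jurisdiction it passes through."""
    juris = {}
    for f in flows:
        for p in f.pii_types:
            juris.setdefault(p, set()).update(
                {systems[f.src].jurisdiction, systems[f.dst].jurisdiction})
    return juris


# Fields that identify a person directly; constructed list for the demo.
DIRECT_IDENTIFIERS = {"name", "sin", "email", "bank_account"}


def tokenize_record(record, key, vault, direct_identifiers=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens before a record
    leaves the organisation. Tokens are deterministic, so the vendor can still
    join and count on them, but cannot reverse them without the key. The vault
    (token -> original value) stays on-premises with the data owner."""
    out = {}
    for name, value in record.items():
        if name in direct_identifiers:
            mac = hmac.new(key, f"{name}:{value}".encode(), hashlib.sha256)
            tok = "tok_" + mac.hexdigest()[:16]
            vault[tok] = value
            out[name] = tok
        else:
            out[name] = value
    return out


def detokenize_record(record, vault):
    """Re-identify a record using the on-premises vault; unknown values pass through."""
    return {name: vault.get(value, value) for name, value in record.items()}


if __name__ == "__main__":
    for src, sj, dst, dj, pii in cross_border_flows(SYSTEMS, FLOWS):
        print(f"cross-border: {src} ({sj}) -> {dst} ({dj}) carries {', '.join(pii)}")
    for vendor, pii in vendor_exposure(SYSTEMS, FLOWS).items():
        print(f"vendor {vendor} holds: {', '.join(sorted(pii))}")
    key = b"constructed-demo-key-never-sent-to-vendor"
    vault = {}
    record = {"name": "Jane Doe", "sin": "123-456-789", "salary_band": "B3"}
    print("sent to vendor:", tokenize_record(record, key, vault))
```

Run as a script, it reports three of the four constructed flows as cross-border, shows that the analytics vendor holds name, salary band and email even though it never receives them from the HR database directly, and prints a record in which only the non-identifying salary band travels in clear. Tokenization is not reversible encryption: it removes the identifiers from what the vendor sees, and re-identification depends on the vault and key never leaving the organisation; where the vendor must process the real values, field-level encryption with a library would be the alternative the slide's "encryption" point refers to.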
Model for Managing Cloud Risks – Contract & Audit
• Legal Models
– Develop appropriate contractual terms to ensure protection of the types of data you want to process:
  • Records retention & lawful access
  • Access
  • Data sharing risks/commingling
  • Jurisdictional risks
  • Flow‐down of requirements for security, audit, evidence of compliance for sub‐contractors
– Revisit/revise customer privacy notices, agreements: do they reflect what you are doing with the data?
• Monitoring
– Ensure that there are mechanisms, technical and organizational, to assess and audit cloud vendors’ use of data
• Audit and Third Party Certification
– Ensure you have the ability to audit – and do it
– Third party certifications as a minimum
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Constantine Karbaliotis, J.D., CIPP/C/IT, constantine_karbalioti[email protected]