cloud computing - data security lifecycle in the cloud

1© 2008�KPMG�Advisory,�a�Dutch�limited�liability�company�and�member�firm�of�the�KPMG�network�of�independent�member�firms�affiliated�with�KPMG�International,�a�Swiss�cooperative.�All�rights�

reserved.

Data Security Lifecycle versus Cloud Computing

What questions are relevant concerning data security lifecycle in the cloud?

drs. Mike Chung RE

© (2010)�KPMG�Advisory�N.V.,�lid�van�KPMG�International,�een�Zwitserse�coöperatie.�Alle�rechten�voorbehouden.�

KPMG�and�the�KPMG�logo�are�registered�trademarks�of�KPMG�International,�a�Swiss�cooperative.2

Cloud computing as phenomenon

• Cloud computing is considered as the most important IT service model for 2010 and beyond

– Over 50% of all Fortune 500 enterprises are already using cloud computing services

– More than 10 million companies will be using cloud computing services by 2012

– Spendings on cloud computing services will grow almost threefold, reaching $42 billion by 2012 (Source: IDC)

• All major software vendors and IT integrators are investing heavily on cloud computing offerings

• Increasing bandwidth of the internet is paving the way for ‘reliable’ online services

• Demand for cloud computing services is growing rapidly due to the economic downturn



Definition of cloud computing 2/2

• Hosted service from the (inter)net, metaphorically depicted as a cloud

• ‘ASP 2.0’

• Examples:

– Software-as-a-Service (Salesforce.com, Gmail, Microsoft Online)

– Platform-as-a-Service (GoogleApps, Force.com, 3tera AppLogic)

– Infrastructure-as-a-Service (Amazon EC2, Citrix Cloud Centre)

‘On-premise’ versus cloud computing

Hardware, software + data

Users

Customer

‘On-premise’ Cloud computing

Users

IT services

Cloud vendor

Customer

Hardware, software + data

Software vendor

Software licences +

support costs

Subscription or

‘pay as you go’

Internet

IT services

Internal IT



Security issues are real

• Google Web Service vulnerability leaked database usernames and passwords (2007)

• Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)

• Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)

• Botnet incident at Amazon EC2 infected customer’s computers and compromised their privacy (2009)

• Thousands of hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)



Specific risk factors concerning the cloud 1/2

• External data storage

- Weak control over data (failing backup & recovery)

- Legal complications (violation on privacy, conflicting legislations)

- Viability uncertain (insufficient guarantee on continuity and availability of services)

• Multi-tenancy architecture

- Inadequate segregation of data

- Poor Identity and Access Management (IAM)

- Insufficient logging and monitoring

- Weakest link is decisive (virtualisation, shared databases)



Specific risk factors concerning the cloud 2/2

• Use of the public internet

- Vague and/or non-existing accountability and ownership

- Loss, misuse and theft of data

- No access to data and/or services

• Integration with the internal IT environment

- Unclear perimeters

- No connection and/or alignment with internal security

- Complexity of integration



Data Security Lifecycle: phases

Create

Store

Use

Share

Archive

Destroy



Data Security Lifecycle versus the cloud: phase ‘create’

• Data classification

- What data is valuable/confidential?

- How should the data be classified?

- What data can be disclosed freely?

• Assignment of rights to create

- What rights/permissions must be assigned to individuals/accounts?

- What rights/permissions must be assigned or limitations enforced to different devices/media and/or locations?

• Integer creation

- How to assure that a specific individual/group has created the data?

- How to assure that specific data instances have been merged?



Data Security Lifecycle versus the cloud: phase ‘store’ 1/2

• Access Management

- What access controls and processes have been effectuated on the externally hosted systems?

- What access controls have been effectuated on organizations (the customer(s)and the cloud provider(s))?

• Data integrity & confidentiality

- On what (geographic) location(s) is/are my data stored?

- How is my data segregated/separated/compartmented from other customer data?

- How to assure that my data cannot be commingled with other customer data?

- How to assure that my data does not get inferred, contaminated and/oraggregated inadvertently?



Data Security Lifecycle versus the cloud: phase ‘store’ 2/2

• Encryption in rest

- What mechanisms are in place for data encryption?

- What data should be encrypted?

- Who is responsible for key management?

- Single key or multiple keys?

• Compliance

- Does external storage influence regulations and legislations?

- Are third parties or government bodies able to seize your data?

• Data recovery

- What is the recovery mechanism?

- What is the backup schedule?



Data Security Lifecycle versus the cloud: phase ‘use/share’ 1/2

• Availability

- How to assure that my data is available for use in the cloud?

- What are the SLAs and penalties?

• Logging & Monitoring

- What activities are logged and monitored (real-time, periodic)?

- What logging & monitoring reports are required and available?

• Discovery

- How can specific data be discovered?

- How can specific data be retrieved?



Data Security Lifecycle versus the cloud: phase ‘use/share’ 2/2

• Assignment of rights to use/share

- Who is responsible for Identity & Access Management?

- What rights/permissions must be assigned to individuals/accounts?

- What rights/permissions must be assigned or limitations enforced to different devices/media and/or locations?

- What are the permissible methods to share?

• Non-repudiation

- How to assure that someone or some instance has sent/provided the data?

• Encryption in transit

- What mechanisms are in place for secure transfer?


- Who is responsible for the connection?



Data Security Lifecycle versus the cloud: phase ‘archive’

• Media

- On what type of media (tape, disk) must the data be archived?

- What are the physical requirements regarding archiving?

• Encryption in rest

- What mechanisms are in place for data encryption?


- Who is responsible for key management?

• Asset management and tracking



Data Security Lifecycle versus the cloud: phase ‘destroy’

• Data destruction

- How to assure that not only the content but also all key material will be destroyed?

- How to assure that the data is unrecoverable?

- How to assure that the data and all backups have been erased completely?

• Confirmation

- How does the cloud provider confirm the destruction process?



Conclusion

• Questions concerning the Data Security Lifecycle for cloud computing are similar from the ones for on-premise IT, yet emphasizing different elements such as location of your data, data recovery and data destruction

• Data Security Lifecycle Management must an essential part of cloud computing governance

• Do not assume that cloud providers have superior security measures and processes

• You can phase out your IT, but not your data

• You can transfer complexity to the cloud, but you’ll still bear the risks



Contact information

Drs. Mike Chung RE

Manager/Lead Auditor

Risk & Compliance

+31 (0)6 1455 9916

[email protected]

cloud computing - data security lifecycle in the cloud

Technology

kpmg advisory

kpmg logo

lid van kpmg international

cloud computing services

theft of data

data classification

cloud computing offerings

phenomenon cloud computing