privacy issues in the cloud
Privacy Issues in the Cloud. Presentation to the Chief Privacy Officers Council of Canada, May 4, 2010. Ponemon Institute paper at: http://tinyurl.com/3a3pqgl
Privacy Issues in the Cloud: Presentation to the Chief Privacy Officers Council
Constantine Karbaliotis, Data Protection & Privacy Lead
May 4, 2010
Agenda
Privacy Issues in the Cloud - Constantine Karbaliotis
1. Introduction
2. What is the Cloud?
3. What do Security Professionals See as Risks?
4. What are the Privacy Issues?
5. What is the Real Problem?
6. Conclusion/Q&A
What is the Cloud?
What is "the Cloud"?
• "Cloud computing" definitions:
– Cloud computing is interconnected networks of IT-enabled resources (i.e. services) delivered in a dynamically scalable and virtualized method, made available to customers for purchase via variable cost models based on usage. (Symantec)
– Just as with a utility, enterprises can pay for information technology services on a consumption basis
Benefits and Risks
Accelerating Trend
– Growing market to reach $42 billion by 2012 (IDC)
Rewards
– Takes advantage of virtualization
– Provides on-demand services for easy scalability
– Minimizes capital and operating expenditures
– Provides access to expertise not available in-house
– Enhances business agility
Risks
– Current lack of standardization
– Relatively high switching costs for proprietary solutions
– Security and privacy
What do Security Professionals See as Risks?
Top Security Threats to Cloud Computing
• Abuse and Nefarious Use of Cloud Computing
• Insecure Application Programming Interfaces
• Malicious Insiders
• Shared Technology Vulnerabilities
• Data Loss/Leakage
• Account, Service & Traffic Hijacking
• Unknown Risk Profile
Source: Top Threats to Cloud Computing, Version 1.0, Cloud Security Alliance, http://www.cloudsecurityalliance.org/topthreats
Governance Concerns
Perceived risks in cloud computing (percentage of respondents):
– Uncertain ability to enforce security policies at a provider: 23 percent
– Inadequate training and IT auditing: 22 percent
– Questionable privileged access control at provider site: 14 percent
– Uncertain ability to recover data: 12 percent
– Proximity of data to another customer's: 11 percent
– Uncertain ability to audit provider: 10 percent
– Uncertain continued existence of provider: 4 percent
– Uncertain provider regulatory compliance: 4 percent
Source: PriceWaterhouseCooper/CISO-CIO Magazine Survey, 2010
What are the Privacy Risks?
Privacy Risks with Cloud Computing
• Certain types of data may trigger specific obligations under national or local law
• Vendor issues:
– Organizations may be unaware they are even using cloud-based vendors
– Due diligence is still required, as in any vendor relationship
– Data security is still the responsibility of the customer
– Service Level Agreements need to account for access, correction and privacy rights
• Data transfer:
– Cloud models may trigger international legal data transfer requirements
Source: Hunton & Williams, "Outsourcing to the cloud: data security and privacy risks", March 15, 2010
What is the Real Problem?
Ponemon Study for Symantec: Summary
• Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services
• Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors
• Organizations are adopting cloud technologies without the usual vetting procedures
• Employees are making decisions without their IT departments' insights or full knowledge of the security risks involved
• Two years from now, most respondents plan to use cloud computing much more intensively than they do today
• Yet even as momentum for cloud computing builds, doubts about the security difficulties of cloud computing persist
• Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors
Ponemon Study finds Fewer than One in Ten Companies Evaluate Vendors or Train Employees on Cloud Security:
• More than 75 percent of respondents noted that the migration to cloud computing was occurring in a less-than-ideal manner, due to a lack of control over end users
• Only 27 percent of respondents said their organizations have procedures for approving cloud applications that use sensitive or confidential information
• 68 percent indicated that ownership for evaluating cloud computing vendors resides with end users and business managers
• Only 20 percent of the organizations surveyed reported that their information security teams are regularly involved in the decision-making process, and approximately a quarter said they never participated at all
• 69 percent of the respondents indicated they would prefer to see the information security or corporate IT teams lead the cloud decision-making process
Policy and Procedural Gaps (chart)
Ineffective Review
Cloud Computing Vendors Review "Process" (chart)
Organizational steps to ensure data protection (chart)
Source for the charts: Ponemon Institute study for Symantec, "Flying Blind in the Cloud", April 7, 2010
Conclusion/Q&A
Managing Privacy in the Cloud
• Policies and procedures must explicitly address cloud privacy risks
• Information governance must be put in place that:
– Provides tools and procedures for classifying information and assessing risk
– Establishes policies for cloud-based processing based upon the risk and value of the asset
• Evaluate third parties' security and privacy capabilities before sharing confidential or sensitive information:
– Thorough review and audit of vendors
– Independent third-party verification
• Train employees and staff accordingly to mitigate security/privacy risks in cloud computing
– Address from a multi-departmental perspective
Model for Managing Cloud Risks - Governance
• Strategy:
– What kinds of data will you, as a matter of course, not allow to go to the cloud? What kind of cloud is appropriate for certain types of data?
– Implicit: you have a data classification system that you follow, and know the value of your data assets
• Education & training
– Train users/business units that this requires vendor review just as any other vendor
• Resources & ownership
– It is academic to have nice policies and contractual language permitting audit rights if you don't have staff to do it
– Everyone wants Information Security or IT to own this; equip them
Model for Managing Cloud Risks - Formal Risk Management
• Privacy Risk/Impact Assessment
– Document ownership of risks and mitigations
• Data Flow Diagram
– Identify types of PII in the flow, as well as what systems, entities and jurisdictions that data flows through
• Security Assessments & Measures
– Appropriate measures to ensure adequate application security, development processes and penetration/vulnerability testing
– Require regular testing, as well as at the outset of the relationship
– Consider strategies based on encryption and data obfuscation
Model for Managing Cloud Risks - Contract & Audit
• Legal models
– Develop appropriate contractual terms to ensure protection of the types of data you want to process:
• Records retention & lawful access
• Access
• Data sharing risks/commingling
• Jurisdictional risks
• Flow-down of requirements for security, audit and evidence of compliance to sub-contractors
– Revisit/revise customer privacy notices and agreements: do they reflect what you are doing with the data?
• Monitoring
– Ensure that there are technical and organizational mechanisms to assess and audit the cloud vendor's use of data
• Audit and third-party certification
– Ensure you have the ability to audit, and do it
– Third-party certifications as a minimum
Thankyou!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Constantine Karbaliotis, J.D., CIPP/C/IT, constantine_karbaliotis[email protected]