Porticor - Can Data be safe in Public Clouds, in Compliance with Standards
- 1. Can Data be Safe in Public Clouds, in Compliance with Standards? Gilad Parann-Nissany, http://www.porticor.com, contact@porticor.com. CloudCon, March 30th, 2011. 3/29/2011 www.porticor.com © PORTICOR 2009, 2010
- 2. The Cloud Security Scales. Let's talk about solutions. Scare Stories? Or real issues?
- 3. Threat Analysis: I/PaaS. Shared Technology Vulnerabilities; Data Loss/Data Leakage; Malicious Insiders; Account Service or Hijacking of Traffic; Insecure APIs; Nefarious Use of Service; Unknown Risk Profile. PaaS: Platform as a Service. IaaS: Infrastructure as a Service. (*) courtesy “Cloud Security Alliance: Assuring the future of Cloud Computing”: S. Loureiro, 2010
- 4. Typical Provider Customer Agreement. “7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” Makes sense? Yes! But means you have to do some things…
- 5. Provider responsibilities: What can you expect? Strong investment in security of the infrastructure; Compliance with standards (SAS70, ISO 27K, PCI); Enabling (key word!) customers to be compliant
- 6. Customer responsibilities: What can you expect? Detailed advice from White Papers, Industry bodies and the community; Emphasis on your responsibility for: Security of whatever you install on the Cloud infrastructure, Identities and their management, Encryption and management of data; Significant implementation; Ability to achieve certification with standards (PCI, HIPAA, …)
- 7. Cloud Security: Making it all happen. Combining the security of the Cloud Infrastructure with your own responsibilities. How? And… what has really changed? What’s new, what carries over from the “old world”?
- 8. What’s new? What carries over? Some known concepts translate to cloud with a twist: APIs; SaaS security; Usage of IaaS. And of course, there is some pretty new stuff. More about this later…
- 10. Some new considerations: Secure distributed data storage; Keys management; Hypervisors and virtual machines; Role of encryption changes; New data protection measures emerge (i.e. fragmentation); Physical security of cloud environments
- 11. Elasticity, Flexibility, Management: Package complex privacy and security technology; Get the operations and economics right; Pay as you go; Privacy and security solutions can be brought up in a reasonable time – not months; Privacy and security have proper service level guarantees; Backed by proper SLA and/or Warranty