Privacy issues in the cloud final

1. Privacy Issues in the Cloud  Presenta4on to the Chief Privacy Oﬃcers Council  Constan4ne Karbalio4s  Data Protec*on & Privacy Lead  May 4, 2010  1 

2. Agenda  1  Introduc*on  2  What is the Cloud?  3  What do Security Professionals See as Risks?  4  What are the Privacy Issues?  5  What is the Real Problem?  6  Conclusion/Q&A  2  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s 

3. What is the Cloud?  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  3 

4. What is “the Cloud”?  • “Cloud compu*ng” deﬁni*ons:  – Cloud compu*ng is interconnected networks of IT enabled  resources (i.e. services) delivered in a dynamically scalable  and virtualized method, made available to customers for  purchase via variable cost models based on usage.  •  Symantec  – just as with a u*lity, enterprises can pay for informa*on  technology services on a consump*on basis  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  4 

5. Beneﬁts and Risks  Accelera4ng Trend  –  Growing market to reach $42 billion by 2012 ‐ IDC  Rewards  –  Takes advantage of virtualiza*on   –  Provides on‐demand services for easy scalability  –  Minimizes capital and opera*ng costs expenditures  –  Provides access to exper*se not available in‐house  –  Enhances business agility   Risks  –  Current lack of standardiza*on  –  Rela*vely high switching costs for proprietary solu*ons  –  Security and Privacy  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  5  5

6. What do Security Professionals See as  Risks?  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  6 

7. Top Security Threats to Cloud Compu4ng  •  Abuse and Nefarious Use of Cloud Compu*ng  •  Insecure Applica*on Programming Interfaces  •  Malicious Insiders  •  Shared Technology Vulnerabili*es  •  Data Loss/Leakage  •  Account, Service & Traﬃc Hijacking  •  Unknown Risk Proﬁle  •  Source:   Top Threats to Cloud Compu*ng, Version 1.0  Cloud Security Alliance  hbp://www.cloudsecurityalliance.org/topthreats  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  7 

8. Governance Concerns  PERCEIVED RISKS IN CLOUD COMPUTING   Uncertain ability to enforce security  23 percent   policies at a provider   Inadequate training and IT audi*ng     22 percent     Ques*onable privileged access control at  14 percent    provider site     Uncertain ability to recover data    12 percent     Proximity of data to another customer’s   11 percent   Uncertain ability to audit provider     10 percent     Uncertain con*nued existence of provider   4 percent     Uncertain provider regulatory compliance   4 percent   Source: Price Waterhouse Cooper/CISO‐CIO Magazine Survey, 2010  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  8 

9. What are the Privacy Risks?  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  9 

10. Privacy Risks with Cloud Compu4ng  •  Certain types of data may trigger speciﬁc  obliga*ons under na*onal or local law  •  Vendor issues:   –  Organiza*ons may be unaware they are even using  cloud‐based vendors  –  Due diligence s*ll required as in any vendor rela*onship  –  Data security is s*ll the responsibility of the customer  –  Service Level agreements need to account for access,  correc*on and privacy rights  •  Data Transfer:  –  Cloud models may trigger interna*onal legal data  transfer requirements  Source: Hunton & Williams, “Outsourcing to the cloud: data security and  privacy risks”, March 15, 2010  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  10 

11. What is the Real Problem?  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  11 

12. Ponemon Study for Symantec: Summary  •  Business applica*ons, solu*on stacks and storage are the most popular cloud  compu*ng applica*ons, plaiorms and infrastructure services  •  Few organiza*ons take proac*ve steps to protect both their own sensi*ve  business informa*on and that of their customers, consumers and employees  when they store that informa*on with cloud compu*ng vendors  •  Organiza*ons are adop*ng cloud technologies without the usual vekng  procedures  •  Employees are making decisions without their IT departments’ insights or full  knowledge of the security risks involved  •  Two years from now, most respondents plan to use cloud compu*ng much  more intensively than they do today  •  Yet even as momentum for cloud compu*ng builds, doubts about security  diﬃcul*es of cloud compu*ng persist  •  Organiza*ons most frequently protect themselves through tradi*onal IT  security solu*ons and legal or indemniﬁca*on agreements with vendors.  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  12 

13. Ponemon Study ﬁnds Fewer than One in Ten Companies  Evaluate Vendors or Train Employees on Cloud Security:  •  More than 75 percent of respondents noted that the migra*on to  cloud compu*ng was occurring in a less‐than ideal manner, due  to a lack of control over end users  •  Only 27 percent of respondents said their organiza*ons have  procedures for approving cloud applica*ons that use sensi*ve or  conﬁden*al informa*on  •  68 percent indicated that ownership for evalua*ng cloud  compu*ng vendors resides with end users and business managers  •  Only 20 percent of the organiza*ons surveyed reported that their  informa*on security teams are regularly involved in the decision  making process and approximately a quarter said they never  par*cipated at all  •  69 percent of the respondents indicated they would prefer to see  the informa*on security or corporate IT teams lead the cloud  decision making process  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  13 

14. Policy and Procedural Gaps  Source: Ponemon Ins*tute study for Symantec: “Flying Blind in the Cloud”,  April 7, 2010  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  14 

15. Ineﬀec4ve Review  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  15 

16. Cloud Compu4ng Vendors Review “Process”  Source: Ponemon Ins*tute study for Symantec: “Flying Blind in the Cloud”,  April 7, 2010  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  16 

17. Organiza4onal steps to ensure data protec4on  Source: Ponemon Ins*tute study for Symantec: “Flying Blind in the Cloud”,  April 7, 2010  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  17 

18. Conclusion/Q&A  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  18 

19. Managing Privacy in the Cloud  •  Policies and procedures must explicitly address cloud privacy  risks  •  Informa*on governance must be put in place that:  –  Provides tools and procedures for classifying informa*on and assessing risk   –  Establish policies for cloud‐based processing based upon risk and value of  asset.   •  Evaluate third par*es’ security and privacy capabili*es before  sharing confiden*al or sensi*ve informa*on.   –  Thorough review and audit of vendors  –  Independent third party verifica*on   •  Train employees and staff accordingly to mi*gate security/ privacy risks in cloud compu*ng  –  Address from mul*‐departmental perspec*ve  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  19 

20. Model for Managing Cloud Risks ‐ Governance  •  Strategy:  –  What kinds of data will you as a maber of course not allow to go to the  cloud? What kind of cloud is appropriate for certain types of data?  –  Implicit: you have a data classiﬁca*on system that you follow and know  the value of your data assets  •  Educa*on & training  –  Train users/business units that this requires vendor review just as any  other vendor  •  Resources & Ownership  –  Academic to have nice policies, contractual language permikng audit  rights, if you don’t have staﬀ to do it  –  Everyone wants Informa*on Security or IT to own this – equip them  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  20 

21. Model for Managing Cloud Risks – Formal Risk  Management  •  Privacy Risk/Impact Assessment  –  Document ownership of risks, mi*ga*ons  •  Data Flow Diagram  –  Iden*fy types of PII in ﬂow, as well as what systems, en**es and  jurisdic*ons that data ﬂows through  •  Security Assessments & Measures  –  Appropriate measures to ensure adequate applica*on security,  development processes and penetra*on/vulnerability tes*ng  –  Require regular tes*ng as well as at outset of rela*onship  –  Consider strategies based on encryp*on, data obfusca*on   Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  21 

22. Model for Managing Cloud Risks – Contract & Audit  •  Legal Models  –  Develop appropriate contractual terms to ensure protec*on of the types of  data you want to process:  •  Records reten4on & lawful access  •  Access  •  Data sharing risks/commingling  •  Jurisdic4onal risks  •  Flow‐down of requirements for security, audit, evidence of compliance for sub‐contractors  –  Revisit/revise customer privacy no*ces, agreements: do they reflect what you  are doing with the data?   •  Monitoring  –  Ensure that there are mechanisms technical and organiza*onal to assess and  audit cloud vendor’s use of data  •  Audit and Third Party Cer*fica*on  –  Ensure you have the ability to audit – and do it  –  Third party cer*fica*ons as a minimum  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  22 

23. Thank you!  Constan*ne Karbalio*s, J.D., CIPP/C/IT  constan*ne_karbalio*s@symantec.com  416.402.9873  Copyright © 2010 Symantec Corpora4on. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corpora*on or its aﬃliates in  the U.S. and other countries.  Other names may be trademarks of their respec*ve owners.  This document is provided for informa*onal purposes only and is not intended as adver*sing.  All warran*es rela*ng to the informa*on in this document, either express or implied,  are disclaimed to the maximum extent allowed by law.  The informa*on in this document is subject to change without no*ce.  Privacy Issues in the Cloud ‐ Constan*ne Karbalio*s  23 

Privacy issues in the cloud final

Privacy issues in the cloud final

Recommandé

Contenu connexe

Tendances

Tendances(20)

En vedette

En vedette(6)

Similaire à Privacy issues in the cloud final

Similaire à Privacy issues in the cloud final(20)

Privacy issues in the cloud final