1. ODCA UM: SECURITY DATA PROTECTION
Matt Lowth (NAB)
Ian Lamont (BMW)
2. AGENDA
ODCA Data Security 2013 |
Topic: Cloud Data Security
Discuss:
- Usage Scenarios
- Data Security Challenges
- Data Security Lifecycle
Learning: Learnings and Take-aways from this UM
3. TOPIC & UM BACKGROUND
The ODCA Contributor organizations have created this Usage Model to
collaboratively identify how they agree cloud data security should be
managed, so as to provide a clear message to the Cloud and Solution
Providers, and to share with the general public.
The Data Security UM addresses:
1. Concept
2. Important enabling elements
3. Usage Scenarios
4. Categorization of service qualities in context of the UM
4. UM CORE – KEY ELEMENTS
Data Security Challenges: Different security methodology. Protecting the data versus protecting your perimeter?
Data Classification: Important to understand what you’re protecting.
Data encryption & masking: Options to lower the sensitivity of the data by masking or encrypting it.
SIEM: Ensure access and management of your data is logged and monitored.
6. DATA SECURITY – USAGE SCENARIOS
Transfer Preparations: What to think about before you move your data to the cloud.
Data Transfer: How to get your data to the cloud.
Data Access: How to access your data in the cloud.
Other Scenarios: How to backup/restore information from the cloud, or delete your data when you’re finished using it.
7. KEY TAKEAWAYS FOR THIS UM
Develop Securely: Your data is only as secure as your weakest link.
Data Lifecycle: You need to consider what protection is necessary throughout your data’s lifecycle, not just protecting the information in transit.
Data Sovereignty: Where does your data live?
Understand Your Data: It is difficult to apply appropriate protection to your data if you don’t understand the data’s sensitivity.
8. KEY INDUSTRY ACTIONS (STANDARDS AND MORE)
Industry Wide: Data security must comply with country-specific legal requirements. These requirements and their implications need to be clearly comprehended by providers and subscribers.
Cloud Provider: Requested to submit input on the proposed data security criteria for the various assurance levels (Bronze, Silver, Gold, and Platinum).
Cloud Subscriber: Should examine their enterprises and understand the data security life cycle; then they should validate their findings by comparing them to the RFP questions.
9. INFORMATION AND ASSETS
Available to Members at: www.opendatacenteralliance.org
URL for Public content: www.opendatacenteralliance.org
Standardized Response Checklists: Accelerate TTM
Shared Practices: Drive Scale
Streamlined Requirements: Accelerate Adoption
N-Tier architecture vs protect the data. Low/Medium/High confidentiality, important to understand these concepts. What else can you do with the data to protect it? SIEM (Compliance monitoring / Provider assurance) – you just missed it – you should come to the previous session.
Ian: Ask what’s happening in BMW for Data Classification & SIEM?
Different access types
- Customer Data Access: The customer typically accesses data in the cloud through an application which provides him a service around the data. The customer will typically come from an uncontrollable external network – generalized as Internet. The access goes through a traditional DMZ architecture with an outer firewall – a reverse proxy enforcing the user authentication and applying access control for the requested application.
- Staff Data Access: Staff members will access their resources in the cloud through their enterprise firewall or virtual private network (VPN) connection to an access gateway which ensures the user is coming from an identified organization (the cloud subscriber). Staff members will perform admin tasks as well as use applications running in the cloud. Basically, their roles and accessible resources will be controlled by an access control or policy server similar to that controlling the access of the customers (i.e., from a cloud provider’s point of view, these are all customers).
- Sysadmin Data Access: The SysAdmin has OS-level access to the cloud provider’s servers and is under control of an admin gateway to limit the access to systems the admin is entitled to. The admin gateway can be implemented as a function on each server, which enforces role-based access control on the OS level (e.g., PowerBroker). Figure 6 illustrates the SysAdmin access path to data. Basically, the SysAdmin has access to all servers on the OS level. He always accesses data directly, as he has no application entitlements.
- Application Data Access: Things to think about here include whether you need to think about MASSL for auth, account credentials, etc. See the Identity mgmt usage models.
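An added example, not the presenters' or the ODCA's own material: a small SIEM-style check over constructed access-log lines that encodes the three access paths above (customer through the reverse proxy, staff through the access gateway, sysadmin through the admin gateway) and surfaces every sysadmin data touch for review, since admins hold no application entitlements. The log format, gateway names and field names are assumptions.

```python
from dataclasses import dataclass

# Entry point each actor type must come through (assumed names for the
# customer / staff / sysadmin paths described in the notes above).
ALLOWED_ENTRY = {
    "customer": "reverse_proxy",  # DMZ reverse proxy enforcing authentication
    "staff": "access_gateway",    # VPN / access gateway of the cloud subscriber
    "sysadmin": "admin_gateway",  # OS-level RBAC gateway on each server
}

@dataclass(frozen=True)
class AccessRecord:
    actor: str     # customer | staff | sysadmin
    entry: str     # gateway that admitted the request
    resource: str  # data object touched
    op: str        # read | write | delete

def parse_line(line: str) -> AccessRecord:
    """Parse a constructed 'key=value ...' log line; raises on malformed input."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return AccessRecord(f["actor"], f["entry"], f["resource"], f["op"])

def evaluate(rec: AccessRecord) -> list[str]:
    """Findings for one record; an empty list means the access matched policy."""
    findings = []
    expected = ALLOWED_ENTRY.get(rec.actor)
    if expected is None:
        findings.append(f"unknown actor type {rec.actor!r}")
    elif rec.entry != expected:
        findings.append(f"{rec.actor} bypassed {expected} via {rec.entry}")
    if rec.actor == "sysadmin":
        # Admins hit data directly at OS level with no application entitlements.
        findings.append(f"OS-level direct {rec.op} of {rec.resource}, review")
    return findings

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map each line index to its findings; unparseable lines are flagged too."""
    results = {}
    for i, line in enumerate(lines):
        try:
            results[i] = evaluate(parse_line(line))
        except (ValueError, KeyError):
            results[i] = ["malformed record"]
    return results

SAMPLE_LOG = [  # constructed sample lines, not real data
    "actor=customer entry=reverse_proxy resource=orders/42 op=read",
    "actor=customer entry=access_gateway resource=orders/42 op=read",
    "actor=sysadmin entry=admin_gateway resource=/var/lib/db/orders op=read",
    "actor=sysadmin entry=ssh_direct resource=/var/lib/db/orders op=delete",
]
```

Running scan(SAMPLE_LOG) leaves the first line clean, flags the customer that arrived via the staff gateway, and reports both sysadmin lines, the second one twice because it also bypassed the admin gateway.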
Data Sovereignty – In .AU, lots of talk of it, but no real impacts as of yet as people aren’t using public cloud for highly sensitive services. I hear Data Sovereignty is a problem in Europe – how do you see this affecting Cloud adoption in this area?