Your SlideShare is downloading. ×
0
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)

210

Published on

This presentation shows, through illustration of a case, the issues of storing privacy-sensitive data in the cloud.

This presentation shows, through illustration of a case, the issues of storing privacy-sensitive data in the cloud.

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
210
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Withourprevious hosting provider, we spendmonths tracking down backups…
  • Editor: Mat Honan
  • Secundairy Data: anonymous sets
  • Transcript

    • 1. Click to edit Master title style One single cloud to rule them all?© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 2. Agenda • Introducing my view on the cloud • Introducing a case • One single cloud to rule them all? • Hybrid clouds Click to edit Master title style • Current challenges© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 3. Introducing myself • Jaap van Ekris • Consultant specialised in high risk and high secure environments • Employed by Delta Pi Click to edit Master title style • Lead architect for several privacy sensitive solutions© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 4. A trust paradox • From the relation: If you don’t trust them, don’t do business • From technology: Don’t trust them by design Click to edit Master title style© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 5. Cloud: an architects view • Technically: a cheaper, more public, standardized product that provides much flexibility • Legal: No difference from contract, but privacy laws do introduce pitfalls Click to edit Master title style • Contractmanagement: Much less grip, more hassle?© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 6. The cloud is no panacea Click to edit Master title style© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 7. On the other hand… • Our previous hosting provider was specialized/dedicated, but worthless • Cloud solutions are cheap and flexible • We can design the solution to minimize Click to edit and reliability issues trust, privacy Master title style • Separation of powers is a good thing…© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 8. PALGA foundation • Foundation founded in 1971 • An official medical registration, as described in Dutch Privacy laws • Helps pathologist connect to colleagues on a case-to-case basis, since medical relevancy for diagnosis is measured in decades • Enabler for statistical medical research from Universities that can be observed through pathology reports • Supports national policy development through: Dutch Cancer registration, Cervical and Breast Cancer Screening Programs, Health Care Evaluation and Epidemiological Research Survey • National coverage since 1990 Click to edit Master title style • Patients can opt-out through responsible pathology lab Everything is outsourced….© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 9. Pathology as seen on TV... Click to edit Master title style© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 10. Our infrastructure Pathology Labs Lab (U-DPS) Rapporten (individueel) Aanmelden Patienten Opvragen BVO Historische Gegevens Rapporten Opvragen Patienhistorie Opvragen Patienthistorie ZorgTTP Rapporten (batches) Ruwe DataStore Bijwerken Bijwerken referentietabellen referentietabellen (RDS) LSP Transferium PZVDB Medewerker Referentiesysteem St. Palga Gegevens voor analyse Click to edit Master title style Rule Engine Bijwerken Business rules (ETL) Resultaten (dagelijks) Medewerker Tieto Wetenschappelijke Vraag Medewerker Datawarehouse St. Palga (SAS) Direct Patient care (Central) Scientific Reseach (Central)© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 11. Different types of data… • Medical data: highly classified, requires specialized hosting or strong encryption • Medical Statistical Queries: confidential, requires a specific SLA • Medical Statistical reports: Semi-public, falls within most SLA’s • E-mail etc.: Nearly public, falls within any Click to SLA Master title style decent edit© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 12. One mans trash is anothers treasure… Click to edit Master title style© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 13. The power of combination • Data becomes much more valuable when combined with other data sources • You never know your opponent • You never know what his goal with Click to edit Master your data is title style • This might be the clouds biggest threat© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 14. One single cloud provider? • One single cloud is easy from management perspective • The highest class of privacy starts to dominate requirements quickly (also pushing the cost of public data) • There are very few providers specialized in medical data solutions Click to edit Master title style • Their costs are colossal, own hosting suddenly seems affordable  • Introduces the risk of data recombination© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 15. Could Amazon solve it? • Reliable platform provider • Privacy laws are an issue: No explicit medical focus and no absolute guarantees about geographic data location • Designing around this problem style Click to edit Master title is possible but comes at a cost: strong encryption is hampering performance of big queries© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 16. Hybrid cloud • Partially put data in the cloud, partially host your own data • It is one single solution, allowing seamless access to different hosting areas Click to edit Master title style© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 17. Could Microsoft Azure solve it? • Split data: – Put medical data and queries into own hosting – Put all semi-public and public data into the cloud • Doesn’t fit our philisophy of outsourcing Click to edit Master title style (i.e. hosting our own data)© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 18. Our final mixed cloud solution • Pseudonimisation: SaaS/SECaas • Critical medical data: PaaS • Secondary data: SaaS, designed as a “disposable” environment Click to edit Master title style • E-Mail, Desktops: DaaS© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 19. Current Serivceproviders Pathology Labs Lab (U-DPS) Rapporten (individueel) Opvragen BVO Historische Gegevens Rapporten ZorgTTP Rapporten (batches) Ruwe DataStore Bijwerken Bijwerken referentietabellen referentietabellen (RDS) Transferium PZVDB Medewerker Referentiesysteem St. Palga Gegevens voor analyse Click to edit Master title style Rule Engine Bijwerken Business rules (ETL) Resultaten (dagelijks) Medewerker Tieto Wetenschappelijke Vraag Medewerker Datawarehouse St. Palga (SAS) Direct Patient care (Central) Scientific Reseach (Central)© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 20. Current challenges • Single Sign-On Authentication across different clouds is difficult: – Limiting access to the highly critical environment from a shared DaaS environment is challenging – User management is a lot of work • Defining dataflows crossing the borders of Click to providers is extremely challenging service edit Master title style • Logging of user actions is challenging© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 21. Worries… • Our platform provider started to host a lot of medical data, Chinese walls are vital in order to comply with privacy laws • The power of combination and reidentification grows by the day, challenging the height of the chinese wall Click to edit Master title style© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 22. Conclusion • It doesn’t make sense to talk about one single cloud when you have different types of information • Hybrid solutions, or better multiple clouds, would be a more sensible approach Click to edit Master title style© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,
    • 23. Questions? Mail: J.vanEkris@Delta-Pi.nl Watch again: www.slideshare.net/Jaap_van_Ekris Click to edit Master title style© Copyright 1989 – 2010, (ISC)2 All Rights Reserved 2011,

    ×