Protecting Data in the Cloud


Presentation given to the Australian Computer Society's QLD Branch Cloud SIG in September 2012.

1 Comment
  • GOOD ONE!!!
    Just came across yours after I posted one today. Great details in yours - I did not want to include as much in mine (the ISO numbers and such). It was already 22 pages long and I didn't want to overwhelm with it.
    Take care, Patrick


  1. Protecting Data in the Cloud
     Neil Readshaw, CISSP
     Worldwide Chief Architect – Cloud Security, IBM Global Technology Services
     @readshaw
     © 2012 IBM Corporation
  2. A Perfect Storm for Data Protection
     • Big Data
     • Industrialization of IT
     • Consumerization of IT
  3. How data protection in the cloud can go wrong
     [Diagram: the Enterprise (Security Policy, Customer Administrator, User, Mobile User) connected over the Internet to the Cloud Service Provider (Cloud Infrastructure, Workloads, Cloud Administrator), annotated with the six failure points below.]
     1. Security policy does not specify appropriate use of public clouds, so users are unguided.
     2. Without knowing better, a user tries to upload confidential data to a public cloud service "to do their job".
     3. No data security controls at the enterprise boundary.
     4. Cloud provider's data protection controls are neither documented, trusted nor certified.
     5. Enterprise workload in the cloud is not subject to the same security policy as on-premise.
     6. Mobile employee with BYOD leaks data because the device lacks sufficient security to protect data at rest after retrieval from the cloud.
  4. Risks change when putting data in the cloud
     Example risk                    What makes it different?
     Data location                   Information may no longer be protected by the same laws and regulations as if it were in your on-premise environment.
     Multi-tenancy                   A multi-tenant cloud may contain vulnerabilities at any level in the architecture that compromise the isolation principle.
     Cloud provider administration   A cloud provider's administrators are not necessarily subject to the same security controls and regulations as in the on-premise case.
     While the extent of the risks may vary from on-premise data protection, the way to approach data protection is no different.
  5. To protect data in the cloud requires:
     • A balanced approach:
       • Governance, policy and process
       • User awareness
       • Technical security controls
       • Trust, compliance and assurance
     • Meeting or exceeding what is already available in the enterprise IT environment
  6. Governance, policy and process
     • How effective is your current enterprise data protection policy?
       • And how accurate is the perception of its effectiveness?
     • Make your CIO Office/Cybersecurity policies and procedures cloud aware:
       • System inventory
       • Endpoint security and compliance management
       • Incident response
       • Automation is a must
     • Taking a risk-based approach allows for a balanced consideration of business opportunities
     • Cloud is not one-size-fits-all, and neither should be the evaluation of workloads and their suitability
  7. User awareness
     • The division of security and privacy responsibilities between the cloud service provider and the cloud consumer should be clearly and consistently understood by all parties
       • Include end users, not just owners/admins
     • Demarcation of responsibilities will vary according to the cloud service and its delivery model
     • A program of ongoing education and awareness for users provides an opportunity to update them as the cybersecurity and compliance landscape changes
  8. Technical security controls
     What
     • Identity and access management (IAM)
     • Encryption and key management
     • Tokenization
     • Secure delete
     • Anti-malware
     • Data loss prevention (DLP)
     • Security and compliance management
     • Audit
     • Secure software engineering
     Where
     • Within the enterprise (desktops, servers)
     • At the enterprise boundary
     • At the cloud boundary
     • In the cloud infrastructure
     • In the workloads/VMs running in the cloud
  9. Trust, compliance and assurance
     • How is trust built between a cloud service provider and a cloud service consumer?
       • Infrastructure certifications, e.g. ISO 27001, SSAE 16
       • Industry regulations, e.g. PCI-DSS
       • History and experience of a vendor in providing cloud/IT services
     • Providing visibility into the operation of the cloud is important for assurance
       • Directly with the cloud service provider or through a trusted third party
  10. When data protection in the cloud goes well
     [Diagram: the same Enterprise / Internet / Cloud Service Provider layout as slide 3, annotated with the six controls below.]
     1. Security policy specifies appropriate use of public clouds, including incremental security controls, by workload.
     2. User has been educated to know that confidential data cannot be put in public clouds without encryption, and that SPI cannot be put in a cloud outside of the home country.
     3. Boundary security devices perform malware detection and policy-based data filtering/tokenization.
     4. Cloud provider can demonstrate compliance with industry regulations and standards.
     5. Enterprise treats cloud-hosted workloads as per on-premise, with the same security controls, e.g. IAM, AV, SCM.
     6. Mobile devices (enterprise supplied or BYOD) are managed, including security configuration management.
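The boundary controls that slides 4, 8 and 10 describe (a data-location rule for SPI, a "confidential data only with encryption" rule, and policy-based filtering with tokenization before data leaves the enterprise) can be exercised in code. The following Python is an added example written for this page; it is not from the presentation or from any IBM product. The record format, the SPI detectors, the region names, the `Destination` and `TokenVault` classes and the `encrypts_at_rest` attribute are all assumptions made for illustration; real tokenization would use a format-preserving scheme and a hardened vault.

```python
"""Boundary policy filter with tokenization (added example, not from the deck).

Models the controls the slides call for at the enterprise boundary:
  - data location: SPI must not leave the home country
  - confidential data may only go to a destination that encrypts it
  - SPI fields are tokenized before upload; the vault stays on-premise
All names, patterns and regions are assumptions for illustration only.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

HOME_COUNTRY = "AU"  # assumption: the enterprise's home jurisdiction

# Assumed SPI detectors: an e-mail address and a 9-digit identifier.
SPI_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "nine_digit_id": re.compile(r"^\d{3} ?\d{3} ?\d{3}$"),
}


@dataclass
class Destination:
    """A cloud service as seen by the boundary policy (hypothetical)."""
    name: str
    country: str
    encrypts_at_rest: bool  # provider demonstrably encrypts stored data


@dataclass
class TokenVault:
    """Token <-> value mapping; lives inside the enterprise, never uploaded."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    store: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        # A keyed HMAC makes the token deterministic (same value -> same
        # token, so records can still be joined in the cloud) but not
        # reversible without the vault.
        tag = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        token = "tok_" + tag
        self.store.setdefault(token, value)
        return token

    def detokenize(self, token: str) -> str:
        return self.store[token]


def spi_fields(record: dict) -> list:
    """Names of the fields whose values look like SPI."""
    return [
        k for k, v in record.items()
        if isinstance(v, str) and any(p.match(v) for p in SPI_PATTERNS.values())
    ]


def apply_boundary_policy(record: dict, classification: str,
                          dest: Destination, vault: TokenVault):
    """Decide whether a record may cross the boundary to `dest`.

    Returns ("allow", outbound_record) with SPI fields tokenized, or
    ("deny", reason).  `classification` is "public" or "confidential".
    """
    spi = spi_fields(record)
    if spi and dest.country != HOME_COUNTRY:
        return "deny", (f"SPI fields {spi} may not leave {HOME_COUNTRY} "
                        f"({dest.name} is in {dest.country})")
    if classification == "confidential" and not dest.encrypts_at_rest:
        return "deny", (f"confidential data requires encryption; "
                        f"{dest.name} does not encrypt at rest")
    outbound = dict(record)
    for k in spi:
        outbound[k] = vault.tokenize(record[k])
    return "allow", outbound


if __name__ == "__main__":
    # Constructed sample record and destinations (not real data).
    vault = TokenVault()
    record = {"name": "A. Person", "email": "a.person@example.com",
              "note": "renewal due"}
    for dest in (Destination("au-cloud", "AU", True),
                 Destination("us-cloud", "US", True),
                 Destination("au-plain", "AU", False)):
        print(dest.name, apply_boundary_policy(record, "confidential", dest, vault))
```

The two deny branches correspond to the data-location and encryption rules the educated user on slide 10 is expected to know; the allow branch shows what the cloud actually receives (a token in place of the e-mail address), while the mapping needed to recover it never leaves the vault.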
  11. Conclusion
     • Data protection in the cloud starts with data protection in the enterprise
     • A balanced approach is needed:
       • Governance, policy and process
       • User awareness
       • Technical security controls
       • Trust, compliance and assurance
  12. Thank you!