Cloud Computing - Data Security Lifecycle In The Cloud
Cloud computing - Data Security Lifecycle - contact Mike per e-mail for the ppt-version

Published in: Technology, Business
  1. Data Security Lifecycle versus Cloud Computing
     What questions are relevant concerning data security lifecycle in the cloud?
     drs. Mike Chung RE
     © 2008 KPMG Advisory, a Dutch limited liability company and member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
  2. Cloud computing as phenomenon
     • Cloud computing is considered the most important IT service model for 2010 and beyond
       – Over 50% of all Fortune 500 enterprises are already using cloud computing services
       – More than 10 million companies will be using cloud computing services by 2012
       – Spending on cloud computing services will grow almost threefold, reaching $42 billion by 2012 (Source: IDC)
     • All major software vendors and IT integrators are investing heavily in cloud computing offerings
     • Increasing bandwidth of the internet is paving the way for ‘reliable’ online services
     • Demand for cloud computing services is growing rapidly due to the economic downturn
     © (2010) KPMG Advisory N.V., member of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
  3. Definition of cloud computing 2/2
     • Hosted service from the (inter)net, metaphorically depicted as a cloud
     • ‘ASP 2.0’
     • Examples:
       – Software-as-a-Service (Salesforce.com, Gmail, Microsoft Online)
       – Platform-as-a-Service (GoogleApps, Force.com, 3tera AppLogic)
       – Infrastructure-as-a-Service (Amazon EC2, Citrix Cloud Centre)
     [Figure: ‘On-premise’ versus cloud computing. On-premise: customer, users, IT services, internal IT holding hardware, software + data; software licences + support costs paid to the software vendor. Cloud computing: customer, users, IT services over the internet from the cloud vendor, which holds hardware, software + data; subscription or ‘pay as you go’.]
  4. Security issues are real
     • Google Web Service vulnerability leaked database usernames and passwords (2007)
     • Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
     • Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
     • Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
     • Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)
  5. Specific risk factors concerning the cloud 1/2
     • External data storage
       - Weak control over data (failing backup & recovery)
       - Legal complications (violation of privacy, conflicting legislation)
       - Viability uncertain (insufficient guarantee of continuity and availability of services)
     • Multi-tenancy architecture
       - Inadequate segregation of data
       - Poor Identity and Access Management (IAM)
       - Insufficient logging and monitoring
       - Weakest link is decisive (virtualisation, shared databases)
  6. Specific risk factors concerning the cloud 2/2
     • Use of the public internet
       - Vague and/or non-existent accountability and ownership
       - Loss, misuse and theft of data
       - No access to data and/or services
     • Integration with the internal IT environment
       - Unclear perimeters
       - No connection and/or alignment with internal security
       - Complexity of integration
  7. Data Security Lifecycle: phases
     Create → Store → Use → Share → Archive → Destroy
  8. Data Security Lifecycle versus the cloud: phase ‘create’
     • Data classification
       - What data is valuable/confidential?
       - How should the data be classified?
       - What data can be disclosed freely?
     • Assignment of rights to create
       - What rights/permissions must be assigned to individuals/accounts?
       - What rights/permissions must be assigned to, or limitations enforced on, different devices/media and/or locations?
     • Integrity of creation
       - How to assure that a specific individual/group has created the data?
       - How to assure that specific data instances have been merged?
  9. Data Security Lifecycle versus the cloud: phase ‘store’ 1/2
     • Access Management
       - What access controls and processes have been put in place on the externally hosted systems?
       - What access controls have been put in place within the organisations involved (the customer(s) and the cloud provider(s))?
     • Data integrity & confidentiality
       - In what (geographic) location(s) is my data stored?
       - How is my data segregated/separated/compartmentalised from other customers’ data?
       - How to assure that my data cannot be commingled with other customers’ data?
       - How to assure that my data does not get inferred, contaminated and/or aggregated inadvertently?
  10. Data Security Lifecycle versus the cloud: phase ‘store’ 2/2
     • Encryption at rest
       - What mechanisms are in place for data encryption?
       - What data should be encrypted?
       - Who is responsible for key management?
       - Single key or multiple keys?
     • Compliance
       - Does external storage influence the applicable regulations and legislation?
       - Are third parties or government bodies able to seize your data?
     • Data recovery
       - What is the recovery mechanism?
       - What is the backup schedule?
  11. Data Security Lifecycle versus the cloud: phase ‘use/share’ 1/2
     • Availability
       - How to assure that my data is available for use in the cloud?
       - What are the SLAs and penalties?
     • Logging & Monitoring
       - What activities are logged and monitored (real-time, periodic)?
       - What logging & monitoring reports are required and available?
     • Discovery
       - How can specific data be discovered?
       - How can specific data be retrieved?
  12. Data Security Lifecycle versus the cloud: phase ‘use/share’ 2/2
     • Assignment of rights to use/share
       - Who is responsible for Identity & Access Management?
       - What rights/permissions must be assigned to individuals/accounts?
       - What rights/permissions must be assigned to, or limitations enforced on, different devices/media and/or locations?
       - What are the permissible methods to share?
     • Non-repudiation
       - How to assure that a specific person or system has sent/provided the data?
     • Encryption in transit
       - What mechanisms are in place for secure transfer?
       - What data should be encrypted?
       - Who is responsible for the connection?
  13. Data Security Lifecycle versus the cloud: phase ‘archive’
     • Media
       - On what type of media (tape, disk) must the data be archived?
       - What are the physical requirements regarding archiving?
     • Encryption at rest
       - What mechanisms are in place for data encryption?
       - What data should be encrypted?
       - Who is responsible for key management?
     • Asset management and tracking
  14. Data Security Lifecycle versus the cloud: phase ‘destroy’
     • Data destruction
       - How to assure that not only the content but also all key material will be destroyed?
       - How to assure that the data is unrecoverable?
       - How to assure that the data and all backups have been erased completely?
     • Confirmation
       - How does the cloud provider confirm the destruction process?
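The ‘destroy’ questions above and the key-management questions under phase ‘store’ 2/2 (who holds the keys, single key or multiple keys) meet in one mechanism: when data at rest is sealed per tenant under a key the customer controls, destroying that key makes every provider-held copy of the ciphertext, backups included, unrecoverable. The Go example below is added here and is not from the slides or from KPMG; it uses standard-library AES-GCM, and the keys and records in its test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed demo of crypto-shredding for the 'destroy' phase: data at rest is
// sealed under a per-tenant key the customer controls, so shredding that key
// leaves every provider-held copy of the ciphertext, backups included, unreadable.

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || AES-GCM ciphertext+tag, with a fresh random nonce per call.
func Seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open authenticates and decrypts; with a shredded key the GCM tag fails to verify,
// so the caller gets an error rather than plaintext.
func Open(key, blob []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.New("cannot open: unusable key or truncated blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Shred zeroes key material in place; a destruction process must apply it to every
// copy of the key (customer store, provider store, key backups).
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}
```

The ‘confirmation’ bullet is the part code cannot give you: the provider still has to attest that its own key copies and key backups went through the same erase.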
  15. Conclusion
     • Questions concerning the Data Security Lifecycle for cloud computing are similar to those for on-premise IT, yet emphasise different elements such as the location of your data, data recovery and data destruction
     • Data Security Lifecycle Management must be an essential part of cloud computing governance
     • Do not assume that cloud providers have superior security measures and processes
     • You can phase out your IT, but not your data
     • You can transfer complexity to the cloud, but you’ll still bear the risks
  16. Contact information
     Drs. Mike Chung RE
     Manager/Lead Auditor
     Risk & Compliance
     +31 (0)6 1455 9916
     chung.mike@kpmg.nl