Privacy issues in the cloud final
 

    Presentation Transcript

    • Privacy Issues in the Cloud
      Presentation to the Chief Privacy Officers Council
      Constantine Karbaliotis
      Data Protection & Privacy Lead
      May 4, 2010

    • Agenda
      1 Introduction
      2 What is the Cloud?
      3 What do Security Professionals See as Risks?
      4 What are the Privacy Issues?
      5 What is the Real Problem?
      6 Conclusion/Q&A
      Privacy Issues in the Cloud - Constantine Karbaliotis

    • What is the Cloud?

    • What is “the Cloud”?
      • “Cloud computing” definitions:
        – Cloud computing is interconnected networks of IT enabled resources (i.e. services) delivered in a dynamically scalable and virtualized method, made available to customers for purchase via variable cost models based on usage.
          • Symantec
        – just as with a utility, enterprises can pay for information technology services on a consumption basis

    • Benefits and Risks
      Accelerating Trend
        – Growing market to reach $42 billion by 2012 - IDC
      Rewards
        – Takes advantage of virtualization
        – Provides on-demand services for easy scalability
        – Minimizes capital and operating costs expenditures
        – Provides access to expertise not available in-house
        – Enhances business agility
      Risks
        – Current lack of standardization
        – Relatively high switching costs for proprietary solutions
        – Security and Privacy

    • What do Security Professionals See as Risks?

    • Top Security Threats to Cloud Computing
      • Abuse and Nefarious Use of Cloud Computing
      • Insecure Application Programming Interfaces
      • Malicious Insiders
      • Shared Technology Vulnerabilities
      • Data Loss/Leakage
      • Account, Service & Traffic Hijacking
      • Unknown Risk Profile
      • Source: Top Threats to Cloud Computing, Version 1.0, Cloud Security Alliance, http://www.cloudsecurityalliance.org/topthreats

    • Governance Concerns
      PERCEIVED RISKS IN CLOUD COMPUTING
      • Uncertain ability to enforce security policies at a provider: 23 percent
      • Inadequate training and IT auditing: 22 percent
      • Questionable privileged access control at provider site: 14 percent
      • Uncertain ability to recover data: 12 percent
      • Proximity of data to another customer’s: 11 percent
      • Uncertain ability to audit provider: 10 percent
      • Uncertain continued existence of provider: 4 percent
      • Uncertain provider regulatory compliance: 4 percent
      Source: Price Waterhouse Cooper/CISO-CIO Magazine Survey, 2010

    • What are the Privacy Risks?

    • Privacy Risks with Cloud Computing
      • Certain types of data may trigger specific obligations under national or local law
      • Vendor issues:
        – Organizations may be unaware they are even using cloud-based vendors
        – Due diligence still required as in any vendor relationship
        – Data security is still the responsibility of the customer
        – Service Level agreements need to account for access, correction and privacy rights
      • Data Transfer:
        – Cloud models may trigger international legal data transfer requirements
      Source: Hunton & Williams, “Outsourcing to the cloud: data security and privacy risks”, March 15, 2010

    • What is the Real Problem?

    • Ponemon Study for Symantec: Summary
      • Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services
      • Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors
      • Organizations are adopting cloud technologies without the usual vetting procedures
      • Employees are making decisions without their IT departments’ insights or full knowledge of the security risks involved
      • Two years from now, most respondents plan to use cloud computing much more intensively than they do today
      • Yet even as momentum for cloud computing builds, doubts about security difficulties of cloud computing persist
      • Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors.

    • Ponemon Study finds Fewer than One in Ten Companies Evaluate Vendors or Train Employees on Cloud Security:
      • More than 75 percent of respondents noted that the migration to cloud computing was occurring in a less-than ideal manner, due to a lack of control over end users
      • Only 27 percent of respondents said their organizations have procedures for approving cloud applications that use sensitive or confidential information
      • 68 percent indicated that ownership for evaluating cloud computing vendors resides with end users and business managers
      • Only 20 percent of the organizations surveyed reported that their information security teams are regularly involved in the decision making process and approximately a quarter said they never participated at all
      • 69 percent of the respondents indicated they would prefer to see the information security or corporate IT teams lead the cloud decision making process

    • Policy and Procedural Gaps
      Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010

    • Ineffective Review

    • Cloud Computing Vendors Review “Process”
      Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010

    • Organizational steps to ensure data protection
      Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010

    • Conclusion/Q&A

    • Managing Privacy in the Cloud
      • Policies and procedures must explicitly address cloud privacy risks
      • Information governance must be put in place that:
        – Provides tools and procedures for classifying information and assessing risk
        – Establish policies for cloud-based processing based upon risk and value of asset.
      • Evaluate third parties’ security and privacy capabilities before sharing confidential or sensitive information.
        – Thorough review and audit of vendors
        – Independent third party verification
      • Train employees and staff accordingly to mitigate security/privacy risks in cloud computing
        – Address from multi-departmental perspective

    • Model for Managing Cloud Risks - Governance
      • Strategy:
        – What kinds of data will you as a matter of course not allow to go to the cloud? What kind of cloud is appropriate for certain types of data?
        – Implicit: you have a data classification system that you follow and know the value of your data assets
      • Education & training
        – Train users/business units that this requires vendor review just as any other vendor
      • Resources & Ownership
        – Academic to have nice policies, contractual language permitting audit rights, if you don’t have staff to do it
        – Everyone wants Information Security or IT to own this – equip them

    • Model for Managing Cloud Risks – Formal Risk Management
      • Privacy Risk/Impact Assessment
        – Document ownership of risks, mitigations
      • Data Flow Diagram
        – Identify types of PII in flow, as well as what systems, entities and jurisdictions that data flows through
      • Security Assessments & Measures
        – Appropriate measures to ensure adequate application security, development processes and penetration/vulnerability testing
        – Require regular testing as well as at outset of relationship
        – Consider strategies based on encryption, data obfuscation

    • Model for Managing Cloud Risks – Contract & Audit
      • Legal Models
        – Develop appropriate contractual terms to ensure protection of the types of data you want to process:
          • Records retention & lawful access
          • Access
          • Data sharing risks/commingling
          • Jurisdictional risks
          • Flow-down of requirements for security, audit, evidence of compliance for sub-contractors
        – Revisit/revise customer privacy notices, agreements: do they reflect what you are doing with the data?
      • Monitoring
        – Ensure that there are mechanisms technical and organizational to assess and audit cloud vendor’s use of data
      • Audit and Third Party Certification
        – Ensure you have the ability to audit – and do it
        – Third party certifications as a minimum

    • Thank you!
      Constantine Karbaliotis, J.D., CIPP/C/IT
      constantine_karbaliotis@symantec.com
      416.402.9873
      Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
      This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.