Erkan Kahraman, Chief Trust Officer at Projectplace, gave a presentation on cloud services and security. He discussed Projectplace's security program and ecosystem which covers all aspects of cloud risks. Top customer concerns with cloud include legislation, privacy, security, and data ownership. The chief threats to cloud security are data breaches, loss, and account hijacking. Security measures discussed included encryption, access control, and monitoring. Ensuring customer trust requires considering location of data, terms of service, retention policies, and other factors. Government access to data varies by country and transparency reports provide some insight into requests.
4. Starting in January 2014, I assumed the Chief Trust Officer role at Projectplace, where I continue to oversee our security program as well as taking on the responsibility to maintain customer trust, regulatory compliance and third party assurance.
We designed the Projectplace Security, Trust and Assurance ecosystem to cover all aspects of cloud computing risks and address common concerns.
Erkan Kahraman
Chief Trust Officer (formerly known as the Chief Information Security Officer)
5. What do we do?
At Projectplace, we have built a security program which focuses on customers by implementing user-friendly, customer-driven security controls and improving communication. An example is how we put customers first in incident management. We know that information security incidents will occur. When they do, how companies respond will directly impact the customer experience.
10. The Notorious Nine: Cloud Computing Security Top Threats
A survey by the not-for-profit Cloud Security Alliance (CSA), which provides best practices and education for people in the industry, found that the worry of data breaches was the top threat, followed by data loss and account hijacking.
› Data Breaches
› Data Loss
› Account Hijacking
› Insecure APIs
› Denial of Service
› Malicious Insiders
› Abuse and Nefarious Use
› Insufficient Due Diligence
› Shared Technology Issues
11. Traditional Security Triad: CIA
Confidentiality: perimeter security, access control, encryption, user account and password management.
Integrity: physical and environmental measures, protection against malware, file integrity monitoring (FIM), audit logging, monitoring and traceability.
Availability: SLA, RPO/RTO, independent monitoring, redundancy, disaster recovery and BCP, backups and restoration, web accelerators.
12. Tools of the trade: 2FA
Double protection with two-step verification. Add a second layer of protection to your accounts on Google, Facebook, Twitter, Yahoo, Dropbox, and Projectplace with 2-factor authentication. (https://twofactorauth.org/)
15. “The nine most important words in cloud computing are: terms of service, location, location, location, and provider, provider, provider.”
- Bob Gellman at the Computers, Freedom, and Privacy Conference.
16. Trust factors
› Applicable legislation (Location, location, location)
› Data Ownership (Terms and Conditions)
› Data Retention (and data portability)
› Integration with existing systems (APIs, Single Sign-on)
› Escrow and Exit strategies
› Privacy Statement, Cookie Information
17. Which law applies to data held in a cloud?
The countries around the world do not respond in the same manner, and it is difficult to predict what a particular court will rule.
The proposed reform to EU Data Protection law seeks to protect EU citizens' personal data regardless of where it is. Similarly, industry-specific regulations such as HIPAA and PCI DSS are applicable to certain data elements regardless of where they are stored.
Recently, Microsoft had to comply with a US supreme court order which requested disclosure of information located at the company's European cloud service hosted in Ireland. The reasoning behind the court's ruling was mainly that Microsoft's US-based Global Compliance Unit had access to the requested information via programmatic tools and established business processes.
18. Which law applies to data held in a cloud?
In another highly publicized case against Facebook in Germany, the court ruled that Facebook was subject only to the law of the country in which it has its headquarters. The case had to do with a requirement on the sign-up page of the German version of Facebook. A privacy organization had filed a lawsuit against Facebook to require Facebook to make certain changes. Facebook's European headquarters are located in Ireland. The German court ruled that German law did not apply because Facebook is registered as a company in Ireland, and not in Germany, thus Irish law should apply. While Facebook has operations in Germany, the court found that the Facebook German subsidiary is only an ad sales and marketing organization that is not affected by the specific lawsuit.
19. What is happening with the EU Data Protection Law?
In January the European Commission announced that the EU’s existing regime of data protection directives that guide national laws, such as the UK’s Data Protection Act, will be replaced with common EU data protection regulations across all member states. The reform is designed to ensure people have more effective control over their personal data and make it easier for businesses to operate and innovate within the EU.
Included in the reforms is the “right to be forgotten”, meaning that if there are no legitimate grounds for retaining your data, it must be deleted. This is designed to empower individuals and restore their confidence in the way their data will be handled, the EU is keen to emphasise. The new Regulation would also grant individuals a “right to portability”, which would require companies to provide customers with a copy of their data when the customer moves to a different service.
21. How often do governments gain access to my information in the cloud?
It is impossible to give a definitive answer, as some requests, such as those related to national security, may be required to be confidential. However, a very useful resource is the small but growing trend towards transparency reports. Google has the most extensive transparency report, which provides statistics on the number of requests for user data as well as data removal requests, broken down by country.
22. US Wiretap Report (2013)
3,576 authorised wiretaps
The number of federal and state wiretaps reported in 2013 increased 5 percent from 2012. A total of 3,576 wiretaps were reported as authorized in 2013, with 1,476 authorized by federal judges and 2,100 authorized by state judges. Only one state wiretap application was denied in 2013.
1 wiretap application denied
24. Assurance factors
› Industry accepted standards such as ISO27001.
› SOC2 Type II Audit reports (formerly SSAE-16).
› Cloud Security Alliance STAR.
› Other technology certificates and seals.
› Independent audits.
25. “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”
- Donald Rumsfeld, U.S. Secretary of Defense