Porticor - Can Data be safe in Public Clouds, in Compliance with Standards



  1. Can Data be Safe in Public Clouds, in Compliance with Standards?
     Gilad Parann-Nissany
     http://www.porticor.com contact@porticor.com
     CloudCon, March 30th, 2011
     3/29/2011
     www.porticor.com © PORTICOR 2009, 2010
  2. The Cloud Security Scales
     - Let's talk about solutions
     - Scare Stories? Or real issues?
  3. Threat Analysis: I/PaaS
     - Shared Technology Vulnerabilities
     - Data Loss/Data Leakage
     - Malicious Insiders
     - Account Service or Hijacking of Traffic
     - Insecure APIs
     - Nefarious Use of Service
     - Unknown Risk Profile
     PaaS: Platform as a Service
     IaaS: Infrastructure as a Service
     (*) courtesy “Cloud Security Alliance: Assuring the future of Cloud Computing”: S. Loureiro, 2010
  4. Typical Provider Customer Agreement
     7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
     Makes sense? Yes! But means you have to do some things…
  5. Provider responsibilities: What can you expect?
     - Strong investment in security of the infrastructure
     - Compliance with standards
       - SAS70
       - ISO 27K
       - PCI
     - Enabling (key word!) customers to be compliant
  6. Customer responsibilities: What can you expect?
     - Detailed advice from White Papers, Industry bodies and the community
     - Emphasis on your responsibility for
     - Security of whatever you install on the Cloud infrastructure
     - Identities and their management
     - Encryption and management of data
     - Significant implementation
     - Ability to achieve certification with standards (PCI, HIPAA, …)
  7. Cloud Security: Making it all happen
     - Combining the security of the Cloud Infrastructure with your own responsibilities
     - How? And…
     - … What has really changed? What’s new, what carries over from the “old world”?
  8. What’s new? What carries over?
     - Some known concepts translate to cloud with a twist
       - APIs
       - SaaS security
       - Usage of IaaS
     - And of course, there is some pretty new stuff
     - More about this later…
  9. Translating known concepts to cloud
     - Examples
     - …and more
  10. Some new considerations
      - Secure distributed data storage
      - Key management
      - Hypervisors and virtual machines
      - Role of encryption changes
      - New data protection measures emerge (i.e. fragmentation)
      - Physical security of cloud environments
  11. Elasticity, Flexibility, Management
      - Package complex privacy and security technology
      - Get the operations and economics right
      - Pay as you go
      - Privacy and security solutions can be brought up in a reasonable time – not months
      - Privacy and security have proper service level guarantees
      - Backed by proper SLA and/or Warranty
  12. Thank You!
      Questions?