The document discusses cloud computing security and privacy challenges. It defines cloud computing and outlines essential characteristics, service models, and deployment models. It then discusses technical, policy, organizational, legal, and economic risks to security and privacy in cloud computing. The document concludes by recommending certification processes and standards, and discussing the need for technology solutions, compliance, and transparency to build trust in cloud computing.

1. Cloud Computing Security and Privacy to gain Trust SMARTEVENT 2010 September 23 Sophia Antipolis Christian GOIRE

2. Cloud Computing Definition(s) 06/01/11 Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction . This cloud model promotes availability and is composed of five essential characteristics, three service models , and four deployment models . NIST Definition Built on compute and storage virtualization , provides scalable , network-centric, abstracted IT infrastructure , platforms , and applications as on-demand services that are billed by consumption . Gartner’s definition : "a style of computing where scalable and elastic IT-related capabilities are provided 'as a service' to external customers using Internet technologies."

3. The NIST Cloud Definition Framework 06/01/11 Deployment Models Service Models Essential Character-istics Common Character-istics Homogeneity Massive Scale Resilient Computing Geographic Distribution Community Cloud Private Cloud Public Cloud Hybrid Clouds Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network Access Rapid Elasticity Measured Service On Demand Self-Service Low Cost Software Virtualization Service Orientation Advanced Security

4. 3 main Services Models 06/01/11

5. Cloud Providers – A Birds Eye View 06/01/11 Infrastructure as a Service Platform as a Service Software as a Service

6. Main aspects forming a cloud system 06/01/11

7. Expert group report (Excerpts) Non- functional aspects Elasticity Reliability Quality of Service Agility and adaptability Availability 06/01/11

8. Continued (2) Economic aspects Cost reduction Pay per use Improved time to market Return of investment Turning CAPEX into OPEX Going Green 06/01/11

9. Continued (3) Technological Aspects Virtualisation Multi- tenancy Security, Privacy and compliance Data Management API’s and / or Programming Enhancements Metering Tools 06/01/11

10. Research time line (in year) of the individual topics 06/01/11

11. Security and Privacy Challenges The massive concentrations of resources and data present a more attractive target to attackers The challenges are not new but Cloud computing intensifies them 06/01/11

12. Technical risks Resource exhaustion Isolation failure Cloud provider malicious insider, abuse of high privilege Management interface compromise Intercepting data in transit Data leakage on up /download, intra- cloud Insecure or ineffective deletion of data Distributed Denial of service DDoS Economic denial of service EDOS Loss of encryption keys Undertaking malicious probes and scans Compromise service engine Conflicts between customer procedures and cloud 06/01/11

13. Policy and organizational risks Lock -in Loss of governance Compliance challenges Loss of business reputation due to co -tenant activities Cloud service termination or failure Cloud provider acquisition Supply chain failure 06/01/11

14. Legal risk Subpoena and e- discovery Risk from change of jurisdiction Data protection risk Licensing risks 06/01/11

15. Research recommendations Certification processes and standards for the Cloud 06/01/11

16. Research recommendations Metrics for security in cloud computing Return on security investments Effects of different forms reporting breaches on security Techniques for increasing transparency /level of security Location tagging, data type tagging, policy tagging Privacy (data provenance) tracing data end to end End to end data confidentiality in the cloud and beyond: Encrypted search (long term) Encrypted processing schemes (long term) Encryption and confidentiality tools for social applications in the cloud Trusted computing in clouds, trusted boot sequence for virtual machine stack Standardization etc. 06/01/11

17. Legal recommendations Legal issues to be resolved during the evaluation of the contracts (ULA User Licensing Agreement, SLA Service Level Agreement) Data protection Data security Data Transfer Law enforcement access Confidentiality and non disclosure Intellectual property Risk allocation and limitation of liability Change of control 06/01/11

18. Conclusion Technology solutions ; privacy by design Compliance with transparency provisions vis-à-vis individuals Ensure that customers know about the location of their data Ensure that they properly understand the risks so that they make informed choices Current review process of the existing Data Protection Directive 06/01/11