Erkan Kahraman, Chief Trust Officer at Projectplace, gave a presentation on cloud services and security. He discussed Projectplace's security program and ecosystem which covers all aspects of cloud risks. Top customer concerns with cloud include legislation, privacy, security, and data ownership. The chief threats to cloud security are data breaches, loss, and account hijacking. Security measures discussed included encryption, access control, and monitoring. Ensuring customer trust requires considering location of data, terms of service, retention policies, and other factors. Government access to data varies by country and transparency reports provide some insight into requests.

1. Frukostseminarium om
molntjänster
Rigoletto den 19 mars 2015

2. Erkan Kahraman | Chief Trust Officer | erkank@projectplace.com
excellence in collaboration

4. Starting on January 2014, I assumed the
Chief Trust Officer role at Projectplace where
I continue to oversee our security program as
well as taking on the responsibility to
maintain customer trust, regulatory
compliance and third party assurance.
We designed Projectplace Security, Trust and
Assurance ecosystem to cover all aspects of
cloud computing risks and address common
concerns.
Erkan Kahraman
Chief Trust Officer (formerly known as the Chief Information Security Officer)

5. At Projectplace, we have built a security program which
focuses on customers by implementing user-friendly,
customer-driven security controls and improving
communication. An example is how we put customers first
in incident management. We know that information
security incidents will occur. When they do, how
companies respond will directly impact the customer
experience.
What do we do?

6. Security, Trust and Assurance
an way to confidence in the cloud

7. Top Customer Concerns
legislation accountability privacy confidentiality
integration retention privacy Security availability
legislation exit strategies encryption confidentialit
privacy data integrity regulations retention availabi
encryption confidentiality data ownership exit strat
data integrity acccountability retention integration
1 According to ”2012 Cloud Computing Market Maturity” survey conducted jointly by
Cloud Security Alliance (CSA) and ISACA.

8. Security, Trust and Assurance
ecosystem

9. Security

10. The Notorious Nine:
Cloud Computing Security Top Threats
A survey by not-for-profit firm Cloud Security Alliance (CSA), which provides best
practices and education for people in the industry, found that the worry of data
breaches was the top threat, followed by data loss and account hijacking.
› Data Breaches
› Data Loss
› Account Hijacking
› Insecure APIs
› Denial of Service
› Malicious Insiders
› Abuse and Nefarious Use
› Insufficient Due Diligence
› Shared Technology Issues

11. Traditional Security Triad: CIA
Confidentiality
Perimeter security, Access control,
Encryption, User Account and Password
Management
Integrity
Physical and Environmental
measures, protection against malware, FIM,
audit logging, monitoring and traceability
Availability
SLA, RPO/RTO, Independent monitoring,
redundancy, Disaster Recovery and BCP,
Backups and Restoration, Web Accelerators

12. Tools of the trade: 2FA
Double protection with
two-step verification.
Add a second layer of
protection to your accounts
on Google, Facebook, Twitter,
Yahoo, Dropbox,
and Projectplace with 2-factor
authentication.
(https://twofactorauth.org/)

13. Why transport layer security
matters?
› BEAST, Heartbleed, Poodle
› Snowden’s NSA relevations,
encryption strength (AES
256).

14. Trust

15. The nine most important words in cloud
computing are: terms of service,
location, location, location, and
provider, provider, provider
“
“- Bob Gellman at the Computers, Freedom, and Privacy
Conference.

16. Trust factors
› Applicable legislation (Location, location, location)
› Data Ownership (Terms and Conditions)
› Data Retention (and data portability)
› Integration with existing systems (APIs, Single Sign-
on)
› Escrow and Exit strategies
› Privacy Statement, Cookie Information

17. The countries around the world do not respond in the same manner and it is
difficult to predict what a particular court will rule.
The proposed reform to EU Data Protection law seeks to protect EU citizens'
personal data regardless where it is. Similarly, industry specific regulations
such as HIPAA and PCI DSS are applicable to certain data elements
regardless where it is stored.
Recently, Microsoft had to comply with a US supreme court order which
requested disclosure of information located at the company's European cloud
service hosted in Ireland. The reasoning behind the court's rule was mainly
due to the fact that Microsoft's US based Global Compliance Unit had access
to the information requested via programmatical tools and established
business processes.
Which law applies to data held in a
cloud?

18. In another highly publicized case against Facebook in Germany, the court
ruled that Facebook was subject only to the law of the country in which it has
its headquarter. The case had to do with a requirement on the sign-up page of
the German version of Facebook. A privacy organization had filed a lawsuit
against Facebook to require Facebook to make certain changes. Facebook
European headquarters are located in Ireland. The German court ruled that
German law did not apply because Facebook is registered as a company in
Ireland, and not in Germany, thus Irish law should apply. While Facebook has
operations in Germany, the court found that the Facebook German subsidiary
is only an ad sales and marketing organization that is not concerned by the
specific lawsuit.
Which law applies to data held in a
cloud?

19. What is happening with the EU
Data Protection Law?
In January the European Commission
announced that the EU’s existing
regime of data protection directives
that guide national laws such as the
UK’s Data Protection Act will be
replaced with common EU data
protection regulations across all
member states. The reform is
designed to ensure people have
more effective control over their
personal data and make it easier
for businesses to operate and
innovate within the EU.
Included in the reforms are the
“right to be forgotten”, meaning
that if there are no legitimate
grounds for retaining your data, it
must be deleted. This is designed to
empower individuals and restore
their confidence in the way their data
will be handled, the EU is keen to
emphasise. The new Regulation
would also grant individuals a “right
to portability”, which would require
companies to provide customers
with a copy of their data when the
customer moves to a different
service.

21. It is impossible to give a definitive
answer as some requests, such as
those related to national security, may
be required to be confidential.
However, a very useful resource is the
small but growing trend towards
transparency reports. Google has the
most extensive transparency report,
which provides statistics on the
number of requests for user data as
well as data removal requests, broken
down by country.
How often do the governments to gain
access to my information in the cloud?

22. US Wiretap Report
(2013)
3576Authorised wiretaps
The number of federal and
state wiretaps reported in
2013 increased 5 percent
from 2012. A total of 3,576
wiretaps were reported as
authorized in 2013, with
1,476 authorized by federal
judges and 2,100 authorized
by state judges. Only one
state wiretap application
was denied in 2013.
1Wiretap application denied.

23. Assurance

24. Assurance factors
› Industry accepted standards such as ISO27001.
› SOC2 Type II Audit reports (formerly SSAE-16).
› Cloud Security Alliance STAR.
› Other technology certificates and seals.
› Independent audits.

25. There are known knowns; there are things
we know we know. We also know there are
known unknowns; that is to say, we know
there are some things we do not know. But
there are also unknown unknowns -- the
ones we don't know we don't know.
- Donald Rumsfeld, U.S. Secretary of Defence
“

26. Thank you!
Erkan Kahraman | Chief Trust Officer | erkank@projectplace.com

27. excellence in collaboration

28. Cloud computing
Business considerations before making the leap

29. ©TranscendentGroupSverigeAB2015
Internet based
data access and
exchange
Internet based
access to low
cost computing
and applications
The cloud

30. Characteristics
On-demand
self service
Internet
access
Pooled
resources
Elastic
capacity
Usage based
billing
©TranscendentGroupSverigeAB2015
Software as a service
Source: http://www.nist.gov/itl/cloud/
Infrastructure as a
service
Platform as a service
Private cloud
Public cloud
Hybrid cloud
Community cloud

31. Cloud computing is portrayed
as a valuable consideration for
enterprise IT integration,
however adoption of cloud
computing models carry a
number of challenges.
©TranscendentGroupSverigeAB2015

32. ©TranscendentGroupSverigeAB2015
Business
challenges
Security
and privacy
Operational
Technology
Regulatory
and comp-
liance
Vendor
Financial

33. ©TranscendentGroupSverigeAB2015
Drivers
• Pay as you go
• Virtual and on-demand
• Agility, flexibility, elasticity
• Multi-tenancy
• Ease of implementation
• Pooled resources
Challenges
• Privacy and security
• Reliability and availability
• Transition and execution risk
• Limited scope for
customization
• Cultural resistance
• Regulatory ambiguity
• Issues of taxation

34. Question 1: can we trust the
party who are processing our
data?
Question 2: how can we
check what the cloud service
provider is doing?
©TranscendentGroupSverigeAB2015

35. Contract/SLA
considerations
©TranscendentGroupSverigeAB2015
Initiate SRA
Provide security
requirements
Execute SRA
Vulnerability scans
System hardening
considerations
Cloud threats for
patching
Site visits
Abbreviated SRA
Vulnerability scans
Verify termination
of access rights
Verify data
destruction
Research vendor
SIM support
Forensic/
e-discovery support
Connectivity with
CSP
Discover
vendor and
define
requirements
Vendor
evaluation
Contract
negotiation
Solution
deployment
Vendor
monitoring
Vendor
transition

36. ©TranscendentGroupSverigeAB2015
Phase 1: generation
• ownership
• classification
• governance
Phase 2: use
• Internal versus
External
• Third Party
• Appropriateness
• Discovery/subpoena
Phase 3: transfer
• Public versus private
networks
• Encryption requirements
• Access control
Phase 4:
transformation
• Derivation
• Aggregation
• Lineage
• Integrity
Phase 5: storage
• Access control
• Structured versus
unstructured
• Integrity/availability/
confidentiality
• Encryption
Phase 6: archival
• Legal and compliance
• Offsite considerations
• Media concerns
• Retention
Phase 7: destruction
• Secure
• Complete
Compliance
• Audit and regulatory
• Legal
• Measurement
• Business objectives
Source: http://programming4.us/

37. www.transcendentgroup.com