Can Data be Safe in Public Clouds, in Compliance with Standards?

Gilad Parann-Nissany
http://www.porticor.com
contact@porticor.com
CloudCon, March 30th, 2011

3/29/2011 | www.porticor.com | © PORTICOR 2009, 2010

The Cloud Security Scales

  • Let's talk about solutions
  • Scare Stories? Or real issues?

Threat Analysis: I/PaaS

PaaS: Platform as a Service
IaaS: Infrastructure as a Service

  • Shared Technology Vulnerabilities
  • Data Loss/Data Leakage
  • Malicious Insiders
  • Account Service or Hijacking of Traffic
  • Insecure APIs
  • Nefarious Use of Service
  • Unknown Risk Profile

(*) courtesy “Cloud Security Alliance: Assuring the future of Cloud Computing”: S. Loureiro, 2010

Typical Provider Customer Agreement

7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.

Makes sense? Yes! But means you have to do some things…

Provider responsibilities: What can you expect?

  • Strong investment in security of the infrastructure
  • Compliance with standards
      • SAS70
      • ISO 27K
      • PCI
  • Enabling (key word!) customers to be compliant

Customer responsibilities: What can you expect?

  • Detailed advice from White Papers, Industry bodies and the community
  • Emphasis on your responsibility for
      • Security of whatever you install on the Cloud infrastructure
      • Identities and their management
      • Encryption and management of data
  • Significant implementation
  • Ability to achieve certification with standards (PCI, HIPAA, …)

Cloud Security: Making it all happen

  • Combining the security of the Cloud Infrastructure with your own responsibilities
  • How? And…
  • … What has really changed? What’s new, what carries over from the “old world”?

What’s new? What carries over?

  • Some known concepts translate to cloud with a twist
      • APIs
      • SaaS security
      • Usage of IaaS
  • And of course, there is some pretty new stuff
      • More about this later…

Translating known concepts to cloud

  • Examples
  • …and more

Some new considerations

  • Secure distributed data storage
  • Key management
  • Hypervisors and virtual machines
  • Role of encryption changes
  • New data protection measures emerge (i.e. fragmentation)
  • Physical security of cloud environments

Elasticity, Flexibility, Management

  • Package complex privacy and security technology
  • Get the operations and economics right
      • Pay as you go
  • Privacy and security solutions can be brought up in a reasonable time – not months
  • Privacy and security have proper service level guarantees
      • Backed by proper SLA and/or Warranty

Thank You!

Questions?
