Post on 22-Feb-2016
© Copyright 2010 EMC Corporation. All rights reserved.
Hey Enterprise! I’ve got my OWN Cloud!
IAPP 2010 Privacy Academy
Wayne Pauley, EMC Corporation
It Should be Easy, So What is Cloud?
Characteristics
• On Demand & Self-Service
• Broad Network Access
• Resource Pooling
• Rapid Elasticity
• Measured Service
Service Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Deployment Models
• Private Cloud
• Public Cloud
• Hybrid Cloud
• Community Cloud
Reference: NIST Definition
Cloud Vendor Taxonomy
Reference: OpenCrowd
Cloud Security & Compliance
Reference: Cloud Security Alliance
Segmentation – by Business Size
Consumer – Public Cloud
• Convenience Outweighs Risk
• Low Cost or Free
• Email, eCommerce, Social Nets, Gaming
SOHO/Startup – Public Cloud
• Convenience Outweighs Risk
• CAPEX vs OPEX
• Self-Service
• Back Office, Development, & Production
SMB – Hybrid Cloud
• Risk Averse on Tier 1 Apps
• SaaS: Salesforce, NetSuite
• Tier 2-4: Non OLTP/ATOM Apps
• Infra Apps: Cloud as Target for Backup, Archive, or Security
Enterprise – Private & Hybrid Cloud
• Tier 1: Licensing, Support, Risk
• Tier 2-4: Private Cloud
• Hybrid
• Infra Apps: Cloud as Target
• Websites, Portals, Grid
• Test/Dev – Scale, R&D
• SaaS: Salesforce, SAP, Oracle, MS
Segmentation – by Vertical
HealthCare – Public Cloud / Hybrid Cloud
• Government HITECH Incentives
• Access to Big Compute Power
• Data Repositories, Data Mining
• MS Health, Google Health, etc.
• Consumer apps, Rx, EHR, Monitoring and Alerting Systems
Government – Public Cloud
• Public Information (low risk)
• Scale & Cost
• OpenStack, FISMA Qualified
• USA.gov, Google Gov
Financial Services – Private Cloud
• Regulators watching, not yet approving
• Location of data, sharing resources at issue
• Extend private cloud to SPs
• Interested in cost reduction and burst scale
Education – Public Cloud
• Availability, Scale, Maintenance
• Online Courses & Labs
• Email, Docs/Collaboration, Research
• Blackboard, eCollege, Google Apps, MS Azure
Impact on Privacy
• Regulations
  – Multi-tenancy / Shared Resources
  – Data Location(s)
  – Transitivity
  – Backup/Recovery
  – SAS 70, PCI, and HIPAA Certifications
• Mitigation of Exposure
  – Audit/Assessment Requirements
  – Evidentiary Requirements
  – Background Checks
• Standards
  – CSA, ENISA, CloudAudit, SharedAssessments
Example Evaluation Model
• Security & Privacy Scorecard
• 4 Domains to Assess
  – Security
  – Privacy
  – Auditability
  – Service Levels
Cloud Provider Transparency Scorecard (Table 4. Transparency Instrument)

Full Assessment                                                 CP1 CP2 CP3 CP4 CP5 CP6
Security
  1  Portal Area for Security Information?                       1   1   1   1   0   1
  2  Published Security Policy?                                  1   1   1   0   0   0
  3  White Paper on Security Standards?                          1   1   1   1   1   1
  4  Does the policy specifically address multi-tenancy issues?  0   0   0   0   0   0
  5  Email or Online Chat for Questions?                         1   1   1   1   1   1
  6  ISO/IEC 27000 Certified?                                    0   0   1   0   1   1
  7  COBiT Certified?                                            0   0   1   0   1   1
  8  NIST SP800-53 Security Certified?                           0   0   0   0   1   0
  9  Offer Security Professional Services (assessment)?          0   0   1   1   1   1
 10  Employees CISSP, CISM, or other Security Certified?         0   0   1   1   1   1
     Security Sub-Total Score                                    4   4   8   5   7   7
Privacy
 11  Portal Area for Privacy Information?                        1   1   1   0   0   1
 12  Published Privacy Policy?                                   1   1   1   0   0   1
 13  Whitepaper on Privacy Standards?                            1   1   1   1   1   1
 14  Email or Online Chat for Questions?                         1   1   1   1   1   1
 15  Offer Privacy Professional Services (assessment)?           0   0   1   1   1   1
 16  Employees CIPP, or Other Privacy Certified?                 0   1   1   0   1   1
     Privacy Sub-Total Score                                     4   5   6   3   4   6
External Audits or Certifications
 17  SAS 70 Type II                                              1   1   1   1   1   1
 18  PCI-DSS                                                     0   0   1   1   1   1
 19  SOX                                                         1   0   1   0   1   1
 20  HIPAA                                                       1   0   1   0   1   1
     Audit Sub-Total Score                                       3   1   4   2   4   4
Service Level Agreements
 21  Do they Offer an SLA?                                       1   1   1   0   1   1
 22  Does the SLA apply to all Services?                         0   1   1   0   1   1
 23  99.9 = 1, 99.95 = 2, 99.99 = 3, 99.999 = 4, 100 = 5         1   2   1   0   5   1
 24  ITIL Certified Employees?                                   0   0   0   0   1   1
 25  Publish Outage & Remediation?                               1   1   1   1   0   0
     SLA Sub-Total Score                                         3   5   4   1   8   4
Total Score                                                     14  15  22  11  23  21
Reference: Cloud Provider Transparency, IEEE Security & Privacy
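The scorecard above is a simple additive instrument: 24 yes/no items plus one graded item (23), summed per domain and overall. The following script is an added example, not from the slides or the cited paper; it encodes that structure, re-scores the six providers exactly as the slide does, and rejects out-of-range answers. Item 23's percentage ladder is read here as a committed availability figure, and the rule that a figure between two rungs earns the lower rung is an assumption the slide does not state.

```python
"""Scores a provider on the 25-item transparency instrument shown above."""
from typing import Dict, List

# Domain -> item numbers on the slide's instrument (items 1..25).
DOMAINS = {
    "Security": range(1, 11),
    "Privacy": range(11, 17),
    "Audit": range(17, 21),
    "SLA": range(21, 26),
}
SLA_ITEM = 23  # the only graded item; every other item is scored 0 or 1

# Percentage ladder from item 23 (99.9 = 1 ... 100 = 5), read here as a
# committed availability figure. Assumption, not on the slide: a figure
# between two rungs earns the lower rung, and below 99.9 (or no SLA) earns 0.
SLA_TIERS = [(100.0, 5), (99.999, 4), (99.99, 3), (99.95, 2), (99.9, 1)]

def sla_points(availability_pct: float) -> int:
    """Map a committed availability percentage to item 23 points (0..5)."""
    for threshold, points in SLA_TIERS:
        if availability_pct >= threshold:
            return points
    return 0

def score(values: List[int]) -> Dict[str, int]:
    """Return each domain sub-total and the total, as on the slide.
    `values` holds items 1..25 in order: 0/1 for yes/no items, 0..5 for
    item 23 (derive it with sla_points). Out-of-range answers are rejected."""
    if len(values) != 25:
        raise ValueError(f"expected 25 item scores, got {len(values)}")
    answers = dict(zip(range(1, 26), values))
    for item, pts in answers.items():
        cap = 5 if item == SLA_ITEM else 1
        if not 0 <= pts <= cap:
            raise ValueError(f"item {item}: {pts} outside 0..{cap}")
    result = {d: sum(answers[i] for i in items) for d, items in DOMAINS.items()}
    result["Total"] = sum(result.values())
    return result

# The six providers exactly as scored on the slide (CP1..CP6), items 1..25.
SLIDE = {
    "CP1": [1,1,1,0,1,0,0,0,0,0, 1,1,1,1,0,0, 1,0,1,1, 1,0,1,0,1],
    "CP2": [1,1,1,0,1,0,0,0,0,0, 1,1,1,1,0,1, 1,0,0,0, 1,1,2,0,1],
    "CP3": [1,1,1,0,1,1,1,0,1,1, 1,1,1,1,1,1, 1,1,1,1, 1,1,1,0,1],
    "CP4": [1,0,1,0,1,0,0,0,1,1, 0,0,1,1,1,0, 1,1,0,0, 0,0,0,0,1],
    "CP5": [0,0,1,0,1,1,1,1,1,1, 0,0,1,1,1,1, 1,1,1,1, 1,1,5,1,0],
    "CP6": [1,0,1,0,1,1,1,0,1,1, 1,1,1,1,1,1, 1,1,1,1, 1,1,1,1,0],
}
```

Running score() over SLIDE reproduces the slide's sub-totals and totals (14, 15, 22, 11, 23, 21), which makes the six published columns a regression check before the instrument is applied to a new provider.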
Transformations
[Figure: “From This” / “To This” comparison panels; image not included in the transcript]
THANK YOU
References
Pauley, Wayne. Cloud Provider Transparency: An Empirical Evaluation. IEEE Security & Privacy, 2010 (in press).
Cloud Security Alliance – www.cloudsecurityalliance.org
NIST – http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
OpenCrowd – http://cloudtaxonomy.opencrowd.com/