The Data Melting Pot Computing in the Cloud. Becky Pinkard Manager, Security Operations Centres Research In Motion




Notable Quotes
January 2010, Mark Zuckerberg (Facebook founder): "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
February 2010, Michael McConnell (former US Director of National Intelligence): "We're not going to do what we need to do; we're going to have a catastrophic event [and] the government's role is going to change dramatically, and then we're going to go to a new infrastructure."
February 2010, Scott Borg (US Cyber Consequences Unit director): "The greatest damage to the American economy from cyber attacks is due to massive thefts of business information."
May 2011, Howard Stringer (CEO, Sony): After spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can't guarantee the security of the company's videogame network or any other Web system in the "bad new world" of cybercrime.

Agenda
Data monitoring in the cloud
Why is data classification necessary?
Understanding the importance of policy development, buy-in and roll-out prior to cloud utilisation.
What kind of data is created? Where is it being used, stored, and/or transmitted? Who is using it?
Measuring data policy compliance and reporting on usage and policy deviation.

Data Privacy & Regulations
1995: EU Data Protection Directive regulates processing of personal data within the EU
1998: Data Protection Act, the primary UK legislation responsible for protecting personal data
2000: US-EU Safe Harbour Framework enacted to assist US companies when working with data belonging to EU citizens
2003: California becomes the first US state to enact a data security breach notification law covering credit card, medical and health insurance data of California citizens. (As of 10/2010: 46 states with legislation; 2011: 14 states introducing legislation)
2006: First compliance deadline set by the Payment Card Industry for compliance with their proposed Data Security Standard (PCI/DSS)
2009: European Council approves a data breach notification rule for European telecom companies
2010: The UK Information Commissioner imposed new timelines and monetary penalty amounts (up to 500K) against future serious breaches of the 1998 DPA
May 26, 2011: The UK ICO is issuing new rules and guidance for websites using cookies to store data on end users' systems.

What are we dealing with here?
What kind of data is created?
Personal data
Credit card data
Proprietary or intellectual property
Company confidential data
Who had access to it?
Where is it stored?
How do we maintain/track access?
How do we report on provider compliance?

Definitions related to Data Privacy Regulation
Data Protection Regulator: in the UK, this function is carried out by the Information Commissioner's Office
Data Controller: an individual who, by themselves or jointly, decides the purposes and the manner in which any personal data are processed; has responsibility for ensuring that the data is maintained in compliance with the Data Protection Act
Data Processor: any individual or entity who obtains, records, and/or holds data; any entity performing operations on the data (including deleting, removing or otherwise destroying data) and/or disclosing it to third parties.

DPA Principles
The 8 principles of the DPA provide that data must be:
1. Fairly and lawfully processed
2. Obtained only for one or more specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Kept no longer than necessary
6. Processed in accordance with the rights of the data subject
7. Kept secure against unlawful or unauthorised processing, or accidental loss or erasure
8. Not transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection
http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx

Cloud Computing Definition
January 2011: NIST's most recent definition for cloud computing released (Special Publication 800-145). It includes:
5 essential characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity and Measured service
3 service models: Cloud Software as a Service, Platform as a Service and Infrastructure as a Service
4 deployment models: Private, Community, Public or Hybrid
http://csrc.nist.gov/publications/drafts/800-145/draft-sp-800-145_cloud-definition.pdf

Cloud Service Model Examples
Software as a Service: cloud-based software is contracted out for customer use (e.g. Salesforce.com, Zoho Office, Taleo, Google Apps)
Platform as a Service: the provider hosts specific business development applications on behalf of the customer (e.g. Force.com, Google App Engine)
Infrastructure as a Service: a corporation's entire data centre, storage or hardware needs could be hosted by the provider (e.g. 3Tera's AppLogic, Liquid Computing's LiquidQ, Amazon's EC2)

Cloud Computing & Security Risks
Gartner's seven cloud-computing security risks:
1. Privileged user access: providers should utilise employee security checks and control employee access to data
2. Regulatory compliance: the customer remains the data owner, but the provider must be open to audit and certification
3. Data location: providers must agree by contractual commitment to, and conform to, location-specific storage requirements and boundaries
4. Data at rest, in motion: segregation and encryption
5. Recovery assistance: replication and restoration in the event of disaster
6. Investigative support: contractual commitment for discovery and investigations
7. Long-term viability of the provider
http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Compliance and Reporting
RSA's Spring 2010 Security Bulletin: in cloud computing, the virtualization layer provides:
Increased visibility into almost every activity involved in providing application services
Fine-grained monitoring capabilities which can dramatically improve reporting processes for cloud auditing and compliance
From a regulatory compliance perspective, the lack of physical borders can make it difficult to comply with jurisdiction-specific privacy legislation
http://www.rsa.com/newsletter/vantage/spring2010/vantage_cloud_control.pdf

Colocation Concerns
Some additional items to keep in mind (http://www.colocationprovider.org/choosingacolocationprovider.htm):
1. Does the Colocation Provider have technical staff available 24/7?
2. How long has the Colocation Service Provider been in business? Are they financially profitable?
3. Network redundancy and pipe size: how many other networks does the Colocation Provider connect to? What size connections exist?
4. What kind of security does the Colocation Facility offer?
5. Does the Colocation Provider have redundant power? Do they use a standard back-up generator or a prime source type of generator for back-up power?
6. Is the A/C System in each section of the Colocation Facility redundant?
7. Does the Colocation Provider offer secure locking cabinets or just racks in a shared cage?
8. Does the Provider offer worldwide colocation capabilities?

Cloud Computing is Not the Challenge
1. It's no longer IT security or Information Security; it's Data Security. (The perimeter is dead!)
2. Security will never be absolute. As far as data leakage goes, it's not 'how' will it happen, it's 'when'. As security professionals, we can no longer worry solely about securing the data; we have to focus on what it will cost us once the data has been breached. Whoever pays less in the end wins.

Be Careful Out There

References
http://www.pcworld.com/article/186584/facebook_ceo_challenges_the_social_norm_of_privacy.html
http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/#ixzz0hjvbsbq2
http://www.infowars.com/intel-boss-mcconnell-says-u-s-would-lose-cyberwar/
http://loadtest.story.news.yahoo.com/s/afp/20100224/pl_afp/usitcomputersecurityinternet_20100224161832
http://www.mondaq.com/article.asp?articleid=93070
http://www.dft.gov.uk/about/informationcharter/dataprotectionact
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1373688,00.html
http://www.networkworld.com/news/2009/042309-cloud-computing-a-security-nightmare.html
http://www.scmagazineuk.com/avoiding-the-security-pitfalls-of-cloud-computing/article/118523/
http://csrc.nist.gov/publications/drafts/800-144/draft-sp-800-144_cloud-computing.pdf
http://www.ico.gov.uk/~/media/documents/pressreleases/2011/ico_welcomes_new_powers_news_release_20110420.ashx