The Data Melting Pot: Computing in the Cloud
Becky Pinkard, Manager, Security Operations Centres, Research In Motion
Notable Quotes
January 2010, Mark Zuckerberg (Facebook founder): "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
February 2010, Michael McConnell (former US Director of National Intelligence): "We're not going to do what we need to do; we're going to have a catastrophic event [and] the government's role is going to change dramatically, and then we're going to go to a new infrastructure."
February 2010, Scott Borg (US Cyber Consequences Unit director): "The greatest damage to the American economy from cyber attacks is due to massive thefts of business information."
May 2011, Howard Stringer (CEO, Sony): After spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can't guarantee the security of the company's videogame network or any other Web system in the "bad new world" of cybercrime.
Agenda
Data monitoring in the cloud: why is data classification necessary?
Understanding the importance of policy development, buy-in and roll-out prior to cloud utilisation.
What kind of data is created? Where is it being used, stored, and/or transmitted? Who is using it?
Measuring data policy compliance and reporting on usage and policy deviation.
Data Privacy & Regulations
1995: EU Data Protection Directive regulates processing of personal data within the EU.
1998: Data Protection Act, the primary UK legislation responsible for protecting personal data.
2000: US-EU Safe Harbour Framework enacted to assist US companies when working with data belonging to EU citizens.
2003: California becomes the first US state to enact a data security breach notification law covering credit card, medical and health insurance data of California citizens. (As of 10/2010: 46 states with legislation; 2011: 14 states introducing legislation.)
2006: First compliance deadline set by the Payment Card Industry for compliance with their proposed Data Security Standard (PCI/DSS).
2009: European Council approves a data breach notification rule for European telecom companies.
2010: The UK Information Commissioner imposed new timelines and monetary penalty amounts (up to 500K) against future serious breaches of the 1998 DPA.
May 26, 2011: The UK ICO is issuing new rules and guidance for websites using cookies to store data on end users' systems.
What are we dealing with here?
What kind of data is created? Personal data, credit card data, proprietary or intellectual property, company confidential data.
Who had access to it?
Where is it stored?
How do we maintain/track access?
How do we report on provider compliance?
Definitions related to Data Privacy Regulation
Data Protection Regulator: in the UK, this function is carried out by the Information Commissioner's Office.
Data Controller: an individual who, alone or jointly with others, decides the purposes and the manner in which any personal data are processed; has responsibility for ensuring that the data is maintained in compliance with the Data Protection Act.
Data Processor: any individual or entity who obtains, records, and/or holds data; any entity performing operations on the data (including deleting, removing or otherwise destroying data) and/or disclosing it to third parties.
DPA Principles
The 8 principles of the DPA provide that data must be:
1. Fairly and lawfully processed
2. Obtained only for one or more specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Kept no longer than necessary
6. Processed in accordance with the rights of the data subject
7. Kept secure against unlawful or unauthorised processing, or accidental loss or erasure
8. Not transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection
http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx
Cloud Computing Definition
January 2011: NIST's most recent definition of cloud computing released (Special Publication 800-145). It includes:
5 essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service
3 service models: Cloud Software as a Service, Platform as a Service and Infrastructure as a Service
4 deployment models: Private, Community, Public or Hybrid
http://csrc.nist.gov/publications/drafts/800-145/draft-sp-800-145_cloud-definition.pdf
Cloud Service Model Examples
Software as a Service: cloud-based software is contracted out for customer use (e.g. Salesforce.com, Zoho Office, Taleo, Google Apps)
Platform as a Service: the provider hosts specific business development applications on behalf of the customer (e.g. Force.com, Google App Engine)
Infrastructure as a Service: a corporation's entire data centre, storage or hardware needs could be hosted by the provider (e.g. 3Tera's AppLogic, Liquid Computing's LiquidQ, Amazon's EC2)
Cloud Computing & Security Risks
Gartner's seven cloud-computing security risks:
1. Privileged user access: providers should utilise employee security checks and control employee access to data
2. Regulatory compliance: the customer remains the data owner, but the provider must be open to audit and certification
3. Data location: providers must agree by contractual commitment to conform to location-specific storage requirements and boundaries
4. Data at rest, in motion: segregation and encryption
5. Recovery assistance: replication and restoration in the event of disaster
6. Investigative support: contractual commitment for discovery and investigations
7. Long-term viability of the provider
http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
Compliance and Reporting
RSA's Spring 2010 Security Bulletin: in cloud computing, the virtualization layer provides:
Increased visibility into almost every activity involved in providing application services
Fine-grained monitoring capabilities which can dramatically improve reporting processes for cloud auditing and compliance
From a regulatory compliance perspective, the lack of physical borders can make it difficult to comply with jurisdiction-specific privacy legislation.
http://www.rsa.com/newsletter/vantage/spring2010/vantage_cloud_control.pdf
Colocation Concerns
Some additional items to keep in mind: http://www.colocationprovider.org/choosingacolocationprovider.htm
1. Does the Colocation Provider have technical staff available 24/7?
2. How long has the Colocation Service Provider been in business? Are they financially profitable?
3. Network redundancy and pipe size: how many other networks does the Colocation Provider connect to? What size connections exist?
4. What kind of security does the Colocation Facility offer?
5. Does the Colocation Provider have redundant power? Do they use a standard back-up generator or a prime source type of generator for back-up power?
6. Is the A/C system in each section of the Colocation Facility redundant?
7. Does the Colocation Provider offer secure locking cabinets or just racks in a shared cage?
8. Does the Provider offer worldwide colocation capabilities?
Cloud Computing is Not the Challenge
1. It's no longer IT security or Information Security; it's Data Security. (The perimeter is dead!)
2. Security will never be absolute. As far as data leakage goes, it's not 'how' will it happen, it's 'when'. As security professionals, we can no longer worry solely about securing the data; we have to focus on what it will cost us once the data has been breached. Whoever pays less in the end, wins.
Be Careful Out There
References
http://www.pcworld.com/article/186584/facebook_ceo_challenges_the_social_norm_of_privacy.html
http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/#ixzz0hjvbsbq2
http://www.infowars.com/intel-boss-mcconnell-says-u-s-would-lose-cyberwar/
http://loadtest.story.news.yahoo.com/s/afp/20100224/pl_afp/usitcomputersecurityinternet_20100224161832
http://www.mondaq.com/article.asp?articleid=93070
http://www.dft.gov.uk/about/informationcharter/dataprotectionact
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1373688,00.html
http://www.networkworld.com/news/2009/042309-cloud-computing-a-securitynightmare.html
http://www.scmagazineuk.com/avoiding-the-security-pitfalls-of-cloudcomputing/article/118523/
http://csrc.nist.gov/publications/drafts/800-144/draft-sp-800-144_cloud-computing.pdf
http://www.ico.gov.uk/~/media/documents/pressreleases/2011/ico_welcomes_new_powers_news_release_20110420.ashx