Security and Privacy in Cloud Computing - Study Report
Sai Lakshmi, General Manager, Enterprise Security Solutions
Agenda
- Background & Objective
- Current Scenario & Future of Cloud Computing
- Challenges in Cloud Computing: Data Security, Data Privacy, Compliance, Legal and Contractual
- Challenges faced by Cloud Providers
- Recommendations
Background & Objective
DSCI has undertaken a study on Data Protection Challenges in Cloud Computing in partnership with Wipro, with the objective of understanding the security and privacy challenges and trends in Cloud Computing with respect to the Indian IT environment.
As part of this study, DSCI and Wipro conducted a survey to understand the perception of security professionals on the risks and challenges associated with Cloud Computing, focusing on Security & Privacy.
Study Methodology
Primary research:
- A survey across 48 organizations, conducted by DSCI and Wipro
- A total of 71 professionals representing 48 organizations
Secondary research, covering the following aspects vis-à-vis Cloud Computing:
- Different Cloud deployment models (Private, Public, Hybrid, etc.)
- Cloud service models (SaaS, PaaS, IaaS, etc.)
- Current scenario and future of Cloud Computing
- Reasons behind considering Cloud Computing
- Challenges in the adoption of Cloud Computing
- Criteria for Cloud service provider selection
- Challenges faced by Cloud service providers
- Role of NASSCOM-DSCI in the Cloud Computing ecosystem
Cloud Computing in India
- World Cloud Services revenue is forecast to reach $68.3 billion in 2010 and $148.8 billion in 2014
- The Cloud Computing market in India currently stands at USD 110 million and is expected to reach USD 1,084 million by 2015*
- Software-as-a-Service (SaaS) has witnessed the highest growth and is likely to reach USD 650 million by 2015*
- 21% of the surveyed firms are planning to host IT services on the Cloud, and pilot projects have been initiated
Chart: Cloud adoption in India. Categories: Not considering migration to Cloud Computing as of now; Already using Cloud Computing services; Planning to initiate a pilot project or implement less critical services (21%); Planning a complete migration; Will consider based on the industry / peer adoption trend. Other bar values shown: 24%, 15%, 38%.
Cloud Deployment Models and Adoption
- Private cloud: dedicated cloud infrastructure for an organization; self-managed or third party, on premise or off premise.
- Public cloud: shared cloud infrastructure on a cost-for-services model, selling cloud services.
- Hybrid cloud: cloud infrastructure composed of private, public and/or community clouds that enables data and application portability (e.g., cloud bursting).
- Community cloud: shared cloud infrastructure managed by the organizations or a third party, which may exist on premise or off premise.
Chart: Organisation preference for adoption of cloud deployment models (Public Cloud 6%; Private Cloud; Hybrid Cloud or Community Cloud; other bar values shown: 29%, 66%). Deployment decision matrix criteria: Cost Effectiveness, Management Control, Reliability, Accountability, Standardization, Adoption, Security.
- Large enterprises point toward exploring Public Clouds only for hosting non-business, non-critical, support applications such as Document Management Systems, hosted Email, CRM and Learning Solutions.
- Critical applications that demand data to reside within organizational systems, because of regulatory/legal requirements, remain on the Private Cloud.
- Organizations often adopt the Public Cloud for services where users are not required to deal with any sensitive data.
Cloud Deployment Models
- In a SaaS model, the software is hosted at the cloud service provider's site: 91%
- In a PaaS model, the application framework is hosted at the cloud service provider's site: 56%
- In an IaaS model, compute and storage are available as a service: 53%
Security as a Service
In a Security as a Service model, the security functions are delivered as a service: 53%
Chart: Security as a Service offerings: Identity Management, Threat Management, Security Device Management, Infrastructure Security Operations, Web Security Monitoring, Vulnerability Assessment and Penetration Testing. Bar values shown: 70%, 57%, 61%, 43%, 48%, 35%.
Challenges in Cloud Computing
Major challenges / concerns:
- Data Security and Privacy, a major inhibitor to Cloud adoption (95%)
- Challenge in meeting Compliance requirements; accountability and ownership of data in the Cloud (80%)
- Legal & Contractual Issues: addressing geography-specific regulatory requirements, especially in trans-border data flow and storage (76%)
Rating of challenges (Critical / Very Important / Important / Less Important / Not Important):
- Data Security & Privacy: 70% / 25% / 3%
- Compliance Issues: 30% / 50% / 16% / 4%
- Legal & Contractual Issues: 39% / 37% / 21% / 4%
- Challenges in migration: 11% / 2_% / 38% / 18% / 11%
- Lack of clarity in the pay-per-use model: 13% / 15% / 47% / 24%
- Integration of Cloud-based applications with legacy systems: 2_% / 33% / 33% / 8% / 4%
Data Security & Privacy Challenges
Major data security challenges in the Cloud:
- Data Segregation & Protection
- Data Leak Prevention
Other important considerations on the Cloud:
- Threat and Vulnerability Management
- Identity and Access Management
Bar values shown: 9_%, 80%, 75%, 7_%.
Compliance & Legal Contractual Challenges
Compliance considerations on the Cloud (top concerns):
- Ability of the provider to demonstrate compliance (7_%)
- Feasibility of audit and assessment of applications (71%)
Compliance challenges (Critical / Very Important / Important / Less Important / Not Important):
- Distribution of ownership between the user organization and the cloud provider
- Addressing specific compliance requirements like HIPAA, GLBA, PCI
- Feasibility of audit and assessment of applications and systems
  (bar values shown for the three rows above: 27%, 26%, 21%, 41%, 36%, 50%, 31%, 34%, 27%)
- On-demand availability of log & audit trails: 24% / 44% / 24% / 8%
- Ability of the provider to demonstrate compliance requirements of the user: 39% / 33% / 27%
Legal and contractual challenges in the Cloud (top concerns):
- Liability sharing in case of data breaches and the subsequent recourse mechanism (79%)
- Ownership of intellectual property of end users' information (74%)
Legal & contractual challenges (Critical / Very Important / Important / Less Important / Not Important):
- End-of-service support issues like retention & disposal of information, transfer of IPR
- Ownership of intellectual property of cloud-based services, products and end user information
  (bar values shown for the two rows above: 34%, 41%, 30%, 33%, 3_, 2_, 4%, 4%)
- Liability sharing in case of data breaches and the subsequent recourse mechanism: 44% / 35% / 21%
Measures Adopted - Addressing Data Security
Top 3 measures adopted by organizations:
- Including security & privacy clauses in the contractual agreement (69%)
- Periodically auditing the services of the Cloud service provider (58%)
- Making the Cloud service provider legally liable for data breach (5_%)
The emergence of security services on the cloud is yet to mature from the basic MSS models which are currently prevalent. Strengthening contracts and periodic audits are some of the basic measures that organizations are currently adopting.
Measures adopted by organizations:
- Including data security and privacy clauses in the contract: 69%
- Making the service provider legally liable for any data security & privacy breach: 5_%
- Auditing the service provider at a defined and mutually agreed frequency: 58%
- Service provider providing third-party audit reports to your organization on a regular basis
- Mandating service providers to implement technical and organizational safeguards
- Demanding transparency in information management practices through regular reporting
- Aligning existing security & privacy strategies to address new challenges
- Updating the norms of privacy-specific user transactions to incorporate new challenges
- None: 4%
Other bar values shown: 33%, 33%, 31%, 44%, 4_%.
Selecting the Right Cloud Provider
Security, privacy and compliance considerations for selecting a Cloud service provider (top considerations):
- Demonstration of data security and privacy capabilities of the Cloud service provider (77%)
- Ability to support BCP/DR requirements (73%)
- Standardized security preparedness of the Cloud service provider, like ISO 27001 certification (7_%)
- Transparency in information practices followed by the Cloud service provider (7_%)
Reduced investment in BCP/DR, a major cost centre for business, is one of the major drivers for the adoption of Cloud Computing.
Major security & privacy and compliance considerations for selecting a cloud provider (Critical / Very Important / Important / Less Important / Not Important):
- Standardized security preparedness of the cloud provider, like ISO 27001 certification: 54% / 18% / 1_% / 4% / 1_%
- Third-party attestation or seal for privacy: 21% / 4_% / 21% / 15%
- Demonstration of data security and privacy capabilities by the cloud provider: 43% / 34% / 17% / 4%
- Transparency in information practices followed by the cloud provider: 43% / 29% / 20% / 6%
- Number of data security breaches in the past: 41% / 2_% / 28% / 4% / 4%
- Service and operation level agreements including security operations: 4_% / 19% / 21% / 17%
- Disaster recovery capabilities: 48% / 25% / 13% / 6% / 8%
- Compliance demonstration capabilities: 38% / 33% / 16% / 4% / 9%
Challenges faced by Cloud Providers
Top 3 challenges faced by Cloud providers:
- Technological limitations, especially in the Indian context, where network bandwidth, latency and interoperability have been seen as a major challenge (78%)
- Meeting multiple regulatory compliance requirements that vary considerably based on the type of data, geography and domain/industry, e.g. HIPAA for health records, GLBA for financial transactions, PCI DSS for credit card data (59%)
- Meeting multiple contractual requirements, especially when the data protection requirements and data breach liabilities of different countries vary considerably (57%)
Major challenges faced by cloud service providers:
- Technological limitations (Indian context): 78%
- Meeting multiple regulatory compliance requirements: 59%
- Meeting multiple contractual requirements: 57%
- Huge initial capital expenditure: 33%
- Inadequate research and development
- Alleviate negative perceptions about
- Unavailability of skilled resources
- Migration of services provided to client
Other bar values shown: 15%, 19%, 19%, 24%, 26%.
Indian legal framework:
- Enforcement of IT (Amendment) Act, 2008 will be a challenge as cloud computing
- Business benefits arising out of the use of cloud computing will influence the focus
- Under the Indian Telecom Licensing Policy, prohibition of data transfer outside the
Bar values shown: 38%, 61%, 63%.
Role of NASSCOM-DSCI in Cloud Computing
Role of NASSCOM-DSCI in the Cloud Computing ecosystem in India:
- Promote data security and privacy in the evolving cloud-based ecosystem: 70%
- Work closely with the government to create the necessary policy environment for cloud computing: 68%
- Advise user organizations on the data security and privacy related aspects of cloud computing: 48%
- Engage with cloud providers to establish a safe and secure cloud computing environment: 55%
- Benchmark different cloud providers against their data security and privacy practices: 45%
This study is an important step for DSCI to chart out and drive government policy initiatives for Cloud Computing.
Recommendations
- Security standards and certifications specific to Cloud environments need to be developed for the successful implementation of Cloud services.
- User organizations should involve Business, IT and legal teams in framing the contract provisions.
- Cloud service providers: transparency is required with their processes, certifications, information security practices and techniques.
- Both user organizations and Cloud service providers should develop robust information security governance, regardless of the service or deployment model.
2010 Wipro Ltd - Confidential
Thank you.
Wipro as an Originator and System Integrator of Cloud
BPaaS
  Solutions as an Originator: 1. Mortgage origination; 2. HRO
  System Integration Services: 1. Platform development
SaaS
  Solutions as an Originator: 1. Public Cloud solutions: Hospital software, Auto Dealer platform, E-commerce platform, Mortgage origination, Document Management; 2. Vendor products offered on Wipro Cloud: Fidelity Banking software, MS Dynamics
  System Integration Services: 1. System Integration Services for SFDC, Dynamic CRM, Oracle on Demand, Workday, SAP ByD, Netsuite, BPOS, Google Applications; 2. SaaS enabling of Independent Software Vendor applications
PaaS
  Solutions as an Originator: No originating solutions
  System Integration Services: 1. Lead developer on Azure, Force.com platforms; 2. Hosted test platforms; 3. Build Private PaaS platform (wsaas)
IaaS
  Solutions as an Originator: 1. Wipro Cloud data centers (USA/Europe/India); 2. Hosting for SaaS & BPaaS vendors
  System Integration Services: 1. Build, operate & manage Private cloud, migration to public cloud; 2. SI, test and manage public cloud
Wipro services to cloud Originators and Enterprises
BPaaS
  Services to Originators: 1. Platform development
  Services to Enterprises: 1. Wipro BPaaS solutions: Mortgage origination
SaaS
  Services to Originators: 1. Dev & test support for SaaS ISVs; 2. Enabling cloud services on devices (mobile)
  Services to Enterprises: 1. System integration service for SFDC, Dynamic CRM, Oracle On Demand, Netsuite, BPOS, Google Apps, Workday, SAP ByD; 2. Wipro solutions offered in Public Cloud: Hospital software, Auto Dealer platform, E-commerce platform, Mortgage origination, Document Management; 3. ISV products offered on Wipro Cloud: Fidelity Banking software, MS Dynamic CRM
PaaS
  Services to Originators: 1. Enabling devices (mobile)
  Services to Enterprises: 1. Lead developer on Azure, Force.com; 2. Test platforms on cloud; 3. wsaas Private PaaS
IaaS
  Services to Originators: 1. Hosting for SaaS / BPaaS vendors; 2. SI and test deployments for public cloud
  Services to Enterprises: 1. Setting up Private cloud; 2. Migration to public cloud; 3. Wipro Cloud data centers (USA, Europe & India)