Privacy issues in the cloud

PrivacyIssuesintheCloudPresenta4ontotheChiefPrivacyOfficersCouncil

Constan4neKarbalio4sDataProtec*on&PrivacyLead

May4,2010 1

Agenda

PrivacyIssuesintheCloud‐Constan*neKarbalio*s2

Introduc*on1

WhatistheCloud?2

WhatdoSecurityProfessionalsSeeasRisks?3

WhatarethePrivacyIssues?4

WhatistheRealProblem?5

Conclusion/Q&A6

WhatistheCloud?

3PrivacyIssuesintheCloud‐Constan*neKarbalio*s

Whatis“theCloud”?

• “Cloudcompu*ng”defini*ons:– Cloudcompu*ngisinterconnectednetworksofITenabledresources(i.e.services)deliveredinadynamicallyscalableandvirtualizedmethod,madeavailabletocustomersforpurchaseviavariablecostmodelsbasedonusage.•  Symantec

– justaswithau*lity,enterprisescanpayforinforma*ontechnologyservicesonaconsump*onbasis

PrivacyIssuesintheCloud‐Constan*neKarbalio*s 4

BenefitsandRisks

Accelera4ngTrend

–  Growingmarkettoreach$42billionby2012‐IDC

Rewards

–  Takesadvantageofvirtualiza*on–  Provideson‐demandservicesforeasyscalability

– Minimizescapitalandopera*ngcostsexpenditures

–  Providesaccesstoexper*senotavailablein‐house–  Enhancesbusinessagility

Risks

–  Currentlackofstandardiza*on–  Rela*velyhighswitchingcostsforproprietarysolu*ons–  SecurityandPrivacy

5


WhatdoSecurityProfessionalsSeeasRisks?



TopSecurityThreatstoCloudCompu4ng

•  AbuseandNefariousUseofCloudCompu*ng•  InsecureApplica*onProgrammingInterfaces•  MaliciousInsiders•  SharedTechnologyVulnerabili*es•  DataLoss/Leakage•  Account,Service&TrafficHijacking•  UnknownRiskProfile

•  Source:TopThreatstoCloudCompu*ng,Version1.0

CloudSecurityAlliance

hbp://www.cloudsecurityalliance.org/topthreats


GovernanceConcerns

PERCEIVEDRISKSINCLOUDCOMPUTING

Uncertainabilitytoenforcesecuritypoliciesataprovider

23percent

InadequatetrainingandITaudi*ng 22percent

Ques*onableprivilegedaccesscontrolatprovidersite

14percent

Uncertainabilitytorecoverdata 12percent

Proximityofdatatoanothercustomer’s 11percent

Uncertainabilitytoauditprovider 10percent

Uncertaincon*nuedexistenceofprovider 4percent

Uncertainproviderregulatorycompliance 4percent

Source:PriceWaterhouseCooper/CISO‐CIOMagazineSurvey,2010

WhatarethePrivacyRisks?



PrivacyRiskswithCloudCompu4ng

•  Certaintypesofdatamaytriggerspecificobliga*onsunderna*onalorlocallaw

•  Vendorissues:–  Organiza*onsmaybeunawaretheyareevenusingcloud‐basedvendors

–  Duediligences*llrequiredasinanyvendorrela*onship–  Datasecurityiss*lltheresponsibilityofthecustomer–  ServiceLevelagreementsneedtoaccountforaccess,correc*onandprivacyrights

•  DataTransfer:–  Cloudmodelsmaytriggerinterna*onallegaldatatransferrequirements

Source:Hunton&Williams,“Outsourcingtothecloud:datasecurityandprivacyrisks”,March15,2010

WhatistheRealProblem?


PonemonStudyforSymantec:Summary

•  Businessapplica*ons,solu*onstacksandstoragearethemostpopularcloudcompu*ngapplica*ons,plaiormsandinfrastructureservices

•  Feworganiza*onstakeproac*vestepstoprotectboththeirownsensi*vebusinessinforma*onandthatoftheircustomers,consumersandemployeeswhentheystorethatinforma*onwithcloudcompu*ngvendors

•  Organiza*onsareadop*ngcloudtechnologieswithouttheusualvekngprocedures

•  EmployeesaremakingdecisionswithouttheirITdepartments’insightsorfullknowledgeofthesecurityrisksinvolved

•  Twoyearsfromnow,mostrespondentsplantousecloudcompu*ngmuchmoreintensivelythantheydotoday

•  Yetevenasmomentumforcloudcompu*ngbuilds,doubtsaboutsecuritydifficul*esofcloudcompu*ngpersist

•  Organiza*onsmostfrequentlyprotectthemselvesthroughtradi*onalITsecuritysolu*onsandlegalorindemnifica*onagreementswithvendors.


PonemonStudyfindsFewerthanOneinTenCompaniesEvaluateVendorsorTrainEmployeesonCloudSecurity:

• Morethan75percentofrespondentsnotedthatthemigra*ontocloudcompu*ngwasoccurringinaless‐thanidealmanner,duetoalackofcontroloverendusers

• Only27percentofrespondentssaidtheirorganiza*onshaveproceduresforapprovingcloudapplica*onsthatusesensi*veorconfiden*alinforma*on

•  68percentindicatedthatownershipforevalua*ngcloudcompu*ngvendorsresideswithendusersandbusinessmanagers

• Only20percentoftheorganiza*onssurveyedreportedthattheirinforma*onsecurityteamsareregularlyinvolvedinthedecisionmakingprocessandapproximatelyaquartersaidtheyneverpar*cipatedatall

•  69percentoftherespondentsindicatedtheywouldprefertoseetheinforma*onsecurityorcorporateITteamsleadtheclouddecisionmakingprocess


PolicyandProceduralGaps


Source:PonemonIns*tutestudyforSymantec:“FlyingBlindintheCloud”,April7,2010

Ineffec4veReview


CloudCompu4ngVendorsReview“Process”



Organiza4onalstepstoensuredataprotec4on



Conclusion/Q&A


ManagingPrivacyintheCloud

• Policiesandproceduresmustexplicitlyaddresscloudprivacyrisks

•  Informa*ongovernancemustbeputinplacethat:–  Providestoolsandproceduresforclassifyinginforma*onandassessingrisk

–  Establishpoliciesforcloud‐basedprocessingbaseduponriskandvalueofasset.

• Evaluatethirdpar*es’securityandprivacycapabili*esbeforesharingconfiden*alorsensi*veinforma*on.–  Thoroughreviewandauditofvendors–  Independentthirdpartyverifica*on

• Trainemployeesandstaffaccordinglytomi*gatesecurity/privacyrisksincloudcompu*ng–  Addressfrommul*‐departmentalperspec*ve


ModelforManagingCloudRisks‐Governance

• Strategy:– Whatkindsofdatawillyouasamaberofcoursenotallowtogotothecloud?Whatkindofcloudisappropriateforcertaintypesofdata?

–  Implicit:youhaveadataclassifica*onsystemthatyoufollowandknowthevalueofyourdataassets

• Educa*on&training–  Trainusers/businessunitsthatthisrequiresvendorreviewjustasanyothervendor

• Resources&Ownership–  Academictohavenicepolicies,contractuallanguagepermikngauditrights,ifyoudon’thavestafftodoit

–  EveryonewantsInforma*onSecurityorITtoownthis–equipthem


ModelforManagingCloudRisks–FormalRiskManagement

• PrivacyRisk/ImpactAssessment

–  Documentownershipofrisks,mi*ga*ons

• DataFlowDiagram–  Iden*fytypesofPIIinflow,aswellaswhatsystems,en**esandjurisdic*onsthatdataflowsthrough

• SecurityAssessments&Measures

–  Appropriatemeasurestoensureadequateapplica*onsecurity,developmentprocessesandpenetra*on/vulnerabilitytes*ng

–  Requireregulartes*ngaswellasatoutsetofrela*onship–  Considerstrategiesbasedonencryp*on,dataobfusca*on


ModelforManagingCloudRisks–Contract&Audit•  LegalModels–  Developappropriatecontractualtermstoensureprotec*onofthetypesofdatayouwanttoprocess:•  Recordsreten4on&lawfulaccess•  Access•  Datasharingrisks/commingling•  Jurisdic4onalrisks•  Flow‐downofrequirementsforsecurity,audit,evidenceofcomplianceforsub‐contractors

–  Revisit/revisecustomerprivacyno*ces,agreements:dotheyreflectwhatyouaredoingwiththedata?

• Monitoring–  Ensurethattherearemechanismstechnicalandorganiza*onaltoassessandauditcloudvendor’suseofdata

•  AuditandThirdPartyCer*fica*on–  Ensureyouhavetheabilitytoaudit–anddoit–  Thirdpartycer*fica*onsasaminimum


Thankyou!

Copyright©2010SymantecCorpora4on.Allrightsreserved.SymantecandtheSymantecLogoaretrademarksorregisteredtrademarksofSymantecCorpora*onoritsaffiliatesintheU.S.andothercountries.Othernamesmaybetrademarksoftheirrespec*veowners.

Thisdocumentisprovidedforinforma*onalpurposesonlyandisnotintendedasadver*sing.Allwarran*esrela*ngtotheinforma*oninthisdocument,eitherexpressorimplied,aredisclaimedtothemaximumextentallowedbylaw.Theinforma*oninthisdocumentissubjecttochangewithoutno*ce.


Constan*neKarbalio*s,J.D.,CIPP/C/ITconstan*ne_karbalio*[email protected]