Martine Lapierre - Security in Cloud computing: sharing more than resources
1 like582 views
Cloud computing provides opportunities but also implies a loss of control over data and infrastructure. When choosing a cloud offering, considerations include the provider's reputation for protecting confidentiality and their ability to prove no loss of control. Sensitive healthcare data processed in the cloud must satisfy strict regulatory requirements regarding data protection, access controls, and ensuring data does not leave its country of origin. Both customers and providers face legal and security challenges in ensuring compliance with privacy laws and protecting against threats in shared cloud environments.
Martine Lapierre - Security in Cloud computing: sharing more than resources
- 1. Security in Cloud computing: sharing more than resources Martine Lapierre, THALES DSC, Technical Director 23-27 November 2009
- 2. Growing need of IaaS - Cloud would help: Smart Environment Smart cities Smart transport Smart energy healthcare monitoring Cloud computing implies loss of control Choices of cloud offering Private based on: Hybrid – reputation to ensure Public protection and confidentiality – ability of the cloud provider to prove that there is ‘no’ loss of control
- 3. eHealth cloud example Data processing Journalisation of acts must satisfy (legal proof), Dedicated network infra European data Journalisation of protection Monitoring Iaas Health (cyber defense Iaas access traces) Patients center Private cloud Sensitive data Network should be transactions destroyed at a Make encryption, Is available to timeavailable to specified Doctors, IsData storage available to nurses protection/ Medical content data Data should not External eHealth driven leave the original service providers security country of collection at any – Satisfy strict regulatory requirements time – Very sensitive to negative public perception
- 4. Customer’s view on security Are my data secure in the Cloud ? Who can access the data ? Can I access my data at any time ? What is the SLA ? Can I stop my contract at any time ? (reversibility) Can I comply with laws and regulation ? Where are my data ? What about if disclosure ? How long are my data kept if I ask for suppression ? How is managed the requisition process ? Who is responsible? Loss of control while maintaining accountability even if operational responsibility falls upon 3rd parties In case of failure in services outsourced to the cloud, the customer cannot meet his duty to his own customers and is exposed to liability
- 5. Legal and regulatory challenges Understand the consequences of decoupling data from infrastructure. Regulation of cross-border data flows cloud providers operate datacenters in multiple locations and transfer data among them. Coherent regulations on privacy, data retention EU member states have divergent views as to whether cloud providers need to retain data and for how long. Enhance criminal enforcement of crimes Aggregation of data in cloud data centers are attractive targets for hackers. Incident response. Compliant storage certification Interoperability standards in cloud
- 6. Security challenges Quality of service guaranties Multi-tenancy issues and isolation Certification and Insecure interfaces in federation accreditation context Compliance to regulations Data protection ID management, RBAC Cloud infrastructure protection Logging, audit Portability, reversibility From Randy Marchany