Privacy Issues in the Cloud

Presentation to the Chief Privacy Officers Council

Constantine Karbaliotis
Data Protection & Privacy Lead

May 4, 2010

Agenda

1 Introduction
2 What is the Cloud?
3 What do Security Professionals See as Risks?
4 What are the Privacy Issues?
5 What is the Real Problem?
6 Conclusion/Q&A

Privacy Issues in the Cloud ‐ Constantine Karbaliotis

What is the Cloud?





What is “the Cloud”?

• “Cloud computing” definitions:
    – Cloud computing is interconnected networks of IT enabled resources (i.e. services) delivered in a dynamically scalable and virtualized method, made available to customers for purchase via variable cost models based on usage.
        • Symantec
    – just as with a utility, enterprises can pay for information technology services on a consumption basis





Benefits and Risks

Accelerating Trend
    – Growing market to reach $42 billion by 2012 ‐ IDC

Rewards
    – Takes advantage of virtualization
    – Provides on‐demand services for easy scalability
    – Minimizes capital and operating expenditures
    – Provides access to expertise not available in‐house
    – Enhances business agility

Risks
    – Current lack of standardization
    – Relatively high switching costs for proprietary solutions
    – Security and Privacy


What do Security Professionals See as Risks?





Top Security Threats to Cloud Computing

•  Abuse and Nefarious Use of Cloud Computing
•  Insecure Application Programming Interfaces
•  Malicious Insiders
•  Shared Technology Vulnerabilities
•  Data Loss/Leakage
•  Account, Service & Traffic Hijacking
•  Unknown Risk Profile

Source: Top Threats to Cloud Computing, Version 1.0, Cloud Security Alliance, http://www.cloudsecurityalliance.org/topthreats




Governance Concerns

PERCEIVED RISKS IN CLOUD COMPUTING

Uncertain ability to enforce security policies at a provider: 23 percent
Inadequate training and IT auditing: 22 percent
Questionable privileged access control at provider site: 14 percent
Uncertain ability to recover data: 12 percent
Proximity of data to another customer’s: 11 percent
Uncertain ability to audit provider: 10 percent
Uncertain continued existence of provider: 4 percent
Uncertain provider regulatory compliance: 4 percent

Source: Price Waterhouse Cooper/CISO‐CIO Magazine Survey, 2010




What are the Privacy Risks?





Privacy Risks with Cloud Computing

•  Certain types of data may trigger specific obligations under national or local law
•  Vendor issues:
    –  Organizations may be unaware they are even using cloud‐based vendors
    –  Due diligence still required as in any vendor relationship
    –  Data security is still the responsibility of the customer
    –  Service Level agreements need to account for access, correction and privacy rights
•  Data Transfer:
    –  Cloud models may trigger international legal data transfer requirements

Source: Hunton & Williams, “Outsourcing to the cloud: data security and privacy risks”, March 15, 2010


What is the Real Problem?





Ponemon Study for Symantec: Summary

•  Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services
•  Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors
•  Organizations are adopting cloud technologies without the usual vetting procedures
•  Employees are making decisions without their IT departments’ insights or full knowledge of the security risks involved
•  Two years from now, most respondents plan to use cloud computing much more intensively than they do today
•  Yet even as momentum for cloud computing builds, doubts about security difficulties of cloud computing persist
•  Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors.



Ponemon Study finds Fewer than One in Ten Companies Evaluate Vendors or Train Employees on Cloud Security:

•  More than 75 percent of respondents noted that the migration to cloud computing was occurring in a less‐than ideal manner, due to a lack of control over end users
•  Only 27 percent of respondents said their organizations have procedures for approving cloud applications that use sensitive or confidential information
•  68 percent indicated that ownership for evaluating cloud computing vendors resides with end users and business managers
•  Only 20 percent of the organizations surveyed reported that their information security teams are regularly involved in the decision making process and approximately a quarter said they never participated at all
•  69 percent of the respondents indicated they would prefer to see the information security or corporate IT teams lead the cloud decision making process


Policy and Procedural Gaps

Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010


Ineffective Review






Cloud Computing Vendors Review “Process”

Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010


Organizational steps to ensure data protection

Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010


Conclusion/Q&A





Managing Privacy in the Cloud

•  Policies and procedures must explicitly address cloud privacy risks
•  Information governance must be put in place that:
    –  Provides tools and procedures for classifying information and assessing risk
    –  Establishes policies for cloud‐based processing based upon risk and value of asset.
•  Evaluate third parties’ security and privacy capabilities before sharing confidential or sensitive information.
    –  Thorough review and audit of vendors
    –  Independent third party verification
•  Train employees and staff accordingly to mitigate security/privacy risks in cloud computing
    –  Address from multi‐departmental perspective


Model for Managing Cloud Risks ‐ Governance

•  Strategy:
    –  What kinds of data will you as a matter of course not allow to go to the cloud? What kind of cloud is appropriate for certain types of data?
    –  Implicit: you have a data classification system that you follow and know the value of your data assets
•  Education & training
    –  Train users/business units that this requires vendor review just as any other vendor
•  Resources & Ownership
    –  Academic to have nice policies, contractual language permitting audit rights, if you don’t have staff to do it
    –  Everyone wants Information Security or IT to own this – equip them



Model for Managing Cloud Risks – Formal Risk Management

•  Privacy Risk/Impact Assessment
    –  Document ownership of risks, mitigations
•  Data Flow Diagram
    –  Identify types of PII in flow, as well as what systems, entities and jurisdictions that data flows through
•  Security Assessments & Measures
    –  Appropriate measures to ensure adequate application security, development processes and penetration/vulnerability testing
    –  Require regular testing as well as at outset of relationship
    –  Consider strategies based on encryption, data obfuscation






Model for Managing Cloud Risks – Contract & Audit

•  Legal Models
    –  Develop appropriate contractual terms to ensure protection of the types of data you want to process:
        •  Records retention & lawful access
        •  Access
        •  Data sharing risks/commingling
        •  Jurisdictional risks
        •  Flow‐down of requirements for security, audit, evidence of compliance for sub‐contractors
    –  Revisit/revise customer privacy notices, agreements: do they reflect what you are doing with the data?
•  Monitoring
    –  Ensure that there are mechanisms, technical and organizational, to assess and audit cloud vendor’s use of data
•  Audit and Third Party Certification
    –  Ensure you have the ability to audit – and do it
    –  Third party certifications as a minimum



Thank you!

Constantine Karbaliotis, J.D., CIPP/C/IT
constantine_karbaliotis@symantec.com
416.402.9873

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.




