Breakfast seminar on cloud services
TRANSCRIPT
Erkan Kahraman, Chief Trust Officer (formerly known as the Chief Information Security Officer)
Starting in January 2014, I assumed the Chief Trust Officer role at Projectplace, where I continue to oversee our security program as well as taking on the responsibility to maintain customer trust, regulatory compliance and third party assurance.
We designed the Projectplace Security, Trust and Assurance ecosystem to cover all aspects of cloud computing risks and address common concerns.
What do we do?
At Projectplace, we have built a security program which focuses on customers by implementing user-friendly, customer-driven security controls and improving communication. An example is how we put customers first in incident management. We know that information security incidents will occur. When they do, how companies respond will directly impact the customer experience.
Top Customer Concerns (1)
[Word cloud: legislation, accountability, privacy, confidentiality, integration, retention, security, availability, exit strategies, encryption, data integrity, regulations, data ownership]
1 According to the "2012 Cloud Computing Market Maturity" survey conducted jointly by Cloud Security Alliance (CSA) and ISACA.
The Notorious Nine: Cloud Computing Security Top Threats
A survey by not-for-profit firm Cloud Security Alliance (CSA), which provides best practices and education for people in the industry, found that the worry of data breaches was the top threat, followed by data loss and account hijacking.
› Data Breaches
› Data Loss
› Account Hijacking
› Insecure APIs
› Denial of Service
› Malicious Insiders
› Abuse and Nefarious Use
› Insufficient Due Diligence
› Shared Technology Issues
Traditional Security Triad: CIA
› Confidentiality: Perimeter security, Access control, Encryption, User Account and Password Management
› Integrity: Physical and Environmental measures, protection against malware, FIM, audit logging, monitoring and traceability
› Availability: SLA, RPO/RTO, Independent monitoring, redundancy, Disaster Recovery and BCP, Backups and Restoration, Web Accelerators
Tools of the trade: 2FA
Double protection with two-step verification. Add a second layer of protection to your accounts on Google, Facebook, Twitter, Yahoo, Dropbox, and Projectplace with 2-factor authentication. (https://twofactorauth.org/)
Why does transport layer security matter?
› BEAST, Heartbleed, Poodle
› Snowden's NSA revelations, encryption strength (AES 256).
"The nine most important words in cloud computing are: terms of service, location, location, location, and provider, provider, provider."
- Bob Gellman at the Computers, Freedom, and Privacy Conference.
Trust factors
› Applicable legislation (Location, location, location)
› Data Ownership (Terms and Conditions)
› Data Retention (and data portability)
› Integration with existing systems (APIs, Single Sign-on)
› Escrow and Exit strategies
› Privacy Statement, Cookie Information
Which law applies to data held in a cloud?
Countries around the world do not respond in the same manner, and it is difficult to predict what a particular court will rule.
The proposed reform to EU Data Protection law seeks to protect EU citizens' personal data regardless of where it is. Similarly, industry-specific regulations such as HIPAA and PCI DSS are applicable to certain data elements regardless of where they are stored.
Recently, Microsoft had to comply with a US supreme court order which requested disclosure of information located at the company's European cloud service hosted in Ireland. The reasoning behind the court's ruling was mainly that Microsoft's US-based Global Compliance Unit had access to the requested information via programmatic tools and established business processes.
Which law applies to data held in a cloud? (continued)
In another highly publicized case against Facebook in Germany, the court ruled that Facebook was subject only to the law of the country in which it has its headquarters. The case had to do with a requirement on the sign-up page of the German version of Facebook. A privacy organization had filed a lawsuit against Facebook to require Facebook to make certain changes. Facebook's European headquarters are located in Ireland. The German court ruled that German law did not apply because Facebook is registered as a company in Ireland, and not in Germany, thus Irish law should apply. While Facebook has operations in Germany, the court found that the Facebook German subsidiary is only an ad sales and marketing organization that is not concerned by the specific lawsuit.
What is happening with the EU Data Protection Law?
In January the European Commission announced that the EU's existing regime of data protection directives that guide national laws, such as the UK's Data Protection Act, will be replaced with common EU data protection regulations across all member states. The reform is designed to ensure people have more effective control over their personal data and make it easier for businesses to operate and innovate within the EU.
Included in the reforms is the "right to be forgotten", meaning that if there are no legitimate grounds for retaining your data, it must be deleted. This is designed to empower individuals and restore their confidence in the way their data will be handled, the EU is keen to emphasise. The new Regulation would also grant individuals a "right to portability", which would require companies to provide customers with a copy of their data when the customer moves to a different service.
How often do governments gain access to my information in the cloud?
It is impossible to give a definitive answer, as some requests, such as those related to national security, may be required to be confidential. However, a very useful resource is the small but growing trend towards transparency reports. Google has the most extensive transparency report, which provides statistics on the number of requests for user data as well as data removal requests, broken down by country.
US Wiretap Report (2013)
3,576 authorised wiretaps; 1 wiretap application denied.
The number of federal and state wiretaps reported in 2013 increased 5 percent from 2012. A total of 3,576 wiretaps were reported as authorized in 2013, with 1,476 authorized by federal judges and 2,100 authorized by state judges. Only one state wiretap application was denied in 2013.
Assurance factors
› Industry accepted standards such as ISO27001.
› SOC2 Type II Audit reports (formerly SSAE-16).
› Cloud Security Alliance STAR.
› Other technology certificates and seals.
› Independent audits.
"There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know."
- Donald Rumsfeld, U.S. Secretary of Defence
© Transcendent Group Sverige AB 2015
The cloud
Internet based data access and exchange; Internet based access to low cost computing and applications.
Characteristics:
› On-demand self service
› Internet access
› Pooled resources
› Elastic capacity
› Usage based billing
Service models: Software as a service, Platform as a service, Infrastructure as a service.
Deployment models: Private cloud, Public cloud, Hybrid cloud, Community cloud.
Source: http://www.nist.gov/itl/cloud/
Cloud computing is portrayed as a valuable consideration for enterprise IT integration; however, adoption of cloud computing models carries a number of challenges.
Business challenges
› Security and privacy
› Operational
› Technology
› Regulatory and compliance
› Vendor
› Financial
Drivers
• Pay as you go
• Virtual and on-demand
• Agility, flexibility, elasticity
• Multi-tenancy
• Ease of implementation
• Pooled resources
Challenges
• Privacy and security
• Reliability and availability
• Transition and execution risk
• Limited scope for customization
• Cultural resistance
• Regulatory ambiguity
• Issues of taxation
Question 1: can we trust the party who is processing our data?
Question 2: how can we check what the cloud service provider is doing?
Contract/SLA considerations
[Vendor lifecycle diagram]
Phases: Discover vendor and define requirements; Vendor evaluation; Contract negotiation; Solution deployment; Vendor monitoring; Vendor transition.
Activities shown across the phases: Research vendor; Provide security requirements; Initiate SRA; Execute SRA; Site visits; SIM support; Forensic/e-discovery support; Connectivity with CSP; Vulnerability scans; System hardening considerations; Cloud threats for patching; Abbreviated SRA; Verify termination of access rights; Verify data destruction.
Phase 1: generation
• Ownership
• Classification
• Governance
Phase 2: use
• Internal versus External
• Third Party
• Appropriateness
• Discovery/subpoena
Phase 3: transfer
• Public versus private networks
• Encryption requirements
• Access control
Phase 4: transformation
• Derivation
• Aggregation
• Lineage
• Integrity
Phase 5: storage
• Access control
• Structured versus unstructured
• Integrity/availability/confidentiality
• Encryption
Phase 6: archival
• Legal and compliance
• Offsite considerations
• Media concerns
• Retention
Phase 7: destruction
• Secure
• Complete
Compliance
• Audit and regulatory
• Legal
• Measurement
• Business objectives
Source: http://programming4.us/