Security and Privacy in Cloud Computing - Study Report
Sai Lakshmi
General Manager
• Background & Objective
• Current Scenario & Future of Cloud Computing
• Challenges in Cloud Computing
– Data Security, Data Privacy
– Compliance
– Legal and Contractual
• Challenges faced by Cloud Providers
• Recommendations
• DSCI has undertaken a study on “Data Protection Challenges in Cloud Computing” in partnership with Wipro with the objective to understand the security and privacy challenges and trends in Cloud Computing with respect to Indian IT environment
• As part of this study, DSCI along with Wipro conducted a survey to understand the perception of the security professionals on risks & challenges associated with Cloud Computing focusing on Security & Privacy
Study Methodology
• Survey was conducted by DSCI and Wipro
• Total of 71 professionals representing 48 organizations
Primary research – A survey across 48 organizations
Secondary research, covering the following aspects vis-à-vis Cloud Computing:
• Different Cloud deployment models (Private, Public, Hybrid etc)
• Cloud Services Models (SaaS, PaaS, IaaS, etc.)
• Current Scenario and Future of Cloud Computing
• Reasons behind considering Cloud Computing
• Challenges in the adoption of Cloud Computing
• Criteria for Cloud service provider selection
• Challenges faced by Cloud service providers
[Chart: Cloud adoption in India. Legend: Already using Cloud Computing services; Planning to initiate a pilot project or implement less critical services; Planning a complete migration; Will consider based on the industry / peer adoption trend; Not considering migration to Cloud Computing as of now. Values: 38%, 21%, 2%, 24%, 15%.]
Cloud Computing in India
• World Cloud Services Revenue forecasted to reach $68.3 billion in 2010 and $148.8 billion in 2014
• Cloud Computing market in India currently stands at USD 110 million and is expected to reach USD 1,084 million by 2015*
• Software-as-a-Service (SaaS) has witnessed the highest growth and it is likely to reach a mark of USD 650 million by 2015*
Cloud Deployment models and Adoption
Private cloud. Dedicated cloud infrastructure for an org. Self Managed or Third Party, On premise / Off Premise
Public cloud. Shared Cloud Infrastructure on a cost services model selling cloud services.
Hybrid cloud. Cloud infrastructure composed of private, public and/or community cloud that enables data & application portability (e.g., cloud bursting).
Community cloud. Shared cloud infrastructure managed by the organizations or a third party and may exist on premise or off premise
Deployment Decision Matrix
• Cost Effectiveness
• Management Control
• Reliability
• Accountability
• Standardization
• Adoption
• Security
• Large enterprises point toward exploring Public Clouds for hosting of non-business, non-critical, support applications only, such as Document Management Systems, hosted Emails, CRM and Learning Solutions, etc.
• Critical Applications that demand data to reside within organizational systems, because of regulatory/legal requirements, remain on the Private Cloud
• Organizations often adopt Public Cloud for services where users are not required to ‘deal’ with any sensitive data
[Chart: Organisation preference for adoption of cloud deployment models. Legend: Private Cloud, Public Cloud. Values: 6%, 29%, 66%.]
Cloud Deployment Models
In a SaaS Model, the software is hosted at the cloud service provider’s site
In a PaaS Model, the application framework is hosted at the cloud service provider’s site
In an IaaS Model, the compute, storage is available as a service
91%
Security as a Service
Challenges in Cloud Computing
[Chart: Major challenges / concerns. Categories: Data Security & Privacy; Compliance Issues; Legal & Contractual Issues; Challenges in migration; Lack of clarity in pay per use Model; Integration of Cloud based applications with legacy systems. Rating scale: Critical, Very Important, Important, Less Important, Not Important.]
Data Security and Privacy - a Major inhibitor to Cloud adoption
95%
Challenge in meeting Compliance requirements – Accountability and ownership of data in the Cloud
80%
Legal & Contractual Issues – addressing geographical specific regulatory requirements especially in trans-border data flow and
Data Security & Privacy Challenges
Major Data Security Challenges in the Cloud
• 92%: Data Segregation & Protection
• 80%: Data Leak Prevention
Other Important Considerations on Cloud
• 75%: Threat and Vulnerability Management
Compliance & Legal Contractual Challenges
[Chart: Compliance challenges. Categories: Ability of provider to demonstrate compliance requirements of user …; ‘On demand’ availability of Log & Audit Trails; Feasibility of Audit and assessment of applications and systems; Addressing Specific Compliance Requirements like HIPAA, GLBA, PCI; Distribution of ownership between user organization and cloud provider. Rating scale: Critical, Very Important, Important, Less Important, Not Important.]
Compliance Considerations on Cloud
• 72%: Ability of provider to demonstrate compliance
• 71%: Feasibility of Audit and Assessment of Applications
Legal and Contractual Challenges in the Cloud
• 79%: Liability Sharing in case of data breaches and subsequent recourse mechanism
• 74%: Ownership of Intellectual property of end users information
[Chart: Legal & contractual challenges. Categories: Liability sharing in case of data breaches and subsequent recourse mechanism; Ownership of Intellectual Property of cloud based services, products and end user Information; End of Service Support Issues like retention & disposal of information, transfer of IPR.]
Measures Adopted - Addressing Data Security
Measures adopted by organization
• 69%: Including data security and privacy clauses in the contract
• 52%: Making the service provider legally liable for any data security & privacy breach
• 58%: Auditing the service provider at a defined and mutually agreed frequency
• 33%: Service Provider providing third party audit reports to your organization on a regular basis
• 44%: Mandating service providers to implement technical and organizational safeguards
• 33%: Demanding transparency in information management practices through regular reporting
• 42%: Aligning existing security & privacy strategies to address new challenges
• 31%: Updating the norms of privacy specific user transactions to incorporate new challenges
• 4%: None
Top 3 Measures adopted by Organizations
• 69%: Including security & privacy clauses in the contractual agreement
• 58%: Periodically auditing the services of Cloud service provider
• 52%: Making Cloud service provider legally liable for data breach
The emergence of security services on the cloud is yet to mature from the basic MSS models, which are currently prevalent. Strengthening the contracts and periodic audits are some of the basic measures that
Selecting the Right Cloud Provider
[Chart: Major Security & Privacy, Compliance consideration for selecting a cloud provider. Categories: Standardized security preparedness of cloud provider like ISO 27001 certification; Third Party Attestation or Seal for Privacy; Demonstration of data security and privacy capabilities by cloud provider; Transparency in Information practices followed by the cloud provider; No. of Data Security breaches in the past; Service and Operation level agreements including Security Operations; Disaster Recovery capabilities; Compliance Demonstration Capabilities. Rating scale: Critical, Very Important, Important, Less Important, Not Important.]
Security, Privacy and Compliance considerations for selecting a Cloud service provider
• 77%: Demonstration of Data Security and Privacy Capabilities of Cloud service provider
• 73%: Ability to support BCP/DR requirements
• 72%: Standardized security preparedness of Cloud service provider like ISO 27001 Certification
• 72%: Transparency in information practices followed by the Cloud service provider
Challenges faced by Cloud Providers
[Chart: Major challenges faced by cloud service providers. Categories: Meeting multiple regulatory …; Meeting multiple contractual …; Huge initial capital expenditure / …; Inadequate Research and Development; Alleviate negative perceptions about …; Unavailability of skilled resources; Migration of services provided to client …; Technological Limitations (Indian …]
Top 3 Challenges faced by Cloud providers
• 78%: ‘Technological limitation’ especially in Indian context where network bandwidth, latency and interoperability has been seen as a major challenge
• 59%: ‘Meeting multiple regulatory compliance requirements’, that vary considerably based on the type of data, geography and domain / industry. E.g. HIPAA for health records, GLBA for financial transactions, PCI DSS for credit card data, etc.
• 57%: ‘Meeting multiple contractual requirements’, especially when data protection requirements as well as data breach liabilities of different countries vary considerably
[Chart: Technological Limitations; Indian legal framework. Values: 61%, 63%, 38%.]
Role of NASSCOM – DSCI in Cloud Computing
[Chart: Role of NASSCOM-DSCI in the Cloud computing ecosystem in India. Categories: Promote data security and privacy in the evolving cloud based ecosystem; Work closely with the government to create necessary policy environment for cloud computing; Advise user organizations on the data security and privacy related aspects of cloud computing; Engage with the cloud providers to establish safe and secure cloud computing environment; Benchmark different cloud providers against their data security and privacy practices. Values: 70%, 68%, 48%, 55%, 45%.]
Recommendations
• Security standards and certifications specific to Cloud environments need to be developed for successful implementation of Cloud services
• User organizations should involve Business, IT and legal team in framing of the contract provisions
• Cloud service providers - Transparency required with their processes, certifications, information security practices, and techniques
Wipro as an Originator and System Integrator of cloud
Cloud Layer: BPaaS
  Solutions as an Originator:
    1. Mortgage origination
    2. HRO
  System Integration Services:
    1. Platform development
Cloud Layer: SaaS
  Solutions as an Originator:
    1. Public Cloud solutions: Hospital software, Auto Dealer platform, E-commerce platform, Mortgage origination, Document Management
    2. Vendor products offered on Wipro Cloud: Fidelity Banking software, MS Dynamics
  System Integration Services:
    1. System Integration Services: SFDC, Dynamic CRM, Oracle on Demand, Workday, SAP ByD, Netsuite, BPOS, Google Applications
    2. SaaS enabling Independent software vendor applications
Cloud Layer: PaaS
  Solutions as an Originator:
    No Originating solutions
  System Integration Services:
    1. Lead developer on Azure, Force.com platforms
    2. Hosted test platforms
    3. Build Private PaaS platform (wSaaS)
Cloud Layer: IaaS
  Solutions as an Originator:
    1. Wipro Cloud data centers (USA/Europe/India)
    2. Hosting for SaaS & BPaaS vendors
  System Integration Services:
    1. Build, Operate & manage Private cloud, Migration to public cloud