Security and Privacy in Cloud Computing


Academic year: 2021


Security and Privacy in Cloud Computing - Study Report

Sai Lakshmi

General Manager

(2)

• Background & Objective

• Current Scenario & Future of Cloud Computing

• Challenges in Cloud Computing

– Data Security, Data Privacy

– Compliance

– Legal and Contractual

• Challenges faced by Cloud Providers

• Recommendations

(3)


DSCI has undertaken a study on “Data Protection Challenges in Cloud Computing” in partnership with Wipro with the objective to understand the security and privacy challenges and trends in Cloud Computing with respect to Indian IT environment

As part of this study, DSCI along with Wipro conducted a survey to understand the perception of the security professionals on risks & challenges associated with Cloud Computing focusing on Security & Privacy

(4)

Study Methodology

• Survey was conducted by DSCI and Wipro

• Total of 71 professionals representing 48 organizations

Primary research – A survey across 48 organizations

Secondary research, covering the following aspects vis-à-vis Cloud Computing:

• Different Cloud deployment models (Private, Public, Hybrid etc)

• Cloud Services Models (SaaS, PaaS, IaaS, etc.)

• Current Scenario and Future of Cloud Computing

• Reasons behind considering Cloud Computing

• Challenges in the adoption of Cloud Computing

• Criteria for Cloud service provider selection

• Challenges faced by Cloud service providers

(5)


Cloud adoption in India

• Already using Cloud Computing services: 38%
• Planning to initiate a pilot project or implement less critical services: 21%
• Planning a complete migration: 2%
• Will consider based on the industry / peer adoption trend: 24%
• Not considering migration to Cloud Computing as of now: 15%

Cloud Computing in India

• World Cloud Services Revenue forecasted to reach $68.3 billion in 2010 and $148.8 billion in 2014

• Cloud Computing market in India currently stands at USD 110 million and is expected to reach USD 1,084 million by 2015*

• Software-as-a-Service (SaaS) has witnessed the highest growth and it is likely to reach a mark of USD 650 million by 2015*

(6)

Cloud Deployment models and Adoption

Private cloud. Dedicated cloud infrastructure for an org. Self Managed or Third Party, On premise / Off Premise

Public cloud. Shared Cloud Infrastructure on a cost services model selling cloud services.

Hybrid cloud. Cloud infrastructure composed of private, public and or community cloud that enables data & application portability (e.g., cloud bursting).

Community cloud. Shared cloud infrastructure managed by the organizations or a third party and may exist on premise or off premise

Deployment Decision Matrix

•Cost Effectiveness

•Management Control

•Reliability

•Accountability

•Standardization

•Adoption

•Security

• Large enterprises point toward exploring Public Clouds for hosting of non-business, non-critical, support applications only such as Document Management Systems, hosted Emails, CRM and Learning Solutions, etc

• Critical Applications, that demand data to reside within organizational systems, because of regulatory/legal requirements, remain on the Private Cloud

• Organizations often adopt Public Cloud for services where users are not required to ‘deal’ with any sensitive data

ORGANISATION PREFERENCE FOR ADOPTION OF CLOUD DEPLOYMENT MODELS (chart; legend: Private Cloud, Public Cloud; values shown: 6%, 29%, 66%)

(7)


Cloud Deployment Models

In a SaaS Model, the software is hosted at the cloud service provider’s site

In a PaaS Model, the application framework is hosted at the cloud service provider’s site

In an IaaS Model, the compute, storage is available as a service

91%

(8)

Security as a Service

(9)


Challenges in Cloud Computing

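Major challenges / concerns

• Data Security & Privacy: Critical 70%, Very Important 25%, Important 2%, Less Important 3%
• Compliance Issues: Critical 30%, Very Important 50%, Important 16%, Less Important 4%
• Legal & Contractual Issues: Critical 39%, Very Important 37%, Important 21%, Less Important 4%
• Challenges in migration: Critical 11%, Very Important 22%, Important 38%, Less Important 18%, Not Important 11%
• Lack of clarity in pay per use Model: Critical 13%, Very Important 15%, Important 47%, Less Important 24%, Not Important 2%
• Integration of Cloud based applications with legacy systems: Critical 22%, Very Important 33%, Important 33%, Less Important 8%, Not Important 4%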

Data Security and Privacy - a Major inhibitor to Cloud adoption

95%

Challenge in meeting Compliance requirements – Accountability and ownership of data in the Cloud

80%

Legal & Contractual Issues – addressing geographical specific regulatory requirements especially in trans-border data flow and

(10)

Data Security & Privacy Challenges

Major Data Security Challenges in the Cloud

92%

Data Segregation & Protection

80%

Data Leak Prevention

Other Important Considerations on Cloud

75%

Threat and Vulnerability Management

(11)


Compliance & Legal Contractual Challenges

COMPLIANCE CHALLENGES

• Ability of provider to demonstrate compliance requirements of user …: Critical 39%, Very Important 33%, Important 27%
• ‘On demand’ availability of Log & Audit Trails: Critical 24%, Very Important 44%, Important 24%
• Feasibility of Audit and assessment of applications and systems: Critical 21%, Very Important 50%, Important 27%
• Addressing Specific Compliance Requirements like HIPAA, GLBA, PCI: Critical 26%, Very Important 36%, Important 34%
• Distribution of ownership between user organization and cloud provider: Critical 27%, Very Important 41%, Important 31%

Values shown for Less Important / Not Important: 2%, 8%, 2%, 2%, 2%, 2%

Compliance Considerations on Cloud

72%

Ability of provider to demonstrate compliance

71%

Feasibility of Audit and Assessment of Applications

Legal and Contractual Challenges in the Cloud

79%

Liability Sharing in case of data breaches and subsequent recourse mechanism

74%

Ownership of Intellectual property of end users information

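LEGAL & CONTRACTUAL CHALLENGES

• Liability sharing in case of data breaches and subsequent recourse mechanism: Critical 44%, Very Important 35%, Important 21%
• Ownership of Intellectual Property of cloud based services, products and end user Information: Critical 41%, Very Important 33%, Important 22%
• End of Service Support Issues like retention & disposal of information, transfer of IPR: Critical 34%, Very Important 30%, Important 32%

Values shown for Less Important / Not Important: 4%, 4%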

(12)

Measures Adopted - Addressing Data Security

Measures adopted by organization

• Including data security and privacy clauses in the contract: 69%
• Making the service provider legally liable for any data security & privacy breach: 52%
• Auditing the service provider at a defined and mutually agreed frequency: 58%
• Service Provider providing third party audit reports to your organization on a regular basis: 33%
• Mandating service providers to implement technical and organizational safeguards: 44%
• Demanding transparency in information management practices through regular reporting: 33%
• Aligning existing security & privacy strategies to address new challenges: 42%
• Updating the norms of privacy specific user transactions to incorporate new challenges: 31%
• None: 4%

Top 3 Measures adopted by Organizations

69%

Including security & privacy clauses in the contractual agreement

58%

Periodically auditing the services of Cloud service provider

52%

Making Cloud service provider legally liable for data breach

The emergence of security services on the cloud is yet to mature from the basic MSS models, which are currently prevalent. Strengthening the contracts and periodic audits are some of the basic measures that

(13)


Selecting the Right Cloud Provider

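Major Security & Privacy, Compliance consideration for selecting a cloud provider

• Standardized security preparedness of cloud provider like ISO 27001 certification: Critical 54%, Very Important 18%, Important 12%, Less Important 4%, Not Important 12%
• Third Party Attestation or Seal for Privacy: Critical 21%, Very Important 42%, Important 21%, Less Important 15%, Not Important 2%
• Demonstration of data security and privacy capabilities by cloud provider: Critical 43%, Very Important 34%, Important 17%, Less Important 4%, Not Important 2%
• Transparency in Information practices followed by the cloud provider: Critical 43%, Very Important 29%, Important 20%, Less Important 6%, Not Important 2%
• No. of Data Security breaches in the past: Critical 41%, Very Important 22%, Important 28%, Less Important 4%, Not Important 4%
• Service and Operation level agreements including Security Operations: Critical 42%, Very Important 19%, Important 21%, Less Important 17%, Not Important 2%
• Disaster Recovery capabilities: Critical 48%, Very Important 25%, Important 13%, Less Important 6%, Not Important 8%
• Compliance Demonstration Capabilities: Critical 38%, Very Important 33%, Important 16%, Less Important 4%, Not Important 9%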

Security, Privacy and Compliance considerations for selecting a Cloud service provider

77%

Demonstration of Data Security and Privacy Capabilities of Cloud service provider

73%

Ability to support BCP/ DR requirements

72%

Standardized security preparedness of Cloud service provider like ISO 27001 Certification

72%

Transparency in information practices followed by the Cloud service provider

(14)

Challenges faced by Cloud Providers

Major challenges faced by cloud service providers (chart)

Categories: Meeting multiple regulatory …; Meeting multiple contractual …; Huge initial capital expenditure / …; Inadequate Research and Development; Alleviate negative perceptions about …; Unavailability of skilled resources; Migration of services provided to client …; Technological Limitations (Indian …

Values shown: 59%, 57%, 33%, 15%, 19%, 19%, 24%, 26%, 78%

Top 3 Challenges faced by Cloud providers

78%

‘Technological limitation’ especially in Indian context where network bandwidth, latency and interoperability has been seen as a major challenge

59%

‘Meeting multiple regulatory compliance requirements’, that vary considerably based on the type of data, geography and domain / industry. E.g. HIPAA for health records, GLBA for financial transactions, PCI DSS for credit card data, etc.

57%

‘Meeting multiple contractual requirements’, especially when data protection requirements as well as data breach liabilities of different countries vary considerably

Technological Limitations

Indian legal framework

61% 63% 38%

(15)


Role of NASSCOM – DSCI in Cloud Computing

Role of NASSCOM-DSCI in the Cloud computing ecosystem in India

• Promote data security and privacy in the evolving cloud based ecosystem: 70%
• Work closely with the government to create necessary policy environment for cloud computing: 68%
• Advise user organizations on the data security and privacy related aspects of cloud computing: 48%
• Engage with the cloud providers to establish safe and secure cloud computing environment: 55%
• Benchmark different cloud providers against their data security and privacy practices: 45%

(16)

Recommendations

Security standards and certifications specific to Cloud environments need to be developed for successful implementation of Cloud services

User organizations should involve Business, IT and legal team in framing of the contract provisions

Cloud service providers - Transparency required with their processes, certifications, information security practices, and techniques

(17)
(18)

Wipro as an Originator and System Integrator of cloud

BPaaS

Solutions as an Originator:
1. Mortgage origination
2. HRO

System Integration Services:
1. Platform development

SaaS

Solutions as an Originator:
1. Public Cloud solutions: Hospital software, Auto Dealer platform, E-commerce platform, Mortgage origination, Document Management
2. Vendor products offered on Wipro Cloud: Fidelity Banking software, MS Dynamics

System Integration Services:
1. System Integration Services SFDC, Dynamic CRM, Oracle on Demand, Workday, SAP ByD, Netsuite, BPOS, Google Applications
2. SaaS enabling Independent software vendor applications

PaaS

Solutions as an Originator:
No Originating solutions

System Integration Services:
1. Lead developer on Azure, Force.com platforms
2. Hosted test platforms
3. Build Private PaaS platform (wSaaS)

IaaS

Solutions as an Originator:
1. Wipro Cloud data centers (USA/Europe/India)
2. Hosting for SaaS & BPaaS vendors

System Integration Services:
1. Build, Operate & manage Private cloud, Migration to public cloud

(19)


Wipro’s services to cloud Originators and Enterprises

BPaaS

Services to Originators:
1. Platform development

Services to Enterprises:
1. Wipro BPaaS solutions - Mortgage origination

SaaS

Services to Originators:
1. Dev & test support for SaaS ISV’s
2. Enabling cloud services on devices (mobile)

Services to Enterprises:
1. System integration service for SFDC, Dynamic CRM, Oracle On Demand, Netsuite, BPOS, Google Apps, Workday, SAP ByD
2. Wipro solutions offered in Public Cloud: Hospital software, Auto Dealer platform, E-commerce platform, Mortgage origination, Document Management
3. ISV products offered on Wipro Cloud: Fidelity Banking software, MS Dynamic CRM

PaaS

Services to Originators:
1. Enabling devices (mobile)

Services to Enterprises:
1. Lead developer on Azure, Force.com
2. Test platforms on cloud
3. wSaaS Private PaaS

IaaS

Services to Originators:
1. Hosting for SaaS / BPaaS vendors
2. SI and test deployments for public cloud

Services to Enterprises:
1. Setting up Private cloud
2. Migration to public cloud
