Information Technology:
This Year’s Hot Issue - Cloud Computing
National Institute of Standards and Technology (NIST) Working Definition
The National Institute of Standards and Technology (NIST) defined cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
There currently are three basic service models, delivered through public, private or hybrid delivery models.
Public Cloud Service Models
Software as a Service (SaaS)
• Use provider’s application over the Internet
Platform as a Service (PaaS)
• Deploy enterprise-created applications in a cloud
Infrastructure as a Service (IaaS)
• Rent processing, storage, network capacity, and other fundamental computing resources
The Cloud is Wonderful, but…
How can I maintain control of my data in the cloud?
What if I want to change cloud vendors? How can I verify my data is “destroyed” when terminating a service provider?
What happens if my service provider goes out of business?
How can I comply with security best practices, internal governance and compliance rules in the cloud?
How can I guarantee only I have access to my data?
Information is no longer in your direct custody or control… data is handed over to a third party to manage
Cloud providers often use third party providers themselves, putting further distance between you and where your data is used and potentially stored
Information may be resident in another jurisdiction or in multiple jurisdictions
Multiple third parties have access to the physical devices and the processing environment, even if virtually segregated:
□ Cloud providers sometimes implement security assuming that those outside of their cloud are evil, and those inside are good… but what if those inside are also evil?
Protection of personal information should consider the impact of the cloud on each phase
Is data commingled with information from other organizations that use the same vendor?
What third parties can access my information?
□ In some jurisdictions, governments may have the right and ability to search through data without necessarily notifying the data owner.
Does the cloud provider itself have any right to see and access customer data?
□ Some vendors today track user activity for a range of purposes, from sending targeted advertising to improving services.
How long is personal information retained in the cloud?
Which retention policy governs the data?
Who enforces the retention policy in the cloud, and how are exceptions to this policy (such as litigation holds) managed?
Does the customer own the data, or the vendor?
How does the cloud provider destroy data at the end of the retention period?
Cloud storage providers often replicate the data across multiple systems and sites:
□ How do you assure the vendor didn’t retain additional copies?
□ Did the vendor really destroy the data, or just make it inaccessible to the organization?
□ Is the vendor keeping the information longer than necessary so that it can mine the data for its own use?
How do organizations ensure that their PII is destroyed by the vendor at the right point?
Trade Secrets
Privileged Information
Access by Governmental Entities
Export Control Issues
Approaching Privacy in the Cloud
Sensitive Data
Define the Workload (isolate a function)
Classify the Relevant Data
Assess the Associated Risks
Determine Legal and Regulatory Requirements
Define Appropriate
Establish Contractual Obligations
The original custodian is responsible for protecting and safeguarding the personal information
The original custodian must make informed choices about data handling, including what services and providers to use for its processing
Should be a risk-based approach
□ What is the sensitivity of the information?
□ What is the risk to the data?
□ What role does the jurisdiction play in that risk?
If the risk is high and the safeguards cannot be assured, then don’t use the service provider
Threshold Questions/Issues
Where and how will users access the cloud?
How secure is the cloud provider?
□ Does it have incident response, notification and remediation processes?
□ Are its servers in a secure facility?
□ Does it conduct ongoing 3rd party assessments (e.g., SAS 70 Type II Audits) and make these available to customers?
□ Does the provider segregate job duties, limit access to systems, limit access to customers’ data?
□ Does it use strong authentication and robust password policies?
1. Can I see your data center? Ask the vendor to show you their environment and explain their security controls.
2. How do I move my apps to the cloud? Understand the processes and procedures, which may introduce additional security risks.
3. How are my apps and data protected from other users on the same cloud servers? Understand how vendors handle multiple tenants on the same cloud servers and how segregation of data and applications is achieved.
4. Can I speak with some of your customers?
Customer references will give you the opportunity to
5. Can I move an existing app from my servers to your cloud without massive reconfiguration? The cloud vendor's infrastructure is likely different.
6. How do I get my data back? In the event you need to move applications and data back into your data center (or to another cloud vendor), know where your data is stored and how you will get it back.
7. How do you address government regulations? It is critical to know how your cloud vendor is handling your data so you can assure regulatory compliance.
8. What will I really pay? Cloud vendors sometimes leave details out of their cost estimates (e.g., cost of data transfer and set up).
• Avoid take-it-or-leave-it agreements with standard, non-negotiable terms.
• To ensure that your organization’s data is not inadvertently mingled with that of any other company (especially a competitor), ascertain the provider’s data segregation procedures:
□ Ensure that no one other than your organization has access to the data, even in a multi-tenant shared-hosting environment
□ Determine how frequently the provider monitors its environment to confirm that data is properly segregated
• The cloud provider should have good disaster recovery and business continuity plans
Has cloud provider implemented a security incident response plan (including forensic investigations and remediation procedures)?
How will provider deal with electronic discovery requests?
Will provider sign EU model contract clauses or become Safe Harbor certified if needed?
Does provider have good physical security measures in its data centers (video cameras, key card entry, security personnel, etc.)?
Does provider conduct background checks on IT administrators who will have access to the cloud?
Does provider have current certifications, as applicable? (e.g., PCI DSS, ISO 27001/02, SAS 70)