Privacy, Assessments, and Cloud
Wayne Pauley, EMC Corporation
UMass Lowell, November 3, 2010
© Copyright 2010 EMC Corporation. All rights reserved.
Slide 2: The Focus Area
Cloud Computing
– Economic Drivers for the Enterprise
– Top Concerns: Security & Privacy
Privacy & Security
– Relatively New Area of Research
– Challenges Exacerbated
  Shared Resource Model
  Highly Automated Self-Service
  Loss of Control
– Regulatory vs. Self-Regulated?
– Lifecycle Needed
  Starts with Assessment
  Adds to Privacy Knowledge
Image from: https://www.expresscertifications.com/ISC2/
Slide 3: The Justification
In the context of the enterprise, Smith (2004) stated that private information relates to information that companies value as intellectual property, information about their customers, and information about their employees. Smith (2004) also stated that the enterprise is driven to improve privacy protections by an external force such as a change in regulations or a breach. Cloud computing is an emerging technology that holds promise to replace traditional client-server architectures by providing new economic incentives for the enterprise (Foster, Zhao, Raicu, and Lu, 2008). Yee (2009) defined a requirement that the privacy standard of one provider must be maintained when information flows to, and is potentially stored by, another provider. Clarke (2009) suggests that privacy is a strategic variable for the enterprise and that adoption of Privacy Impact Assessments (PIA) is an element of cogent management. Yee (2009) also defined the provider's obligation to build in provisions that give users control over the provider's collection, retention, and distribution of information about the user.
Slide 4: Research in Progress
Position Paper
– Risk Assessment as a Service (March 2010)
– Co-authored with Dr. Burton Kaliski
Empirical Studies
– Cloud Service Provider Transparency (May 2010)
– Privacy Risk Assessment Methodologies in the Cloud (Nov./Dec. 2010)
Slide 5: Risk Assessment: Definition
– Quantitative and/or qualitative valuation of risk in a specific context against a given threat with a probability of occurrence
– Includes system characterization, threat assessment, vulnerability analysis, impact analysis, and risk determination
– Many well-established standards for assessing security; some for privacy as well
Slide 6: Risk Assessment in the Cloud: Challenges
Cloud Characteristic (per NIST) and the challenge it raises:
– On-Demand Self-Service: human interaction is replaced with automated controls, which now must be trained to pass security audits
– Broad Network Access: endpoints can be of any type and in any location, not just a pre-approved set
– Resource Pooling:
  Dynamic allocation and virtualization mean that resources are not known in advance
  Multi-tenancy brings threats in house
  Location independence introduces significant diversity in applicable laws
Slide 7: Risk Assessment in the Cloud: Challenges (continued)
Cloud Characteristic (per NIST) and the challenge it raises:
– Rapid Elasticity: cloud bursting engages multiple levels of sub-providers, who must also be assessed
– Measured Service: metering information has more detail about multiple tenants, making it a higher-value target
Economics of the cloud also complicate assessments:
– Cloud infrastructures will be constantly changing due to market growth and M&A, so risk assessments will rapidly become stale
– Cost competition may discourage investment in risk assessments while increasing risk-taking
Slide 8: Proposal: Risk Assessment as a Service
Approach: an automated risk score (e.g. like a credit score)
– for a given tenant or application, or for general use
– pre-assessment and on-demand
Modes: provider self-assessment, third-party audit, consumer assessment (non-privileged)
– internal and external agents involved
Policy-based IT management translates the assessment of underlying dynamic resources into an overall score
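As an added illustration (not code from the slides, EMC or the authors' paper), the following shows one way such a service could fold time-stamped, per-resource assessments produced in the three modes above into a single credit-score-style number. The four scored areas are the ones from the transparency scorecard later in the deck; the 30-day staleness window, the per-source weights, the weakest-resource rule, the 0-1000 scale and the sample tenant are all assumptions made for the example. It deliberately exercises two failure modes the slides name: an assessment that has gone stale because the infrastructure changed, and a resource for which the non-privileged consumer view yields no evidence.

```python
"""Toy "risk assessment as a service" scorer: a constructed illustration, not EMC code.

Each cloud resource carries a time-stamped per-area assessment produced by one
of the three modes on the slide (provider self-assessment, third-party audit,
consumer assessment). The aggregator turns those dynamic, possibly stale or
incomplete, results into one tenant-level score on a 0-1000 scale.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The four scorecard areas from the transparency study.
AREAS = ("security", "privacy", "audit", "service_level")

# Assumed policy: an assessment older than this gives no assurance at all
# (the slides note that cloud risk assessments rapidly become stale).
MAX_AGE = timedelta(days=30)

# Assumed policy: evidence is discounted by who produced it; a non-privileged
# consumer view sees less than a third-party auditor.
SOURCE_WEIGHT = {"third_party": 1.0, "provider_self": 0.8, "consumer": 0.6}


@dataclass
class ResourceAssessment:
    resource_id: str
    assessed_at: datetime
    # 0.0 (worst) .. 1.0 (best) per area; None means no evidence was obtainable
    scores: Dict[str, Optional[float]] = field(default_factory=dict)
    source: str = "provider_self"


def effective_area_score(a: ResourceAssessment, area: str, now: datetime) -> float:
    """One area of one resource after the missing-evidence, staleness and source rules."""
    raw = a.scores.get(area)
    if raw is None:
        return 0.0  # insufficient information is scored as failing, not skipped
    age = max(now - a.assessed_at, timedelta(0))  # clock skew never yields >100% freshness
    if age > MAX_AGE:
        return 0.0  # stale: must be re-assessed on demand before it counts again
    freshness = 1.0 - age / MAX_AGE  # linear decay toward 0 within the window
    return raw * freshness * SOURCE_WEIGHT.get(a.source, 0.5)


def tenant_score(assessments: List[ResourceAssessment], now: datetime) -> dict:
    """Fold per-resource assessments into a 0-1000 score plus per-area detail.

    Per area the tenant is rated by its weakest resource, so one stale or
    unassessed VM drags the whole tenant down rather than averaging away.
    """
    if not assessments:
        return {"score": 0, "areas": {}, "resources": 0}
    areas = {area: min(effective_area_score(a, area, now) for a in assessments)
             for area in AREAS}
    overall = sum(areas.values()) / len(AREAS)
    return {"score": round(overall * 1000), "areas": areas, "resources": len(assessments)}


# Constructed sample tenant: a web VM audited by a third party, an application VM
# seen only through a consumer (non-privileged) assessment with no audit evidence,
# and a database whose last audit is 45 days old.
NOW = datetime(2010, 11, 3, tzinfo=timezone.utc)
SAMPLE_STALE = [
    ResourceAssessment("vm-web-1", NOW - timedelta(days=3),
                       {"security": 0.9, "privacy": 0.8, "audit": 0.7, "service_level": 0.9},
                       "third_party"),
    ResourceAssessment("vm-app-1", NOW,
                       {"security": 0.8, "privacy": 0.7, "audit": None, "service_level": 0.9},
                       "consumer"),
    ResourceAssessment("db-1", NOW - timedelta(days=45),
                       {"security": 1.0, "privacy": 1.0, "audit": 1.0, "service_level": 1.0},
                       "third_party"),
]
# The same tenant after an on-demand re-audit of the database one day ago.
SAMPLE_FRESH = SAMPLE_STALE[:2] + [
    ResourceAssessment("db-1", NOW - timedelta(days=1),
                       {"security": 1.0, "privacy": 1.0, "audit": 1.0, "service_level": 1.0},
                       "third_party"),
]

if __name__ == "__main__":
    print("stale db :", tenant_score(SAMPLE_STALE, NOW))
    print("fresh db :", tenant_score(SAMPLE_FRESH, NOW))
```

With the stale database the tenant scores 0 in every area, which is the intended signal that an on-demand re-assessment is overdue; after the re-audit the score rises to 360, still capped by the application VM, whose consumer-mode assessment carries no audit evidence and is discounted as non-privileged. The weakest-resource rule is the design choice worth questioning for a real deployment: it is conservative and easy to explain, but a large tenant with one unassessed resource will always score 0 in that area until the gap is closed.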
Slide 9: A Possible Architecture (diagram)
Slide 10: Transparency Challenges
Self-Serviceness
– Lowest Cost at the Expense of Customer Service
– Portal tells part of the story
Manual Methods
– Time Consuming
– Much of the data not publicly available
– No scoring system
Slide 11: Transparency Results
Self-Service Method
Basic Scorecard: Four Areas
– Security
– Privacy
– Audit
– Service Level
Findings
– Manual method time consuming
– Results varied based on public information & centralization of information
– Insufficient information via self-service method
Slide 12: Privacy Assessments
Privacy Impact Assessments
– Questionnaire-based pre-assessment
– ISO/IEC 22307:2008
– DHS/DOJ PIA Template
– Shared Assessments
Security Assessments
– Subset of questionnaire
– ISO/IEC 27002:2005
– CMU OCTAVE Allegro

Assessment Name | Authority | Security or Privacy | Pre or Post Assessment
ISO/IEC 27002:2005 | Standard | Security | Post
ISO/IEC 22307:2008 | Standard | Privacy | Pre
OCTAVE Allegro | Standard | Security | Post
DHS/DOJ PIA | Best Practice | Privacy | Pre
Shared Assessments Privacy Assessment | Best Practice | Privacy | Post
Slide 13: Cloud Privacy Assessment
Six Privacy Dimensions Evaluated
– Notice, Access and Consent (FIPS)
– Permissions, Regulations & Data Flows, Management & Organization
Five Cloud Characteristics Scored
– On-demand & Self-Service
– Broad Network Access
– Resource Pooling
– Rapid Elasticity
– Measured Service
Four-Phased Approach
– External via Self-service
– As a Customer via Self-service
– As a Customer using customer service chat/email
– Survey CSP Security/Privacy Office
Three Cloud Providers
– Must be IaaS Providers
– Offer includes Self-Service
Slide 14: RAA
Theoretical Reference Application Architecture
– Application, Web server, & Database
– Database has regulated data in it
  Employee, Customer, and Corporate data
  Regulated as PII, HIPAA, SOX, & PCI data
Size of RAA is Important
– Ideally enough data to cross hard-drive boundaries
– Enough VMs to reside on multiple servers
– Shared across multiple data-centers
North American based Providers
– Not studying trans-border issues outside US
– Scope creep due to expanded regulatory requirements
Slide 15: Topics for Further Research
Automated measurement and analysis for risk assessment
– What sensors are needed? What language to use? e.g., CloudAudit defines a dictionary based on common standards
– Automated adjustment based on the assessment
Trust assurances for measurements
– Who guards the guards?
Effectiveness of automated assessment vs. traditional approaches
Defining what is Privacy Knowledge in the enterprise
Practical Privacy Assessment & Privacy Scoring methodologies
Slide 16: References
Clarke, R. (2009). Privacy impact assessment: Its origins and development. Computer Law & Security Review, 25, 123-135.
Foster, I., Zhao, Y., Raicu, I., & Lu, S. (2008). Cloud computing and grid computing 360-degree compared. Proceedings of the IEEE Grid Computing Environments Workshop, 1-10.
Kaliski, B. S. Jr., & Pauley, W. (2010). Toward risk assessment as a service in cloud environments. Proceedings of the 2nd USENIX Conference on Hot Topics in Cloud Computing, 13-26.
Pauley, W. (2010). Cloud provider transparency: An empirical evaluation. IEEE Security and Privacy, 18-25.
Smith, H. J. (1994). Managing privacy: Information technology and corporate America. Chapel Hill, NC: University of North Carolina Press.
Smith, H. J., Milberg, S. J., & Burke, S. J. (1996). Information privacy: Measuring individuals' concerns about organizational practices. MIS Quarterly, 20(2), 167-196.
Tsoumas, B., Dritsas, S., & Gritzalis, D. (2005). An ontology-based approach to information systems security management. In V. Gorodetsky, I. Kotenko, & V. Skormin (Eds.), Lecture Notes in Computer Science (Vol. 3685, pp. 151-164). Berlin, Germany: Springer.
Yee, G. (2009). Estimating the privacy protection capability of a web service provider. International Journal of Web Services Research, 6(2), 20-41.
Slide 17: Contact Information
Burt Kaliski
Director, EMC Innovation Network
Founding Scientist, RSA Laboratories
firstname.lastname@example.org
email@example.com
community.emc.com/people/kalisb
Wayne Pauley
Advisory Technical Consultant
firstname.lastname@example.org
email@example.com
www.privately-exposed.com