Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.cloudsecurityalliance.org Security and Privacy SLAs for Cloud services Dr. Jesus Luna, CSA Research Director EMEA Copyright © 2015 Cloud Security Alliance.

Published byTheodore Barnett Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.cloudsecurityalliance.org Security and Privacy SLAs for Cloud services Dr. Jesus Luna, CSA Research Director EMEA Copyright © 2015 Cloud Security Alliance."— Presentation transcript:

1 www.cloudsecurityalliance.org Security and Privacy SLAs for Cloud services Dr. Jesus Luna, CSA Research Director EMEA Copyright © 2015 Cloud Security Alliance

2 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance How do you choose a Cloud Service Provider? Performance Price Reputation  What about security and privacy? Service-related:

3 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2014 Cloud Security Alliance (Some) cloud security BARRIERS The lack of transparency of some Cloud Service Providers or brokers Lack of clarity in Service Level Agreements Cloud security not easy to understand for SME’s

4 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance In 3 words: LACK OF TRUST

5 HOW DO WE BUILD TRUST IN CLOUD COMPUTING?

6 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance Cloud Service Level Agreements Documented agreement between the cloud service provider (CSP) and cloud service customer that identifies services and associated quality levels (i.e., cloud service level objectives or SLOs). Security and Privacy specification in Cloud SLAs (secSLAs and PLAs) aims to provide useful/measurable (security/privacy) information to Customers, beyond what we can find on certifications.

7 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance secSLA + PLA: Advantages More transparency = Customer trust! Create a standardized way to specify/manage security and privacy among CSPs and Customers. Enable realistic levels of automation for the whole security life cycle: Plan (negotiation), Do (enforcement), Check (monitoring), Act (remediation).

8 Enabling secSLA automation: the SPECS project

9 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance European Project SPECS CeRICT, Italy (coordinator) TUD, Germany IeAT, Romania CSA, United Kingdom XLAB, Slovenia EISI, Ireland FP7-ICT-10-610795 Project Start: 1/11/2013 Project Type: STREP Duration: 30 Months

10 SPECS Platform Hosted Platform provisions resources from partner CSP’s Offers (Security) Services to Customers Buys/Brokers resources from CSP’s www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance

11 Example: secSLAcontent Example: secSLA content www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance Describe the services covered by the SLA: VM instances, Storage services, etc. Describe the CSP’s security commitments (Service Level Objectives) and associated metrics: Metrics: % of Critical Vulnerabilities, Frequency of 3rd party audits, Cryptographic Strength, etc. SLO: Availability > 99,999%, Full Backup Frequency < 24hrs, etc. Describe (economic) penalties associated to secSLA violation

12  Based on relevant standards/best practices (including EU guidelines)  Security SLA that includes user preferences  Machine readable SLA Example: secSLAmodel Example: secSLA model Fine grained security requirements Coarse grained security requirements 12

13 Developing a Cloud SLA for Privacy: CSA PLA

14 Privacy Level Agreement v1 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance Privacy Level Agreements (PLA) v1 is a powerful transparency and voluntary disclosure mechanism for those CSPs offering services in the European Economic Area (EEA). PLA is intended to provide: Cloud customers and potential customers with a tool to assess a CSP’s commitment to address information privacy and personal data protection practices (and to support informed decisions); and CSPs with a tool (template) for making privacy and data protection disclosures that address the recommendations provided throughout 2012 by the Article 29 WP and several EU DPAs.

15 www.cloudsecurityalliance.org Copyright © 2012 Cloud Security Alliance Content of PLA v1 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance  Contact information  Ways in which data will be processed  Data transfer  Data security measures  Monitoring  Personal Data Breach Notification  Data portability, Migration and Transfer back assistance  Data retention, restitution and deletion  Accountability  Cooperation  Law Enforcement Access

16 Privacy Level Agreement v2 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance Objective 1: Define a PLA outline for the global market based on the experience of PLA v1. Objective 2: Define a privacy compliance mechanism for the European Union based on PLA v1, moving from a transparency mechanism into a compliance tool, and to seek for the endorsement of the Art.29 Working Party.

17 6. PERSONAL DATA BREACH NOTIFICATION A personal data breach is defined by EU Directive 2002/58/EC in Article 2 (i) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.” Specify how, and within what timeframe, customer will be notified of personal data breach affecting CSP and/or its subcontractors Yes for electronic communication service providers YesApplicable Specify how the competent Supervisory Authority(ies) and data subjects will be informed of personal data breaches, and within what timeframe Yes for electronic communication service providers YesApplicableNot Applicable 7. DATA PORTABILITY, MIGRATION, AND TRANSFER BACK ASSISTANCE Specify the formats, preservation of logical relations, and any costs associated with the portability of data, applications and services Yes (This obligation can be inferred from the actual EU data protection legal framework; it is referred to in a number of A29WP Opinions and spcifically set forth in the draft General Data Protection Regulation) -Applicable Describe whether, how, and at what cost CSP will assist customers in the possible migration of the data to another provider or back to an in-house IT environment Yes (This obligation can be inferred from the actual EU data protection legal framework) -Applicable

18 Cloud secSLAs and PLAs: are we there yet?

19 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance Challenges Standards (vocabularies, metrics, …), and best practices (making Cloud SLAs usable for SMEs). ISO/IEC 19086 Cloud supply chains/multi-cloud systems. Certifications or SLA’s or both?

20 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance Contacts Help Us Secure Cloud Computing www.cloudsecurityalliance.org www.cloudsecurityalliance.org www.cloudsecurityalliance.org info@cloudsecurityalliance.org info@cloudsecurityalliance.org jluna@cloudsecurityalliance.org jluna@cloudsecurityalliance.org LinkedIn: www.linkedin.com/groups?gid=1864210 LinkedIn: www.linkedin.com/groups?gid=1864210www.linkedin.com/groups?gid=1864210 Twitter: @cloudsa Twitter: @cloudsa SPECS: http://www.specs-project.eu/ SPECS: http://www.specs-project.eu/http://www.specs-project.eu/

21 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org THANK YOU! Copyright © 2015 Cloud Security Alliance

22 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2015 Cloud Security Alliance Enter the cloud “The cloud can deliver a net gain of 2.5 million new European jobs, and an annual boost of EUR 160 billion to EU GDP (around 1%), by 2020.” European Cloud Strategy, 2013 “Cloud gives you the ability to very quickly stand up an infrastructure and test new ideas” IBM, 2013 “Driving innovation AND lowering costs? That’s a lot of pressure. The solution is the cloud” SAP, 2014

Download ppt "Www.cloudsecurityalliance.org Security and Privacy SLAs for Cloud services Dr. Jesus Luna, CSA Research Director EMEA Copyright © 2015 Cloud Security Alliance."

Similar presentations

1 Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive Safe Harbour Conference Washington.

1 Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive Safe Harbour Conference Washington.
Digital Agenda Unleashing the Potential of Cloud Computing in Europe Ken Ducatel Head of Unit Software and Services, Cloud European Commission (Directorate.

Digital Agenda Unleashing the Potential of Cloud Computing in Europe Ken Ducatel Head of Unit Software and Services, Cloud European Commission (Directorate.
European Cloud Computing Conference Panel 1: What should be the legal framework to help create a market for Cloud services? Dalibor Baskovc Member Executive.

European Cloud Computing Conference Panel 1: What should be the legal framework to help create a market for Cloud services? Dalibor Baskovc Member Executive.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Keynote.

Copyright © 2011 Cloud Security Alliance Keynote.
Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance.

Copyright © 2011 Cloud Security Alliance.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
This project is partially funded by the European Union’s Seventh Framework Programme: FP7-ICT-2013-10 and Grant agreement no: 610650 REPUBLIC OF SLOVENIA.

This project is partially funded by the European Union’s Seventh Framework Programme: FP7-ICT and Grant agreement no: REPUBLIC OF SLOVENIA.
Communications Briefing: Navigating the clouds Sam Parr and Ian Walden Wednesday 21 October 2009, 12.00 – 2.00 pm.

Communications Briefing: Navigating the clouds Sam Parr and Ian Walden Wednesday 21 October 2009, – 2.00 pm.
CROATIAN REGULATORY AUTHORITY FOR NETWORK INDUSTRIES (HAKOM) TELECOM SINGLE MARKET – CHALLENGES AND CONCERNS DOMAGOJ MARIČIĆ, CROATIAN REGULATORY AUTHORITY.

CROATIAN REGULATORY AUTHORITY FOR NETWORK INDUSTRIES (HAKOM) TELECOM SINGLE MARKET – CHALLENGES AND CONCERNS DOMAGOJ MARIČIĆ, CROATIAN REGULATORY AUTHORITY.
Europol’s tailor-made data protection framework

Europol’s tailor-made data protection framework
P3P: Platform for Privacy Preferences Charlin Lu Sensitive Information in a Wired World November 11, 2003.

P3P: Platform for Privacy Preferences Charlin Lu Sensitive Information in a Wired World November 11, 2003.
Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.

Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.
Building trust in the Cloud: the CSA perspective Daniele Catteddu, Managing Director EMEA & OCF-STAR Program Director Cloud Security Alliance © Cloud Security.

Building trust in the Cloud: the CSA perspective Daniele Catteddu, Managing Director EMEA & OCF-STAR Program Director Cloud Security Alliance © Cloud Security.
Per Anders Eriksson

Per Anders Eriksson
Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.

Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.
Social Europe The European job search network (EURES) Citizen and business mobility across regions and cities Committee of the Regions 9 October 2013,

Social Europe The European job search network (EURES) Citizen and business mobility across regions and cities Committee of the Regions 9 October 2013,
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

Similar presentations

Ads by Google