Security and Privacy SLAs for Cloud services Dr. Jesus Luna, CSA Research Director EMEA Copyright © 2015 Cloud Security Alliance

How do you choose a Cloud Service Provider?
Service-related: Performance, Price, Reputation
 What about security and privacy?

(Some) cloud security BARRIERS
 The lack of transparency of some Cloud Service Providers or brokers
 Lack of clarity in Service Level Agreements
 Cloud security is not easy to understand for SMEs

In 3 words: LACK OF TRUST

HOW DO WE BUILD TRUST IN CLOUD COMPUTING?

Cloud Service Level Agreements
A documented agreement between the cloud service provider (CSP) and the cloud service customer that identifies the services and their associated quality levels (i.e., cloud service level objectives, or SLOs).
Security and privacy specifications in Cloud SLAs (secSLAs and PLAs) aim to give customers useful, measurable security and privacy information, beyond what a certification alone can offer.

secSLA + PLA: Advantages
 More transparency = customer trust!
 A standardized way to specify and manage security and privacy between CSPs and customers.
 Realistic levels of automation across the whole security life cycle: Plan (negotiation), Do (enforcement), Check (monitoring), Act (remediation).

Enabling secSLA automation: the SPECS project

European Project SPECS
Partners: CeRICT, Italy (coordinator); TUD, Germany; IeAT, Romania; CSA, United Kingdom; XLAB, Slovenia; EISI, Ireland
FP7-ICT project, type: STREP
Project start: 1 November 2013; duration: 30 months

SPECS Platform
 Hosted platform that provisions resources from partner CSPs
 Offers (security) services to customers
 Buys/brokers resources from CSPs

Example: secSLA content
 Describe the services covered by the SLA: VM instances, storage services, etc.
 Describe the CSP's security commitments (Service Level Objectives) and the associated metrics:
  Metrics: % of critical vulnerabilities, frequency of 3rd-party audits, cryptographic strength, etc.
  SLOs: Availability > 99.999%, full backup interval < 24 hrs (a full backup at least daily), etc.
 Describe the (economic) penalties associated with secSLA violations

Example: secSLA model
 Based on relevant standards/best practices (including EU guidelines)
 A security SLA that includes user preferences
 Machine-readable SLA
 Coarse-grained security requirements refined into fine-grained, measurable ones
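The three slides above describe a secSLA as a machine-readable document (services, SLOs with metrics, penalties) that a Plan/Do/Check/Act loop can act on, with coarse-grained requirements refined into fine-grained ones. The following is an added example, not SPECS or CSA code: it encodes such a secSLA as JSON-serialisable data and implements the Check step, comparing measured metrics against the SLOs, rolling fine-grained results up into coarse-grained control families, and computing the service credit owed. The JSON layout, the metric vocabulary, the control-family names and the percentage-credit penalty model are all assumptions chosen for illustration, as is the rule that an unmeasured metric counts as a violation.

```python
"""Machine-readable secSLA with SLO checking and penalty computation.

Added example (not SPECS or CSA code). The JSON schema, the metric
vocabulary, the control families and the service-credit penalty model
are assumptions chosen to illustrate the slides' secSLA content.
"""
import json
import operator
from dataclasses import dataclass, asdict

# Comparison operators allowed in an SLO threshold.
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt}


@dataclass(frozen=True)
class SLO:
    """Fine-grained commitment: <metric> <op> <target> <unit>."""
    control: str        # coarse-grained control family the SLO rolls up into
    metric: str         # security metric name (assumed vocabulary)
    op: str             # one of OPS
    target: float       # committed level
    unit: str
    penalty_pct: float  # service credit (% of fee) owed per violated SLO (assumed)


@dataclass(frozen=True)
class SecSLA:
    provider: str
    services: tuple     # services covered, e.g. VM instances, storage
    slos: tuple         # the provider's security commitments


def sla_to_json(sla):
    """Serialise the secSLA so both parties can exchange and diff it."""
    return json.dumps(asdict(sla), indent=2)


def sla_from_json(text):
    """Parse the JSON form back into dataclasses (tuples keep SecSLA hashable)."""
    d = json.loads(text)
    return SecSLA(d["provider"], tuple(d["services"]),
                  tuple(SLO(**s) for s in d["slos"]))


def check_slo(slo, measurements):
    """True if the measured value meets the SLO.

    A metric with no measurement counts as violated (assumed rule): a
    commitment the customer cannot monitor gives no assurance at all.
    """
    value = measurements.get(slo.metric)
    return value is not None and OPS[slo.op](value, slo.target)


def evaluate(sla, measurements):
    """Check step of the Plan/Do/Check/Act loop.

    Returns (controls, violated, credit): per-control compliance (coarse
    grained), the violated metric names (fine grained) and the total
    service credit in %, capped at 100.
    """
    violated = [s for s in sla.slos if not check_slo(s, measurements)]
    controls = {}
    for s in sla.slos:
        controls[s.control] = controls.get(s.control, True) and s not in violated
    credit = min(100.0, sum(s.penalty_pct for s in violated))
    return controls, [s.metric for s in violated], credit


# Constructed secSLA mirroring the metrics/SLOs named on the slide.
SAMPLE_SECSLA = SecSLA(
    provider="ExampleCSP",
    services=("VM instances", "Object storage"),
    slos=(
        SLO("Business continuity", "availability", ">=", 99.999, "%", 10.0),
        SLO("Business continuity", "full_backup_interval", "<=", 24.0, "hours", 5.0),
        SLO("Vulnerability management", "critical_vulns_pct", "<=", 0.0, "% of assets", 15.0),
        SLO("Audit and assurance", "third_party_audits_per_year", ">=", 1.0, "count", 5.0),
        SLO("Cryptography", "min_symmetric_key_bits", ">=", 256.0, "bits", 20.0),
    ),
)

# Constructed monitoring readings for one billing period.
SAMPLE_MEASUREMENTS = {
    "availability": 99.99,               # four nines where five were committed
    "full_backup_interval": 20.0,
    "critical_vulns_pct": 2.5,
    "third_party_audits_per_year": 1.0,
    "min_symmetric_key_bits": 128.0,     # AES-128 where 256 bits were committed
}

if __name__ == "__main__":
    # Round-trip the machine-readable form, then run the Check step on it.
    sla = sla_from_json(sla_to_json(SAMPLE_SECSLA))
    controls, violated, credit = evaluate(sla, SAMPLE_MEASUREMENTS)
    for control, ok in controls.items():
        print(f"{control:28s} {'OK' if ok else 'VIOLATED'}")
    print("violated SLOs:", violated)
    print(f"service credit owed: {credit}%")
```

The coarse/fine split is what makes the result usable for the SME audience the earlier slide worries about: a customer can read "Cryptography: VIOLATED" without knowing what a key length is, while the fine-grained list tells the provider exactly which commitment to remediate (the Act step). Treating a missing measurement as a violation is deliberate: an SLO without a monitoring source is the "lack of transparency" barrier in another form.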

Developing a Cloud SLA for Privacy: CSA PLA

Privacy Level Agreement v1
Privacy Level Agreements (PLA) v1 is a transparency and voluntary disclosure mechanism for CSPs offering services in the European Economic Area (EEA).
PLA is intended to provide:
 cloud customers and potential customers with a tool to assess a CSP's commitment to information privacy and personal data protection practices (and to support informed decisions); and
 CSPs with a tool (template) for making privacy and data protection disclosures that address the recommendations issued throughout 2012 by the Article 29 Working Party and several EU DPAs.

Content of PLA v1
 Contact information
 Ways in which data will be processed
 Data transfer
 Data security measures
 Monitoring
 Personal data breach notification
 Data portability, migration and transfer-back assistance
 Data retention, restitution and deletion
 Accountability
 Cooperation
 Law enforcement access

Privacy Level Agreement v2
Objective 1: Define a PLA outline for the global market, based on the experience with PLA v1.
Objective 2: Define a privacy compliance mechanism for the European Union based on PLA v1, moving from a transparency mechanism to a compliance tool, and seek the endorsement of the Art. 29 Working Party.

Excerpt from the PLA v1 outline (column headings reconstructed from the outline's annotations):

6. PERSONAL DATA BREACH NOTIFICATION
A personal data breach is defined by EU Directive 2002/58/EC, Article 2(i), as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community."

Requirement | Legal obligation? | Further guidance? | Applicability
Specify how, and within what timeframe, the customer will be notified of a personal data breach affecting the CSP and/or its subcontractors | Yes, for electronic communication service providers | Yes | Applicable
Specify how the competent Supervisory Authority(ies) and data subjects will be informed of personal data breaches, and within what timeframe | Yes, for electronic communication service providers | Yes | Applicable / Not Applicable

7. DATA PORTABILITY, MIGRATION, AND TRANSFER BACK ASSISTANCE

Requirement | Legal obligation? | Further guidance? | Applicability
Specify the formats, preservation of logical relations, and any costs associated with the portability of data, applications and services | Yes (this obligation can be inferred from the current EU data protection legal framework; it is referred to in a number of A29WP Opinions and specifically set forth in the draft General Data Protection Regulation) | - | Applicable
Describe whether, how, and at what cost the CSP will assist customers in migrating the data to another provider or back to an in-house IT environment | Yes (this obligation can be inferred from the current EU data protection legal framework) | - | Applicable

Cloud secSLAs and PLAs: are we there yet?

Challenges
 Standards (vocabularies, metrics, …) and best practices (making Cloud SLAs usable for SMEs). ISO/IEC
 Cloud supply chains / multi-cloud systems.
 Certifications, or SLAs, or both?

Contacts
Help Us Secure Cloud Computing
LinkedIn:
SPECS:

THANK YOU!

Enter the cloud
"The cloud can deliver a net gain of 2.5 million new European jobs, and an annual boost of EUR 160 billion to EU GDP (around 1%), by 2020." European Cloud Strategy, 2013
"Cloud gives you the ability to very quickly stand up an infrastructure and test new ideas" IBM, 2013
"Driving innovation AND lowering costs? That's a lot of pressure. The solution is the cloud" SAP, 2014