Privacy, Assessments, and Cloud
Wayne Pauley, EMC Corporation
UMass Lowell, November 3, 2010
The Focus Area
• Cloud Computing
  • Economic Drivers for the Enterprise
  • Top Concerns: Security & Privacy
• Privacy & Security
  • Relatively New Area of Research
  • Challenges Exacerbated
    • Shared Resource Model
    • Highly Automated
    • Self-Service
    • Loss of Control
  • Regulatory vs. Self-Regulated?
• Lifecycle Needed
  • Starts with Assessment
  • Adds to Privacy Knowledge
Image from: https://www.expresscertifications.com/ISC2/
The Justification
• In the context of the enterprise, Smith (2004) stated that private information relates to information that companies value as intellectual property, information about their customers, and information about their employees.
• Smith (2004) also stated that the enterprise is driven to improve privacy protections by an external force such as a change in regulations or a breach.
• Cloud computing is an emerging technology that holds promise to replace traditional client-server architectures by providing new economic incentives for the enterprise (Foster, Zhao, Raicu, and Lu, 2008).
• Yee (2009) defined a requirement that the privacy standard of one provider must be maintained when information flows to, and is potentially stored by, another provider.
• Clarke (2009) suggests that privacy is a strategic variable for the enterprise and that adoption of Privacy Impact Assessments (PIA) is an element of cogent management.
• Yee (2009) defined the provider's obligation to build in provisions that give users control over the provider's collection, retention, and distribution of information about the user.
Research in Progress
• Position Paper
  • Risk Assessment as a Service (March, 2010)
    • Co-authored with Dr. Burton Kaliski
• Empirical Studies
  • Cloud Service Provider Transparency (May, 2010)
  • Privacy Risk Assessment Methodologies in the Cloud (Nov./Dec., 2010)
Risk Assessment: Definition
• Quantitative and/or qualitative valuation of risk in a specific context against a given threat with a probability of occurrence
• Includes system characterization, threat assessment, vulnerability analysis, impact analysis, and risk determination
• Many well-established standards for assessing security; some for privacy as well
Risk Assessment in the Cloud: Challenges
• Economics of the cloud also complicate assessments:
  • Cloud infrastructures will be constantly changing due to market growth and M&A; risk assessments will rapidly become stale
  • Cost competition may discourage investment in risk assessments while increasing risk-taking
Proposal: Risk Assessment as a Service
• Approach: an automated “risk score” (e.g. like a “credit score”)
  • For a given tenant or application, or for general use
  • Pre-assessment and on-demand
• Modes: provider self-assessment, third-party audit, consumer assessment (non-privileged)
  • Internal and external agents involved
• Policy-based IT management translates assessment of underlying dynamic resources into an overall score
Transparency Challenges
• “Self-Serviceness”
  • Lowest cost at the expense of customer service
  • Portal tells part of the story
• Manual Methods
  • Time consuming
  • Much of the data not publicly available
  • No scoring system
Transparency Results
• Self-Service Method
  • Basic Scorecard
  • Four Areas
    • Security
    • Privacy
    • Audit
    • Service Level
• Findings
  • Manual method time consuming
  • Results varied based on public information & centralization of information
  • Insufficient information via self-service method
Privacy Assessments
• Privacy Impact Assessments
  • Questionnaire based pre-assessment
  • ISO/IEC 22307:2008
  • DHS/DOJ PIA Template
  • Shared Assessments
• Security Assessments
  • Subset of questionnaire
  • ISO/IEC 27002:2005
  • CMU OCTAVE Allegro
Cloud Privacy Assessment
• Six Privacy Dimensions Evaluated
  • Notice, Access and Consent (FIPS)
  • Permissions, Regulations & Data Flows, Management & Organization
• Five Cloud Characteristics Scored
  • On-demand & Self-Service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service
• Four Phased Approach
  • External via self-service
  • As a customer via self-service
  • As a customer using customer service chat/email
  • Survey CSP Security/Privacy Office
• Three Cloud Providers
  • Must be IaaS providers
  • Offer includes self-service
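An added illustration, not part of the original slides, of how the six-dimension by five-characteristic scorecard above can be tracked across the four phases so that cells no phase could assess are reported as information gaps rather than silently scored as zero (the transparency finding that self-service alone answers little). The 0–2 cell scale, the rule that a later phase outranks portal reading, and the sample provider are assumptions made for the example.

```python
from statistics import mean

# Six privacy dimensions and five cloud characteristics named on the slide.
DIMENSIONS = ["Notice", "Access", "Consent", "Permissions",
              "Regulations & Data Flows", "Management & Organization"]
CHARACTERISTICS = ["On-demand & Self-Service", "Broad Network Access",
                   "Resource Pooling", "Rapid Elasticity", "Measured Service"]
# Four phases, in order of increasing engagement with the provider.
PHASES = ["external self-service", "customer self-service",
          "customer service chat/email", "CSP security/privacy office survey"]

class Scorecard:
    def __init__(self, provider):
        self.provider = provider
        self.findings = []  # tuples of (dimension, characteristic, phase, score)

    def add(self, dimension, characteristic, phase, score):
        # Assumed cell scale: 0 = not addressed, 1 = partially, 2 = fully addressed
        if dimension not in DIMENSIONS or characteristic not in CHARACTERISTICS \
                or phase not in PHASES or score not in (0, 1, 2):
            raise ValueError("bad dimension, characteristic, phase or score")
        self.findings.append((dimension, characteristic, phase, score))

    def cell(self, dimension, characteristic):
        """Best finding for one cell, or None when no phase produced evidence."""
        hits = [f for f in self.findings if f[0] == dimension and f[1] == characteristic]
        # Assumption: a later phase (direct contact with the provider) outranks portal reading
        return max(hits, key=lambda f: PHASES.index(f[2])) if hits else None

    def dimension_score(self, dimension):
        """Mean over characteristics with evidence, normalized to 0..1; None if none have any."""
        scored = [f[3] for f in (self.cell(dimension, c) for c in CHARACTERISTICS) if f]
        return mean(scored) / 2 if scored else None

    def information_gaps(self):
        """Cells no phase could assess: reported, not silently scored as zero."""
        return [(d, c) for d in DIMENSIONS for c in CHARACTERISTICS if self.cell(d, c) is None]

    def overall(self):
        """(mean of assessed dimensions, number of unassessed cells)."""
        scores = [s for s in map(self.dimension_score, DIMENSIONS) if s is not None]
        return (round(mean(scores), 3) if scores else None, len(self.information_gaps()))

# Constructed sample: only the Notice row was readable from the portal; one cell confirmed by survey.
card = Scorecard("Provider A (hypothetical)")
for c in CHARACTERISTICS:
    card.add("Notice", c, "external self-service", 1)
card.add("Notice", "Measured Service", "CSP security/privacy office survey", 2)
card.add("Consent", "On-demand & Self-Service", "customer self-service", 0)
print(card.overall())  # (0.3, 24): score over assessed dimensions, 24 cells with no information
```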
RAA
• Theoretical Reference Application Architecture
  • Application, web server, & database
  • Database has regulated data in it
    • Employee, customer, and corporate data
    • Regulated as PII, HIPAA, SOX, & PCI data
• Size of RAA is important
  • Ideally enough data to cross hard-drive boundaries
  • Enough VMs to reside on multiple servers
  • Shared across multiple data-centers
• North American based providers
  • Not studying trans-border issues outside US
  • Scope creep due to expanded regulatory requirements
Topics for Further Research
• Automated measurement and analysis for risk assessment
  • What sensors are needed? What language to use?
    • e.g., CloudAudit defines a dictionary based on common standards
  • Automated adjustment based on the assessment
• Trust assurances for measurements
  • “Who guards the guards?”
• Effectiveness of automated assessment vs. traditional approaches
• Defining what is Privacy Knowledge in the enterprise
• Practical Privacy Assessment & Privacy Scoring methodologies
References
Clarke, R. (2009). Privacy impact assessment: Its origins and development. Computer Law & Security Review, 25, 123-135.
Foster, I., Zhao, Y., Raicu, I., & Lu, S. (2008). Cloud computing and grid computing 360-degree compared. Proceedings of the IEEE Grid Computing Environments Workshop, 1-10.
Kaliski, B. S. Jr., & Pauley, W. (2010). Toward risk assessment as a service in cloud environments. Proceedings of the 2nd USENIX Conference on Hot Topics in Cloud Computing, 13-26.
Pauley, W. (2010). Cloud provider transparency: An empirical evaluation. IEEE Security and Privacy, 18-25.
Smith, H. J. (1994). Managing privacy: Information technology and corporate America. Chapel Hill, NC: University of North Carolina Press.
Smith, H. J., Milberg, S. J., & Burke, S. J. (1996). Information privacy: Measuring individuals’ concerns about organizational practices. MIS Quarterly, 20(2), 167-196.
Tsoumas, B., Dritsas, S., & Gritzalis, D. (2005). An ontology-based approach to information systems security management. In V. Gorodetsky, I. Kotenko, & V. Skormin (Eds.), Lecture Notes in Computer Science (Vol. 3685, pp. 151-164). Berlin, Germany: Springer.
Yee, G. (2009). Estimating the privacy protection capability of a web service provider. International Journal of Web Services Research, 6(2), 20-41.
Contact Information
• Burt Kaliski, Director, EMC Innovation Network; Founding Scientist, RSA Laboratories. burt.kaliski@emc.com, community.emc.com/people/kalisb
• Wayne Pauley, Advisory Technical Consultant. wayne.pauley@emc.com, www.privately-exposed.com