Privacy Issues in the Cloud

Presentation to the Chief Privacy Officers Council

Constantine Karbaliotis
Data Protection & Privacy Lead

May 4, 2010

Agenda

1. Introduction
2. What is the Cloud?
3. What do Security Professionals See as Risks?
4. What are the Privacy Issues?
5. What is the Real Problem?
6. Conclusion/Q&A

Privacy Issues in the Cloud ‐ Constantine Karbaliotis

What is the Cloud?





What is “the Cloud”?

• “Cloud computing” definitions:
    – Cloud computing is interconnected networks of IT enabled resources (i.e. services) delivered in a dynamically scalable and virtualized method, made available to customers for purchase via variable cost models based on usage.
        • Symantec
    – Just as with a utility, enterprises can pay for information technology services on a consumption basis






Benefits and Risks

Accelerating Trend
  – Growing market to reach $42 billion by 2012 ‐ IDC

Rewards
  – Takes advantage of virtualization
  – Provides on‐demand services for easy scalability
  – Minimizes capital and operating costs expenditures
  – Provides access to expertise not available in‐house
  – Enhances business agility

Risks
  – Current lack of standardization
  – Relatively high switching costs for proprietary solutions
  – Security and Privacy



What do Security Professionals See as Risks?





Top Security Threats to Cloud Computing

• Abuse and Nefarious Use of Cloud Computing
• Insecure Application Programming Interfaces
• Malicious Insiders
• Shared Technology Vulnerabilities
• Data Loss/Leakage
• Account, Service & Traffic Hijacking
• Unknown Risk Profile

Source: Top Threats to Cloud Computing, Version 1.0, Cloud Security Alliance, http://www.cloudsecurityalliance.org/topthreats




Governance Concerns

PERCEIVED RISKS IN CLOUD COMPUTING

• Uncertain ability to enforce security policies at a provider: 23 percent
• Inadequate training and IT auditing: 22 percent
• Questionable privileged access control at provider site: 14 percent
• Uncertain ability to recover data: 12 percent
• Proximity of data to another customer’s: 11 percent
• Uncertain ability to audit provider: 10 percent
• Uncertain continued existence of provider: 4 percent
• Uncertain provider regulatory compliance: 4 percent

Source: Price Waterhouse Cooper/CISO‐CIO Magazine Survey, 2010




What are the Privacy Risks?





Privacy Risks with Cloud Computing

• Certain types of data may trigger specific obligations under national or local law
• Vendor issues:
    – Organizations may be unaware they are even using cloud‐based vendors
    – Due diligence still required as in any vendor relationship
    – Data security is still the responsibility of the customer
    – Service Level agreements need to account for access, correction and privacy rights
• Data Transfer:
    – Cloud models may trigger international legal data transfer requirements

Source: Hunton & Williams, “Outsourcing to the cloud: data security and privacy risks”, March 15, 2010


What is the Real Problem?





Ponemon Study for Symantec: Summary

• Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services
• Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors
• Organizations are adopting cloud technologies without the usual vetting procedures
• Employees are making decisions without their IT departments’ insights or full knowledge of the security risks involved
• Two years from now, most respondents plan to use cloud computing much more intensively than they do today
• Yet even as momentum for cloud computing builds, doubts about security difficulties of cloud computing persist
• Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors.



Ponemon Study finds Fewer than One in Ten Companies Evaluate Vendors or Train Employees on Cloud Security:

   • More than 75 percent of respondents noted that the migration to cloud computing was occurring in a less‐than‐ideal manner, due to a lack of control over end users
   • Only 27 percent of respondents said their organizations have procedures for approving cloud applications that use sensitive or confidential information
   • 68 percent indicated that ownership for evaluating cloud computing vendors resides with end users and business managers
   • Only 20 percent of the organizations surveyed reported that their information security teams are regularly involved in the decision making process and approximately a quarter said they never participated at all
   • 69 percent of the respondents indicated they would prefer to see the information security or corporate IT teams lead the cloud decision making process



Policy and Procedural Gaps

Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010


Ineffective Review






Cloud Computing Vendors Review “Process”

Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010


Organizational steps to ensure data protection

Source: Ponemon Institute study for Symantec: “Flying Blind in the Cloud”, April 7, 2010


Conclusion/Q&A





Managing Privacy in the Cloud

• Policies and procedures must explicitly address cloud privacy risks
• Information governance must be put in place that:
    – Provides tools and procedures for classifying information and assessing risk
    – Establishes policies for cloud‐based processing based upon risk and value of asset.
• Evaluate third parties’ security and privacy capabilities before sharing confidential or sensitive information.
    – Thorough review and audit of vendors
    – Independent third party verification
• Train employees and staff accordingly to mitigate security/privacy risks in cloud computing
    – Address from multi‐departmental perspective


Model for Managing Cloud Risks ‐ Governance

• Strategy:
    – What kinds of data will you as a matter of course not allow to go to the cloud? What kind of cloud is appropriate for certain types of data?
    – Implicit: you have a data classification system that you follow and know the value of your data assets
• Education & training
    – Train users/business units that this requires vendor review just as any other vendor
• Resources & Ownership
    – Academic to have nice policies, contractual language permitting audit rights, if you don’t have staff to do it
    – Everyone wants Information Security or IT to own this – equip them



Model for Managing Cloud Risks – Formal Risk Management

• Privacy Risk/Impact Assessment
    – Document ownership of risks, mitigations
• Data Flow Diagram
    – Identify types of PII in flow, as well as what systems, entities and jurisdictions that data flows through
• Security Assessments & Measures
    – Appropriate measures to ensure adequate application security, development processes and penetration/vulnerability testing
    – Require regular testing as well as at outset of relationship
    – Consider strategies based on encryption, data obfuscation







Model for Managing Cloud Risks – Contract & Audit

• Legal Models
    – Develop appropriate contractual terms to ensure protection of the types of data you want to process:
        • Records retention & lawful access
        • Access
        • Data sharing risks/commingling
        • Jurisdictional risks
        • Flow‐down of requirements for security, audit, evidence of compliance for sub‐contractors
    – Revisit/revise customer privacy notices, agreements: do they reflect what you are doing with the data?
• Monitoring
    – Ensure that there are mechanisms, technical and organizational, to assess and audit cloud vendor’s use of data
• Audit and Third Party Certification
    – Ensure you have the ability to audit – and do it
    – Third party certifications as a minimum



Thank you!

Constantine Karbaliotis, J.D., CIPP/C/IT
constantine_karbaliotis@symantec.com
416.402.9873

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.




