1 Copyright 2010 EMC Corporation. All rights reserved. Privacy, Assessments, and Cloud Wayne Pauley EMC Corporation UMass Lowell November 3, 2010


Privacy, Assessments, and Cloud
Wayne Pauley
EMC Corporation
UMass Lowell
November 3, 2010


The Focus Area

• Cloud Computing
  – Economic Drivers for the Enterprise
  – Top Concerns: Security & Privacy
• Privacy & Security
  – Relatively New Area of Research
  – Challenges Exacerbated
    • Shared Resource Model
    • Highly Automated
    • Self-Service
    • Loss of Control
  – Regulatory vs. Self-Regulated?
  – Lifecycle Needed
    • Starts with Assessment
    • Adds to Privacy Knowledge

Image from: https://www.expresscertifications.com/ISC2/


The Justification

• In the context of the enterprise – Smith (2004) stated that private information relates to information that companies value as intellectual property, information about their customers, and their employees.

• Smith (2004) also stated that the enterprise is driven to improve privacy protections based on an external force such as changes in regulations or a breach.

• Cloud computing is an emerging technology that holds promise to replace traditional client-server architectures by providing new economic incentives for the enterprise (Foster, Zhao, Raicu, and Lu, 2008).

• Yee (2009) defined a requirement that the privacy standard for one provider must be maintained when information flows to, and is stored by, potentially another provider.

• Clarke (2009) suggests that privacy is a strategic variable to the enterprise and that Privacy Impact Assessment (PIA) adoption is an element of cogent management.

• Yee (2009) defined the provider's obligation to build in provisions that give users control over the provider's collection, retention, and distribution of information about the user.


Research in Progress

• Position Paper
  – Risk Assessment as a Service (March, 2010)
  – Co-authored with Dr. Burton Kaliski
• Empirical Studies
  – Cloud Service Provider Transparency (May, 2010)
  – Privacy Risk Assessment Methodologies in the Cloud (Nov./Dec., 2010)

[Figure: Cloud Provider X hosts virtual machines for Tenants 1, 2 and 3 on Servers 1, 2 and 3, with every server running VMs of more than one tenant; Storage Array 1 holds data of all three tenants. Legend: Customer or Tenant.]


Risk Assessment: Definition

• Quantitative and/or qualitative valuation of risk in a specific context against a given threat with a probability of occurrence

• Includes system characterization, threat assessment, vulnerability analysis, impact analysis, and risk determination

• Many well-established standards for assessing security; some for privacy as well


Risk Assessment in the Cloud: Challenges

Cloud Characteristic (per NIST) and Challenge

On-Demand Self-Service
• Human interaction is replaced with automated controls – which now must be “trained” to pass security audits

Broad Network Access
• Endpoints can be any type, location, not just a pre-approved set

Resource Pooling
• Dynamic allocation, virtualization mean that resources are not known in advance
• Multi-tenancy brings threats “in house”
• Location independence introduces significant diversity in applicable laws


Risk Assessment in the Cloud: Challenges

Cloud Characteristic (per NIST) and Challenge

Rapid Elasticity
• Cloud bursting engages multiple levels of sub-providers, who must also be assessed

Measured Service
• Metering information has more detail about multiple tenants – a higher-value target

• Economics of the cloud also complicate assessments:
  – cloud infrastructures will be constantly changing due to market growth, M&A – risk assessments will rapidly become stale
  – cost competition may discourage investment in risk assessments while increasing risk-taking


Proposal: Risk Assessment as a Service

• Approach: an automated “risk score” (e.g. like “credit score”)
  – for a given tenant or application – or for general use
  – pre-assessment and on-demand
• Modes: provider self-assessment, third-party audit, consumer assessment (non-privileged)
  – internal and external agents involved
• Policy-based IT management translates assessment of underlying dynamic resources into overall score
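
As an added illustration of the proposal above (not code from the presentation or from EMC), the sketch below shows one way a policy could turn per-resource assessments into an on-demand tenant score. The 0-100 scale, the 30-day staleness limit, the weakest-link rule and all resource and tenant names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy (not from the slides): an assessment older than MAX_AGE is
# stale, and a stale or missing assessment is scored as the worst case.
MAX_AGE = timedelta(days=30)
WORST = 0

@dataclass
class Assessment:
    resource: str          # constructed names such as "server-1"
    score: int             # assumed scale: 0 (worst) to 100 (best)
    assessed_at: datetime  # when the resource was last assessed
    tenants: frozenset     # tenants currently placed on the resource

def is_stale(a, now):
    return now - a.assessed_at > MAX_AGE

def tenant_risk_score(tenant, assessments, now):
    """Return (score, findings) for one tenant.

    The score is the weakest effective score among the resources the
    tenant is placed on; findings record stale assessments and the
    co-tenants on each shared resource.
    """
    placed = [a for a in assessments if tenant in a.tenants]
    if not placed:
        return WORST, ["no assessed resources for tenant"]
    findings, scores = [], []
    for a in placed:
        if is_stale(a, now):
            findings.append(f"{a.resource}: assessment stale")
            scores.append(WORST)
        else:
            scores.append(a.score)
        others = sorted(a.tenants - {tenant})
        if others:
            findings.append(f"{a.resource}: shared with {', '.join(others)}")
    return min(scores), findings

# Constructed sample placement: two servers and one shared storage array.
NOW = datetime(2010, 11, 3)
SAMPLE = [
    Assessment("server-1", 82, NOW - timedelta(days=5), frozenset({"t1", "t2"})),
    Assessment("server-2", 90, NOW - timedelta(days=45), frozenset({"t2"})),
    Assessment("array-1", 74, NOW - timedelta(days=2), frozenset({"t1", "t2", "t3"})),
]

if __name__ == "__main__":
    for t in ("t1", "t2", "t3"):
        print(t, tenant_risk_score(t, SAMPLE, NOW))
```

Because the score is recomputed from current placement each time it is requested, moving a tenant's VM or letting an assessment age past the limit changes the result without a new manual audit.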


A Possible Architecture


Transparency Challenges

• “Self-Serviceness”
  – Lowest Cost at the Expense of Customer Service
  – Portal tells part of the story

• Manual Methods
  – Time Consuming
  – Much of the data not publicly available
  – No scoring system


Transparency Results

• Self-Service Method

• Basic Scorecard

• Four Areas
  – Security
  – Privacy
  – Audit
  – Service Level

• Findings
  – Manual method time consuming
  – Results varied based on public information & centralization of information
  – Insufficient information via self-service method


Privacy Assessments

Privacy Impact Assessments
  – Questionnaire based pre-assessment
  – ISO/IEC 22307:2008
  – DHS/DOJ PIA Template
  – Shared Assessments

Security Assessments
  • Subset of questionnaire
  • ISO/IEC 27002:2005
  • CMU OCTAVE Allegro

Assessment Name | Authority | Security or Privacy | Pre or Post Assessment
ISO/IEC 27002:2005 | Standard | Security | Post
ISO/IEC 22307:2008 | Standard | Privacy | Pre
OCTAVE Allegro | Standard | Security | Post
DHS/DOJ PIA | Best Practice | Privacy | Pre
Shared Assessments Privacy Assessment | Best Practice | Privacy | Post


Cloud Privacy Assessment

• Six Privacy Dimensions Evaluated
  – Notice, Access and Consent (FIPS)
  – Permissions, Regulations & Data Flows, Management & Organization

• Five Cloud Characteristics Scored
  – On-demand & Self-Service
  – Broad Network Access
  – Resource Pooling
  – Rapid Elasticity
  – Measured Service

• Four Phased Approach
  – External via Self-service
  – As a Customer via Self-service
  – As a Customer using customer service chat/email
  – Survey CSP Security/Privacy Office

• Three Cloud Providers
  – Must be IaaS Providers
  – Offer includes Self-Service


RAA

• Theoretical Reference Application Architecture
  – Application, Web server, & Database
  – Database has regulated data in it
    • Employee, Customer, and Corporate data
    • Regulated as PII, HIPAA, SOX, & PCI data

• Size of RAA is Important
  – Ideally enough data to cross hard-drive boundaries
  – Enough VMs to reside on multiple servers
  – Shared across multiple data-centers

• North American based Providers
  – Not studying trans-border issues outside US
  – Scope creep due to expanded regulatory requirements


Topics for Further Research

• Automated measurement and analysis for risk assessment
  – What sensors are needed? What language to use?
    • e.g., CloudAudit defines a dictionary based on common standards

• Automated adjustment based on the assessment

• Trust assurances for measurements
  – “Who guards the guards?”

• Effectiveness of automated assessment vs. traditional approaches

• Defining what is Privacy Knowledge in the enterprise

• Practical Privacy Assessment & Privacy Scoring methodologies


References

Clarke, R. (2009). Privacy impact assessment: Its origins and development. Computer Law & Security Review, 25, 123-135.

Foster, I., Zhao, Y., Raicu, I. & Lu, S. (2008). Cloud computing and grid computing 360-degree compared. Proceedings of the IEEE Grid Computing Environments, 1-10.

Kaliski, B. S. Jr., Pauley, W. (2010). Toward risk assessment as a service in cloud environments. Proceedings of the 2nd USENIX conference on Hot topics in cloud computing, 13-26.

Pauley, W. (2010). Cloud provider transparency – an empirical evaluation. IEEE Security and Privacy, 18-25.

Smith, H. J. (1994). Managing privacy: Information technology and corporate America. Chapel Hill, NC: University of North Carolina Press.

Smith, H. J., Milberg, S. J., & Burke, S. J. (1996). Information privacy: Measuring individuals’ concerns about organizational practices. MIS Quarterly, 20(2), 167-196.

Tsoumas, B., Dritsas, S., & Gritzalis, D. (2005). An ontology-based approach to information systems security management. In V. Gorodetsky, I. Kotenko, and V. Skormin (Eds.), Lecture Notes in Computer Science, (Vol. 3685, pp. 151-164). Berlin, Germany: Springer.

Yee, G. (2009). Estimating the privacy protection capability of a web service provider. International Journal of Web Services Research, 6(2), 20-41.


Contact Information

• Burt Kaliski
  Director, EMC Innovation Network
  Founding Scientist, RSA [email protected]/people/kalisb

• Wayne Pauley
  Advisory Technical [email protected]

www.privately-exposed.com
