kpmg haxpo data security and privacy in the age …haxpo.nl/materials/haxpo2015ams/d2 - edwin...
TRANSCRIPT
CLOUD ENVIRONMENTS
Think of Cloud computing as putting your data on someone else's hard disk and accessing it over a public network:
Public Cloud: ... together with a lot of other people
Community Cloud: ... with your friends
Private Cloud: ... alone
Hybrid: ... a mix of the above
Infrastructure as a Service (IaaS): you install the OS and the software on that hard disk yourself
Platform as a Service (PaaS): you install only the software
Software as a Service (SaaS): everything is installed for you
CLOUD SERVICE MODELS
Who manages each layer of the stack, per service model (you versus the provider):

Layer            On-premise IT   IaaS        PaaS        SaaS
Applications     You             You         You         Provider
Data             You             You         You         Provider
Runtime          You             You         Provider    Provider
Middleware       You             You         Provider    Provider
O/S              You             You         Provider    Provider
Virtualization   You             Provider    Provider    Provider
Servers          You             Provider    Provider    Provider
Storage          You             Provider    Provider    Provider
Networking       You             Provider    Provider    Provider
TRUST VS. CONTROL
Figure: the same stack (Data, IT management, IT assets/resources, Provider's proprietary technology and processes) is drawn for Traditional IT, Outsourcing and Cloud computing, with the span of audit and the degree of trust marked for each. Moving from traditional IT through outsourcing to cloud computing, more of the stack sits inside the provider's proprietary technology and processes, so the customer's own span of audit shrinks and what lies outside it has to be covered by trust.
APPLICABLE JURISDICTIONS
Figure: the consuming organisation contracts with a primary contracted party, whose service in turn relies on backup, archive and additional storage locations; each of these can fall under a different jurisdiction.
ASSURANCE ECOSYSTEM
Figure: supervising institutes/government issue laws and regulations to enterprises, and statements flow between the two; enterprises pass control requirements to providers and receive assurance in return; providers pass control requirements on to their 3rd party providers and receive assurance from them.
DIMENSIONS OF CLOUD RISK
Business risks fall into six dimensions:
Financial: underestimated start-up costs; exit costs; contract complexity; run-away variable costs
Security: data segregation, isolation and encryption; information security; identity and access management; intellectual property protection
Vendor: vendor lock-in; service provider reliance; performance failure; vendor governance
Regulatory compliance: complexity of ensuring compliance; lack of industry standards and certifications for cloud providers; records management and records retention; regulatory change control, reliant on vendor timeliness; data privacy
Operational: business resiliency and disaster recovery; service reliability and uptime; SLA compliance
Technology: cross-vendor compatibility; proprietary lock-in; customization limitations; inadequate change control; technical security risks
CLOUD RISK BASED APPROACH
Figure: Determine risk appetite -> Evaluate data -> Select controls -> Decision
Determine risk appetite: risk averse, risk neutral or risk taking
Evaluate data: data privacy, high confidentiality, high availability, intellectual property
Select controls: internal controls, cloud solution controls, contracts and SLAs, assurance
EXAMPLE: HIGH CONFIDENTIALITY
Internal controls: the company manages access to the Cloud service by defining and enforcing access rules and by continuously monitoring user access to the service.
Cloud solution controls: the company's data is encrypted at rest when stored on any type of media or storage within the Cloud service, and the encryption keys are protected against unauthorized access.
Contracts and SLAs: the CSP performs real-time monitoring and anomaly detection of Cloud service activity and reports the results to the customer on a regular basis (e.g. via dashboards).
Assurance: the CSP holds a sufficient number of third-party (security) certifications and assurance reports, such as SOC 1, SOC 2, ISAE 3402, ISO 27001/27002, CSA CCM v3.0 compliance, PCI compliance, HIPAA compliance and Safe Harbor certification for onward transfer of data from the European Union, and the reports are available to the customer.
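The "encrypted at rest, keys protected against unauthorized access" control above, as an added example that is not code from the KPMG deck: envelope encryption in Go (standard library crypto/aes and crypto/cipher only). The customer keeps a key encryption key (KEK); the provider stores only AES-GCM ciphertext plus a data key wrapped under that KEK, so its disks and backups are useless without the customer's key. The KEK, object name and payload are made up for the demo.

```go
// Added example, not code from the KPMG deck: envelope encryption of an
// object before it is handed to a cloud provider. The provider stores only
// AES-GCM ciphertext and a data key wrapped under a customer-held key
// encryption key (KEK); the KEK, object name and payload below are made up.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the provider gets to keep.
type StoredObject struct {
	ObjectID   string // also bound into both GCM tags as associated data
	WrappedDEK []byte // nonce || AES-GCM(KEK, data key)
	Nonce      []byte // nonce for the payload
	Ciphertext []byte // AES-GCM(data key, payload), tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err
	}
	return b, nil
}

// Seal generates a fresh 256-bit data key per object, encrypts the payload
// under it, wraps the data key under kek and forgets the plaintext data key.
// A fresh key per object makes a random 96-bit nonce safe for the payload;
// the KEK sees one random nonce per wrap, fine for far fewer than 2^32 objects.
func Seal(kek []byte, objectID string, plaintext []byte) (*StoredObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes")
	}
	ad := []byte(objectID)
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	ct := dataAEAD.Seal(nil, nonce, plaintext, ad)

	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped := append(wrapNonce, kekAEAD.Seal(nil, wrapNonce, dek, ad)...)
	return &StoredObject{ObjectID: objectID, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the data key with kek and decrypts the payload. A wrong KEK,
// a modified ciphertext or an object filed under another name all fail the
// GCM tag check instead of yielding garbage.
func Open(kek []byte, obj *StoredObject) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ad := []byte(obj.ObjectID)
	ns := kekAEAD.NonceSize()
	if len(obj.WrappedDEK) < ns {
		return nil, errors.New("wrapped data key too short")
	}
	dek, err := kekAEAD.Open(nil, obj.WrappedDEK[:ns], obj.WrappedDEK[ns:], ad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Open(nil, obj.Nonce, obj.Ciphertext, ad)
}

func main() {
	kek, _ := randomBytes(32) // in practice held in the customer's own HSM/KMS, never sent to the provider
	obj, err := Seal(kek, "hr-records/2015-05.csv", []byte("id,name\n1,Alice\n"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(kek, obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d ciphertext bytes; customer recovers %q\n", len(obj.Ciphertext), pt)
	otherKek, _ := randomBytes(32)
	if _, err := Open(otherKek, obj); err != nil {
		fmt.Println("decrypt with the wrong KEK:", err)
	}
}
```

Binding the object name into the associated data is what stops a provider-side operator from swapping two customers' blobs or restoring an old backup under a new name: the tag check fails rather than returning the wrong plaintext.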
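The access-rule enforcement and monitoring controls above (the company's internal control on access rules and continuous monitoring, and the CSP's anomaly detection), as an added example that is not code from the KPMG deck: a small Go evaluator that runs a role-based access policy and two anomaly checks over an access log. The roles, rules, per-user country baseline and the log lines are all constructed for the demo.

```go
// Added example, not code from the KPMG deck: enforcing access rules and
// detecting anomalies over an access log from a cloud service. The roles,
// rules, country baseline and log lines are constructed for the demo.
package main

import (
	"fmt"
	"strings"
	"time"
)

type AccessEvent struct {
	Time     time.Time
	User     string
	Country  string // source country as resolved by the service
	Resource string
	Action   string
}

type Finding struct {
	Event  AccessEvent
	Kind   string // "policy-violation" (rule enforcement) or "anomaly" (monitoring)
	Detail string
}

type Policy struct {
	Roles          map[string]string   // user -> role
	Allowed        map[string][]string // resource -> roles permitted to access it
	KnownCountries map[string][]string // user -> countries seen during the baseline period
	HoursUTC       [2]int              // [start, end) of normal working hours, UTC
}

// ParseEvents reads lines of "RFC3339 time,user,country,resource,action".
func ParseEvents(log string) ([]AccessEvent, error) {
	var events []AccessEvent
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, AccessEvent{Time: ts, User: f[1], Country: f[2], Resource: f[3], Action: f[4]})
	}
	return events, nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Evaluate applies the access rules first: an unknown user, or a role that is
// not permitted on the resource, is a policy violation and the event is not
// examined further. Permitted access is then checked for anomalies: a source
// country outside the user's baseline, or activity outside working hours.
func Evaluate(p Policy, events []AccessEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		role, known := p.Roles[ev.User]
		if !known {
			out = append(out, Finding{ev, "policy-violation", "unknown user"})
			continue
		}
		if !contains(p.Allowed[ev.Resource], role) {
			out = append(out, Finding{ev, "policy-violation", fmt.Sprintf("role %q is not permitted on %q", role, ev.Resource)})
			continue
		}
		if !contains(p.KnownCountries[ev.User], ev.Country) {
			out = append(out, Finding{ev, "anomaly", "source country outside baseline: " + ev.Country})
		}
		if h := ev.Time.UTC().Hour(); h < p.HoursUTC[0] || h >= p.HoursUTC[1] {
			out = append(out, Finding{ev, "anomaly", fmt.Sprintf("access at %02d:%02d UTC, outside working hours", h, ev.Time.UTC().Minute())})
		}
	}
	return out
}

// DemoPolicy and DemoLog are constructed sample data, not real users or logs.
var DemoPolicy = Policy{
	Roles:          map[string]string{"alice": "hr", "bob": "developer", "carol": "developer"},
	Allowed:        map[string][]string{"hr-records": {"hr"}, "build-artifacts": {"developer", "hr"}},
	KnownCountries: map[string][]string{"alice": {"NL"}, "bob": {"NL", "DE"}, "carol": {"NL"}},
	HoursUTC:       [2]int{7, 19},
}

const DemoLog = `
2015-05-28T09:12:03Z,alice,NL,hr-records,read
2015-05-28T09:40:11Z,bob,NL,hr-records,read
2015-05-28T22:15:42Z,alice,NL,hr-records,read
2015-05-29T10:05:00Z,alice,BR,hr-records,read
2015-05-29T11:00:00Z,carol,NL,build-artifacts,read
`

func main() {
	events, err := ParseEvents(DemoLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Evaluate(DemoPolicy, events) {
		fmt.Printf("%s %-16s %-6s %s\n", f.Event.Time.Format(time.RFC3339), f.Kind, f.Event.User, f.Detail)
	}
}
```

On the constructed log this yields three findings: bob's read of hr-records is a rule violation, alice's 22:15 read is outside working hours, and alice's read from BR falls outside her baseline. The split between "policy-violation" and "anomaly" matters in practice: the first is something the customer's own rules should have blocked, the second is something the service should surface on a dashboard for review.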
CASE: RESULTS
Baseline requirements:
The customer retains ownership of any of its data that is transmitted, stored or processed by its users within the cloud service.
The CSP should indemnify the customer and its users against any claim from a third party that (its use of) the Online Service infringes a third-party intellectual property right.
High confidentiality:
A confidentiality undertaking must be in place by the supplier to respect the confidentiality of the customer's data hosted in the cloud service.
Privacy sensitive data:
The contract between the customer and the CSP should contain a Data Processing Agreement. This applies to the processing of personal data, including the transfer of personal data across borders, and the visibility and approval of any sub-processors.
CLOUD DECISION MAKING TOOLKIT
Input: answers to the questionnaire
Business logic: data risk profile
Output: dynamic set of controls
APPLICATION IN PRACTICE
DRIVEN BY BUSINESS
We work with our clients to move their business forward. Positively managing cyber risk not only helps take control of uncertainty across business; it can be turned into a genuine strategic advantage.
RAZOR SHARP INSIGHTS
In a fast-moving digital world of constantly evolving threats and opportunities, you need both agility and assurance.
Our people are experts in both cyber security and our priority sectors, which means we give our clients leading edge insight, ideas and proven solutions to act with confidence.
SHOULDER TO SHOULDER
We work with our clients as long term partners, giving them advice and challenge to make decisions with confidence. We understand that this area is often clouded by feelings of doubt and vulnerability so we work hand-in-hand with them to turn that into a real sense of security and opportunity.
© 2015 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands.
The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.
HELPING CLIENTS SPREAD THEIR WINGS