
Data security and privacy in the age of cloud

Edwin Sturrus, KPMG IT Advisory

27 May 2015

HITB Haxpo


INTRODUCTION

Edwin Sturrus MSc CCSK, KPMG IT Advisory, Information Protection Services


CLOUD ENVIRONMENTS

Think about cloud computing as putting your data on someone else's hard disk and accessing it over a public network:

Public cloud: ... together with a lot of other people
Community cloud: ... together with your friends
Private cloud: ... alone
Hybrid: ... a mix of the above

Infrastructure as a Service (IaaS): you have to install the OS and the software on that hard disk yourself
Platform as a Service (PaaS): you only have to install the software
Software as a Service (SaaS): everything is installed for you


CLOUD SERVICE MODELS

Who manages each layer of the stack, per service model ("You" = the consuming organisation, "Provider" = the cloud service provider):

Layer            On-premise IT   IaaS       PaaS       SaaS
Applications     You             You        You        Provider
Data             You             You        You        Provider
Runtime          You             You        Provider   Provider
Middleware       You             You        Provider   Provider
O/S              You             You        Provider   Provider
Virtualization   You             Provider   Provider   Provider
Servers          You             Provider   Provider   Provider
Storage          You             Provider   Provider   Provider
Networking       You             Provider   Provider   Provider

CLOUD SERVICE PROVIDERS

[Figure: ladder from Traditional IT through IaaS and PaaS to SaaS. Each step moves more of the stack (provider's proprietary technology and processes, IT management, IT assets/resources, data) to the provider's side; the customer's span of audit narrows and more has to rest on trust.]

TRUST VS. CONTROL

[Figure: Outsourcing compared with Cloud computing, each shown as a stack of provider's proprietary technology and processes, data, IT assets/resources and IT management. The share of the stack under the provider's rather than the customer's control grows with cloud computing, so control that is given up has to be replaced by trust.]


ONE-SIZE-FITS-ALL


COMPLEX ENVIRONMENT

Different cloud deployment models; 'Shadow IT'


APPLICABLE JURISDICTIONS

[Figure: the consuming organisation contracts with a primary contracted party; that party's backup, archive and additional storage may each sit with a different provider and in a different jurisdiction.]


ASSURANCE ECOSYSTEM

[Figure: supervising institutes/government issue laws and regulations to enterprises and receive statements in return; enterprises set control requirements for providers and receive assurance; providers set control requirements for 3rd party providers and receive assurance from them.]


DIMENSIONS OF CLOUD RISK

Business risks fall into six dimensions:

Financial: underestimated start-up costs; exit costs; contract complexity; run-away variable costs

Security: data segregation, isolation, encryption; information security; identity and access management; intellectual property protection

Vendor: vendor lock-in; service provider reliance; performance failure; vendor governance

Regulatory compliance: complexity to ensure compliance; lack of industry standards and certifications for cloud providers; records management / records retention; regulatory change control, reliant on vendor timeliness; data privacy

Operational: business resiliency / disaster recovery; service reliability and uptime; SLA compliance

Technology: cross-vendor compatibility; proprietary lock-in; customization limitations; inadequate change control; technical security risks


CLOUD RISK BASED APPROACH

1. Determine risk appetite: risk averse, risk neutral or risk taking.
2. Evaluate data: data privacy, high confidentiality, high availability, intellectual property.
3. Select controls: internal controls, cloud solution controls, contracts and SLAs, assurance.
4. Decision.


EXAMPLE: HIGH CONFIDENTIALITY

Internal controls: A company manages access to a cloud service by defining and enforcing access rules, and by continuously monitoring user access to the service.

Cloud solution controls: A company's data is encrypted at rest when stored on any type of media or storage within a cloud service, and the encryption keys are protected against unauthorized access.

Contracts and SLAs: The CSP performs real-time monitoring and anomaly detection of the cloud service activity and notifies the customer on a regular basis (e.g. via dashboards) of the results of the monitoring process.

Assurance: The CSP holds a sufficient number of third-party (security) certifications and assurance reports, such as SOC 1, SOC 2, ISAE 3402, ISO 27001/2, CSA CCM v3.0 compliance, PCI compliance, HIPAA compliance and Safe Harbor certification for onward transfer of data from the European Union (Safe Harbor was invalidated by the Court of Justice of the EU in October 2015, a few months after this talk). The reports are available to the customer.
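One way to implement the "encrypted at rest, keys protected" control above, and at the same time keep control rather than trust on the customer's side of the trust-vs-control trade-off, is envelope encryption with a customer-held key encryption key. The Go program below is an added example, not code from the talk or from KPMG: the StoredObject layout, the binding of the wrapped key to an object ID, and the sample record are assumptions made for illustration.

```go
// Envelope encryption for data at rest: each object is encrypted with its own
// data encryption key (DEK); the DEK is then "wrapped" (encrypted) with a key
// encryption key (KEK) that stays in the customer's HSM or key store. The
// provider holds only ciphertext plus the wrapped DEK, so it cannot read the
// data, and losing the KEK makes every stored object unrecoverable.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what the provider keeps on disk. Illustrative layout only,
// not any provider's real storage format.
type StoredObject struct {
	Ciphertext []byte // AES-256-GCM under the DEK, nonce prepended
	WrappedDEK []byte // AES-256-GCM under the KEK, nonce prepended
}

// gcmSeal encrypts plaintext with AES-GCM under key using a fresh random
// nonce and returns nonce || ciphertext || tag. aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal. It fails if the key or aad is wrong or the data
// has been modified, so a wrong KEK yields an error, never garbage plaintext.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// NewKEK generates a 256-bit key encryption key. In practice it is generated
// inside a customer-controlled HSM/KMS and never exported to the provider.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return kek, err
}

// Encrypt builds a StoredObject: a fresh per-object DEK encrypts the data and
// the KEK wraps the DEK. objectID is bound as associated data on both layers,
// so a wrapped DEK copied onto another object will not unwrap.
func Encrypt(kek []byte, objectID string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object.
func Decrypt(kek []byte, objectID string, obj StoredObject) ([]byte, error) {
	dek, err := gcmOpen(kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek, _ := NewKEK()
	// Constructed sample record, not real customer data.
	obj, _ := Encrypt(kek, "hr/records/2015-05", []byte("record 42: classification HIGH"))
	pt, err := Decrypt(kek, "hr/records/2015-05", obj)
	fmt.Printf("customer with KEK: %q err=%v\n", pt, err)
	otherKEK, _ := NewKEK() // what the provider, or an attacker on its storage, has: no KEK
	_, err = Decrypt(otherKEK, "hr/records/2015-05", obj)
	fmt.Println("provider without KEK:", err)
}
```

The point of the split is who controls what: the provider can back up, replicate and archive the StoredObject across jurisdictions without ever being able to read it, while access to the data is reduced to access to the KEK, which is the thing the access rules, key-store audit logs and assurance reports then need to cover.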


CASE: ASSESSMENTS

Baseline Requirements

Business Impact Assessment

Legal Assessment


CASE: RESULTS

Baseline requirements:

The customer retains ownership of any of its data that is transmitted, stored or processed by its users within the cloud service.

The CSP should indemnify the customer and its users against any claim from a third party that (its use of) the online service infringes a third-party intellectual property right.

High confidentiality:

A confidentiality undertaking must be in place under which the supplier respects the confidentiality of the customer's data hosted in the cloud service.

Privacy sensitive data:

The contract between the customer and the supplier should contain a Data Processing Agreement. This applies to the processing of personal data, including the transfer of personal data across borders, and the visibility and approval of any sub-processors.


CLOUD DECISION MAKING TOOLKIT

Input: answers to the questionnaire
-> Data risk profile
-> Business logic
Output: dynamic set of controls

APPLICATION IN PRACTICE

Q&A

Thank you for your attention

Edwin Sturrus

[email protected]

DRIVEN BY BUSINESS

We work with our clients to move their business forward. Positively managing cyber risk not only helps take control of uncertainty across business; it can be turned into a genuine strategic advantage.

RAZOR SHARP INSIGHTS

In a fast-moving digital world of constantly evolving threats and opportunities, you need both agility and assurance.

Our people are experts in both cyber security and our priority sectors, which means we give our clients leading edge insight, ideas and proven solutions to act with confidence.

SHOULDER TO SHOULDER

We work with our clients as long term partners, giving them advice and challenge to make decisions with confidence. We understand that this area is often clouded by feelings of doubt and vulnerability so we work hand-in-hand with them to turn that into a real sense of security and opportunity.

© 2015 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands.

The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

HELPING CLIENTS SPREAD THEIR WINGS