Cloud Computing - Starting Points for Privacy and Transparency - Ina Schiering (PowerPoint presentation)

SLIDE 1

Cloud Computing - Starting Points for Privacy and Transparency

Ina Schiering

Ostfalia University of Applied Science Wolfenbüttel, Germany

IFIP Summerschool: Privacy and Identity Management for Life, Helsingborg, August 2nd, 2010

SLIDE 2

Cloud Services

  • Dynamically utilisable, scalable IT services
  • Use of virtualisation and scalability

SLIDE 3

Interacting Partners

The different interacting partners in a cloud environment are

  • Cloud Users
  • Cloud Providers
  • Resource Owners

SLIDE 4

Cloud User

  • Uses a cloud service
  • A person, a company or an organisation can be a cloud user

SLIDE 5

Cloud Provider

  • Cloud services are offered by cloud providers

SLIDE 6

Resource Owner

  • Resource Owner is an interacting party who owns resources
  • Resources are e.g. virtual instances and storage

SLIDE 7

Service Delivery Model

Cloud services are distinguished by the complexity of the technology stack they deliver. Types of cloud services are:

  • IaaS - Infrastructure as a Service
  • PaaS - Platform as a Service
  • SaaS - Software as a Service

SLIDE 8

IaaS

Infrastructure as a Service

  • Storage (Amazon S3, ScaleUp)
  • Virtual instances (Amazon EC2)

SLIDE 9

PaaS

Platform as a Service

Infrastructure software as (e.g. LAMP-Stack)

  • Web servers, application servers
  • Databases
  • Asynchronous queues

(Microsoft Azure, Amazon Web Services, Google App Engine, Force.com)

SLIDE 10

SaaS

Software as a Service

Software for complex processes, e.g.

  • Email
  • Text Processing
  • CRM (Customer Relationship Management)

(Google Docs, Salesforce.com, Facebook, Picasa)

SLIDE 11

Cloud Deployment Model

Cloud services are distinguished by the relation between cloud provider and cloud user:

  • Private clouds
  • Public clouds
  • Hybrid clouds
  • Community Clouds

SLIDE 12

Private Clouds

  • Cloud user, cloud provider and resource owner are the same instance

SLIDE 13

Public Clouds

  • Cloud services offered by an external supplier
  • All physical resources are out of reach of the cloud user

SLIDE 14

Hybrid Clouds

  • Mixture of private and public cloud

SLIDE 15

Community Clouds

  • Several organisations have similar requirements and share the infrastructure (e.g. model for public sector)

SLIDE 16

Cloud Network

Interacting partners in a cloud can be visualized as a finite, directed graph

SLIDE 17

Privacy in Cloud Services

We concentrate

  • on cloud services for organisations,
  • on technical measures.

What data of organisations?

  • Personal data of employees, customers
  • Confidential (business-related) data
  • Intellectual property

Responsibility rests always with the cloud user.

SLIDE 18

Responsibility for Personal Data

Personal data

  • fairly and lawfully processed
  • processed for limited purpose
  • adequate, relevant, not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with data subjects' rights

  • secure

SLIDE 19

Multilateral Privacy

Allows all parties of an interaction

  • to express their privacy objectives
  • with no party taking precedence over another.

Mechanisms of effective control are needed.

SLIDE 20

Requirements for Data Privacy

Standard requirements for data privacy:

  • Confidentiality
  • Integrity
  • Availability
  • Authenticity
  • Accountability
  • Non-repudiability
  • Restrict the location of data

SLIDE 21

Operational Requirements

  • Identity and Access Management
  • Monitoring, reporting, logging (e.g. based on service level, legal requirements)
  • Backup, archiving of data
  • Deletion of data
  • Interfaces to other systems (e.g. data warehouse)

SLIDE 22

Characteristics of Cloud Services

  • Shared resources
  • Communication over public networks (Internet)

  • Location of resources not transparent
  • Operated by third parties

SLIDE 23

Approach to Requirements

Requirements have to be met by the application or the service, respectively:

  • SaaS: Requirements are actual requirements for the service
  • IaaS, PaaS: Support the realisation of requirements in applications

SLIDE 24

Components of an IT-Service

We start with an example of an IT service realised traditionally:

SLIDE 25

Use Cloud Services

Service delivery models for cloud services:

SLIDE 26

IaaS

Use IaaS cloud services for storage and virtual instances:

SLIDE 27

IaaS

  • Host security instead of network security for access and transfer of data
  • Encryption (possible for transfer, but not feasible for computation, databases)
  • Multi-tenancy
  • Access of cloud provider restricted by processes and documented

  • Restrict locations
  • Standardized API, logging, monitoring, reporting
  • Deletion of Data

SLIDE 28

PaaS

Use PaaS cloud services for data base and application server, web server:

SLIDE 29

PaaS

  • Support requirements for data privacy in applications (e.g. databases)
  • Identity and Access Management (as feature)
  • Encryption (possible for transfer, but not feasible for computation, databases)
  • Multi-tenancy
  • Access of cloud provider restricted by processes and documented

  • Restrict locations
  • Standardized API, logging, monitoring, reporting
  • Deletion of Data

SLIDE 30

SaaS

Use SaaS cloud services for the IT-service

SLIDE 31

SaaS

  • Support requirements for data privacy, operational requirements
  • Identity and Access Management
  • Encryption (possible for transfer, but not feasible for computation)
  • Multi-tenancy
  • Access of cloud provider restricted by processes and documented

  • Restrict locations
  • Standardized API, logging, monitoring, reporting
  • Deletion of Data

SLIDE 32

Realising requirements

Host security instead of network security for access and transfer of data (IaaS, virtual instances)

  • Allowed by cloud provider, realised by cloud user

Encryption

  • For virtual instances (IaaS) realised by cloud user, otherwise by cloud provider

Standardized API, logging, monitoring, reporting

  • Standards need to be developed and established (see e.g. DMTF approach)

“Rest of requirements”

  • Realised by cloud provider

SLIDE 33

Checking Requirements

Responsibility for personal data

  • Cloud user

Realisation of requirements for processing of personal data

  • Cloud provider (often)

To cope with this responsibility, the cloud user needs to assess the requirements regularly

  • Standard assessments and audits

SLIDE 34

Audits and Assessments

Audits and Assessments incorporating privacy requirements

  • EuroPrise
  • PIA (Privacy Impact Assessment, UK)
  • BSI IT-Grundschutz
  • Common Criteria

SLIDE 35

EuroPrise

EuroPrise - European Privacy Seal

  • Certification applicable to IT services or IT products
  • Based on Data Protection Directive and E-Privacy Directive of the European Union
  • Checked by admitted experts from legal and technical perspective, accredited certification authority checks the evaluation report
  • Performed after the close of a project
  • SaaS Cloud services with a fixed environment could be checked (outsourcing)

SLIDE 36

PIA - Privacy Impact Assessment

PIA - Privacy Impact Assessment of the ICO (Information Commissioner's Office) in the UK

  • Assessment applicable to IT services or IT products
  • Evaluate and manage risk of IT projects caused by privacy issues already during initialisation phase of the project
  • Accompanies project during all phases, privacy issues are managed as risks
  • SaaS Cloud services with a fixed environment could be checked (outsourcing)

SLIDE 37

BSI IT-Grundschutz

IT Grundschutz of BSI (Bundesamt für Sicherheit in der Informationstechnik)

  • Framework focussed on IT services
  • Based on ISO 27001, structured in modules, module about privacy
  • Define, analyse and document IT service, analyse threats, model safeguards based on IT-Grundschutz catalogues
  • Can accompany project during all phases
  • SaaS Cloud services with a fixed environment could be checked (outsourcing), should incorporate cloud technology in threat analysis

SLIDE 38

Common Criteria

Common Criteria standard

  • Certification for IT products
  • Target of Evaluation (TOE) is defined, protection profiles from standard catalogue or individually defined, intended Evaluation Assurance Level (EAL), TOE is checked against a selected protection profile with EAL
  • Performed after the close of a project
  • IaaS, PaaS, (SaaS) cloud services to build IT services can be checked concerning privacy requirements, multi-tenancy, encryption, etc.

SLIDE 39

Assessments of Cloud Services

Common audit in the US: SAS 70 Type II audit

  • American Institute of Certified Public Accountants (AICPA)
  • Service organisation defines control objectives and corresponding control activities, audit checks these controls
  • Addresses financial statement audits of cloud users in the US

SLIDE 40

Assessments of Cloud Services

Why do cloud providers use SAS 70 Type II and not EuroPrise, IT-Grundschutz (ISO 27001), PIA etc.?

  • SAS 70 Type II is needed by cloud users in the US, which is the focus of the cloud market
  • SAS 70 Type II is not about services but only about the whole service organisation

SLIDE 41

Assessments of Cloud Services

Open source initiatives (OpenStack, Eucalyptus): Broader range of cloud providers, regionally adapted cloud services and more possibilities for control

Process oriented standards for cloud operations, based on service operations frameworks like ITIL (see DMTF whitepaper), facilitate assessments

Legal requirements will lead to compliant cloud services

SLIDE 42

Conclusion

Cloud computing is not a new technology but a new access concept for IT services

  • No new problems but known problems
  • Impacts are worse because of the dynamics and size of clouds
  • Assessments for privacy can be used for cloud services, but restrict flexibility

Possible next steps: Adapt assessments to dynamically changing cloud networks, but standard cloud APIs that address automated checking of requirements are needed

SLIDE 43

Thank you for your attention

Questions ?