Unit V

This document discusses security at the host level in cloud computing infrastructure. It covers threats related to virtualization, challenges of managing vulnerabilities in dynamic cloud environments, and responsibilities for securing hosts in different cloud service models (IaaS, PaaS, SaaS). Recommendations are provided for securing virtual servers and images in IaaS clouds through hardening configurations, access controls, patching, logging, and monitoring.

Infrastructure Security: The Host Level

• When reviewing host security and assessing risks, consider the context of the cloud services delivery models (SaaS, PaaS, and IaaS) and deployment models (public, private, and hybrid).
• There are no known new threats to hosts that are specific to cloud computing.
• However, some virtualization security threats, such as VM escape and system configuration drift, do occur.
• These threats, together with weak access control to the hypervisor, carry into the public cloud computing environment.
• The dynamic nature (elasticity) of cloud computing can bring new operational challenges from a security management perspective.
• Managing vulnerabilities and patches is therefore much harder, as the rate of change is much higher than in a traditional data center.
• Clouds also hold the power of thousands of compute nodes, combined with the homogeneity of the operating system.
• This means that threats can be amplified quickly and easily, called the "velocity of attack" factor in the
SaaS and PaaS Host Security

• CSPs do not publicly share information related to their host platforms, host operating systems, and the processes that are in place for securing the hosts.
• Hackers could exploit that information when trying to intrude into the cloud service.
• Hence, in the context of SaaS (e.g., Salesforce.com, Workday.com) or PaaS (e.g., Google App Engine, Force.com) cloud services, host security is opaque to customers, and securing the hosts is left to the CSP.
Importance of Virtualization in Host-Level Infrastructure Security

• Virtualization is a key enabling technology that improves host hardware utilization.
• It is common for CSPs to employ virtualization platforms, including Xen and VMware hypervisors, in their host computing platform architecture.
• How is the CSP using virtualization technology, and what is the provider's process for securing the virtualization layer?
• Both the PaaS and SaaS platforms abstract and hide the host operating system from end users with a host abstraction layer.
• One key difference between PaaS and SaaS is the accessibility of the abstraction layer that hides the operating system services that applications consume.
• In the case of SaaS, the abstraction layer is not visible to users and is available only to the developers and the CSP's administrators.
• PaaS users, by contrast, are given indirect access to the host abstraction layer in the form of a PaaS application programming interface (API).
• Hence, in SaaS and PaaS services the responsibility for protecting hosts from host-based security threats is transferred to the CSP.
• Unlike PaaS and SaaS, IaaS customers are primarily responsible for securing the hosts provisioned in the cloud.
• Almost all IaaS services available today employ virtualization at the host layer.
• Host security in IaaS should be categorized as follows:

i. Virtualization software security
• The software layer that sits on top of bare metal and provides customers the ability to create and destroy virtual instances.
• Virtualization at the host level can be accomplished using any of the virtualization models, including OS-level virtualization, paravirtualization (a combination of the hardware version and versions of Xen and VMware), or hardware-based virtualization (Xen, VMware, Microsoft Hyper-V).
• It is important to secure this layer of software that sits between the hardware and the virtual servers.
• In a public IaaS service, customers do not have access to this software layer; it is managed by the CSP only.

ii. Threats to the hypervisor
• The integrity and availability of the hypervisor are of utmost importance.
• They are key to guaranteeing the integrity and availability of a public cloud built on a virtualized environment.
• A vulnerable hypervisor could expose all user domains to malicious insiders.
• Further, hypervisors are potentially susceptible to subversion attacks.

iii. Virtual server security
• The virtual instance of an operating system that is provisioned on top of the virtualization layer and is visible to customers from the Internet; e.g., various flavors of Linux, Microsoft, and Solaris.
• Customers of IaaS have full access to the virtualized guest VMs, which are hosted and isolated from each other by hypervisor technology.
• A public IaaS, such as Amazon's Elastic Compute Cloud (EC2), offers a web services API to perform management functions such as provisioning, decommissioning, and replication of virtual servers.
• These system management functions, when managed appropriately, can provide elasticity for resources to grow or shrink in line with workload demand.
• From an attack surface perspective, the virtual server (Windows, Solaris, or Linux) may be accessible to anyone on the Internet.
• Sufficient network access mitigation steps should therefore be taken to restrict access to virtual instances.
• Typically, the CSP blocks all port access to virtual servers and recommends that customers use port 22 (Secure Shell or SSH) to administer virtual server instances.
• Some of the new host security threats in the public IaaS include:
1. Stealing keys used to access and manage hosts (e.g., SSH private keys)
2. Attacking unpatched, vulnerable services listening on standard ports (e.g., FTP, NetBIOS, SSH)
3. Hijacking accounts that are not properly secured (i.e., weak or no passwords for standard accounts)
4. Attacking systems that are not properly secured by host firewalls
5. Deploying Trojans embedded in the software component
Securing Virtual Servers

• Securing the virtual server in the cloud requires strong operational security procedures coupled with automation of those procedures.
• Here are some recommendations:
1. Use a secure-by-default configuration. Harden the image and use a standard hardened image for instantiating VMs (the guest OS) in a public cloud.
2. Track the inventory of VM images and OS versions that are prepared for cloud hosting.
3. Protect the integrity of the hardened image from unauthorized access.
4. Safeguard the private keys required to access hosts in the public cloud.
5. Include no authentication credentials in the virtualized images except for a key to decrypt the file system key.
6. Do not allow password-based authentication for shell access.
7. Require passwords for sudo or role-based access (e.g., Solaris, SELinux).
8. Run a host firewall and open only the minimum ports necessary to support the services on an instance.
9. Run only the required services and turn off the unused services (e.g., turn off FTP, print services, network file services, and database services if they are not required).
10. Install a host-based IDS such as OSSEC or Samhain.
11. Enable system auditing and event logging, and log the security events to a dedicated log server.
12. If a compromise is suspected, shut down the instance, snapshot the block volumes, and back up the root file system.
13. Institute a process for patching the images in the cloud, both offline and instantiated images.
14. Periodically review logs for suspicious activities.
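Recommendations 6 to 9 can be checked mechanically on a running instance. The following Python script is an added example written for this page (it is not from the slides or from any named tool): it parses an sshd_config the way sshd does (the first occurrence of a keyword wins), compares the result with the policy implied by recommendations 6 and 7, and flags sockets listening on non-loopback addresses outside an allowlist (recommendations 8 and 9). The sshd_config text, the listener list, the allowlist and the policy table are all constructed for the example.

```python
# Constructed sample of an sshd_config as it might be found on an IaaS guest
# image. It is sample input written for this example, not a real host's file.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed local address:port column, in the style of `ss -tln` output.
SAMPLE_LISTENERS = [
    "0.0.0.0:22",
    "0.0.0.0:21",
    "127.0.0.1:3306",
    "0.0.0.0:443",
]

# Ports this instance is expected to expose (recommendation 8). Assumed here.
ALLOWED_EXTERNAL_PORTS = {22, 443}

# Required sshd settings derived from recommendations 6 and 7: no password
# shell logins, key-based access only, no direct root login.
REQUIRED_SSHD = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the effective sshd settings.

    sshd honours the *first* occurrence of each keyword, so later duplicates
    are ignored here too. Comments and blank lines are skipped.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def check_sshd(settings):
    """Return findings for sshd settings that violate the policy table."""
    findings = []
    for key, wanted in REQUIRED_SSHD.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"sshd: {key} not set explicitly (want {wanted})")
        elif actual.lower() != wanted:
            findings.append(f"sshd: {key} is {actual}, want {wanted}")
    return findings


def check_listeners(listeners, allowed_ports):
    """Flag services reachable from outside whose port is not allowlisted.

    Loopback-only listeners are not externally reachable and are skipped;
    recommendation 9 (turn off unused services) still applies to them.
    """
    findings = []
    for entry in listeners:
        addr, _, port = entry.rpartition(":")
        port = int(port)
        if addr.startswith("127.") or addr == "::1":
            continue
        if port not in allowed_ports:
            findings.append(f"listener: {entry} exposed but port {port} not in allowlist")
    return findings


def audit(sshd_text, listeners, allowed_ports):
    """Run both checks and return the combined list of findings."""
    return check_sshd(parse_sshd_config(sshd_text)) + check_listeners(listeners, allowed_ports)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_LISTENERS, ALLOWED_EXTERNAL_PORTS):
        print(finding)
```

On the sample input the audit reports two findings: password authentication is still enabled, and an FTP listener (port 21) is exposed on all interfaces. Feeding it the real `/etc/ssh/sshd_config` and the parsed output of the host's socket listing turns it into a simple image-hardening gate.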

Table 3-2 lists security controls at the host level.

Threat outlook: High
Preventive controls: Host firewall, access control, patching, hardening of system, strong authentication
Detective controls: Security event logs, host-based IDS/IPS
Infrastructure Security: The Application Level

• Application or software security should be a critical element of a security program.
• The application security spectrum ranges from standalone single-user applications to sophisticated multiuser e-commerce applications used by millions of users.
• Web applications such as content management systems (CMSs), wikis, portals, bulletin boards, and discussion forums are used by small and large organizations.
• A large number of organizations also develop and maintain custom-built web applications for their businesses using various web frameworks (PHP, .NET, J2EE, Ruby on Rails, Python, etc.).
• Web applications in the cloud are accessed by users with standard Internet browsers, such as Firefox, Internet Explorer, or Safari, from any computer connected to the Internet.
• Since the browser has emerged as the end user client for accessing in-cloud applications, it is important for application security programs to include browser security.
Application-Level Security Threats

• The existing threats exploit well-known application vulnerabilities including cross-site scripting (XSS), SQL injection, malicious file execution, and other vulnerabilities resulting from programming errors and design flaws.
• Hackers are constantly scanning web applications for application vulnerabilities.
• Hackers then exploit the vulnerabilities for various illegal activities, including financial fraud, intellectual property theft, converting trusted websites into malicious servers serving client-side exploits, and phishing scams.
• Hence all web frameworks and all types of web applications are at risk of web application security defects.
• It has been a common practice to use a combination of perimeter security controls and network- and host-based access controls to protect web applications deployed in a tightly controlled environment, including corporate intranets and private clouds.
• Web applications built and deployed on a public cloud platform will be subjected to a high threat level, attacked, and potentially exploited by hackers to support fraudulent and illegal activities.
• Web applications deployed in a public cloud must be designed for an Internet threat model, and security must be embedded into the Software Development Life Cycle (SDLC) as shown below:
DoS and DDoS

• Additionally, we should be aware of application-level DoS and DDoS attacks that can potentially disrupt cloud services for an extended time.
• These attacks typically originate from compromised computer systems attached to the Internet.
• For example, a DDoS attack on Twitter on August 6, 2009, brought the service down for several hours.

FIGURE 3-3. DDoS attack on Twitter
• Apart from disrupting cloud services, resulting in poor user experience and service-level impacts, DoS attacks can quickly drain your company's cloud services budget.
• DoS attacks on pay-as-you-go cloud applications will result in a dramatic increase in the cloud utility bill, because of the increased network bandwidth, CPU, and storage consumption.
• This type of attack is also being characterized as economic denial of sustainability (EDoS).
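EDoS is visible in two places a customer already has: the access log and the bill. The following Python is an added example (not from the slides) that parses Common Log Format lines, counts requests and bytes per source per minute, flags sources above a rate threshold, and extrapolates the observed minute to an hourly cost at pay-as-you-go prices so the share attributable to the flagged sources is explicit. The log lines, addresses, threshold and unit prices are constructed or assumed for the example.

```python
import re
from collections import defaultdict

# Common Log Format: source ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Assumed pay-as-you-go prices for this example (not figures from the page).
PRICE_PER_GB = 0.09
PRICE_PER_10K_REQUESTS = 0.01


def make_sample_log():
    """Constructed log: two ordinary clients and one source flooding one minute.

    Addresses come from documentation ranges; the date echoes the Twitter example.
    """
    lines = []
    for src, count in (("198.51.100.2", 3), ("198.51.100.9", 4)):
        for i in range(count):
            lines.append(f'{src} - - [06/Aug/2009:10:00:{i:02d} +0000] '
                         f'"GET /timeline HTTP/1.1" 200 5120')
    for i in range(120):
        lines.append(f'203.0.113.7 - - [06/Aug/2009:10:00:{i % 60:02d} +0000] '
                     f'"GET /search?q=x HTTP/1.1" 200 40960')
    return lines


def parse(line):
    """Return (source, minute bucket, bytes) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")                 # 06/Aug/2009:10:00:01 +0000
    minute = ts[:ts.rfind(":")]        # drop the seconds: 06/Aug/2009:10:00
    return m.group("src"), minute, int(m.group("bytes"))


def summarize(lines):
    """Per (source, minute): request count and bytes served."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, minute, nbytes = rec
        stats[(src, minute)]["requests"] += 1
        stats[(src, minute)]["bytes"] += nbytes
    return stats


def flag_sources(stats, max_requests_per_minute):
    """Sources whose request count in any minute exceeds the threshold."""
    return sorted({src for (src, _), s in stats.items()
                   if s["requests"] > max_requests_per_minute})


def projected_hourly_cost(stats, exclude=()):
    """Extrapolate the observed minute to an hour at the assumed prices.

    `exclude` prices the traffic with the given sources removed, which shows
    how much of the bill the flood alone accounts for.
    """
    requests = sum(s["requests"] for (src, _), s in stats.items() if src not in exclude)
    nbytes = sum(s["bytes"] for (src, _), s in stats.items() if src not in exclude)
    per_minute = nbytes / 1e9 * PRICE_PER_GB + requests / 10_000 * PRICE_PER_10K_REQUESTS
    return 60 * per_minute


if __name__ == "__main__":
    stats = summarize(make_sample_log())
    flooders = flag_sources(stats, max_requests_per_minute=60)
    print("flagged sources:", flooders)
    print(f"projected hourly cost, all traffic:   {projected_hourly_cost(stats):.4f}")
    print(f"projected hourly cost, flood removed: {projected_hourly_cost(stats, exclude=flooders):.4f}")
```

The same per-source, per-minute summary is what a budget alarm or a rate limit in front of the application would key on; the cost projection is deliberately simple (one minute scaled to an hour) so that the comparison between the two figures, not the absolute value, is what the reader takes away.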
End User Security

• As a customer of a cloud service, you are responsible for end user security tasks, that is, the security procedures that protect your Internet-connected PC.
• Protection measures include the use of security software, such as anti-malware, antivirus, personal firewalls, security patches, and IPS-type software on your Internet-connected computer.
• All Internet browsers routinely suffer from software vulnerabilities that make them vulnerable to end user security attacks.
• To achieve end-to-end security in a cloud, it is essential for customers to maintain good browser hygiene, which means keeping the browser (e.g., Internet Explorer, Firefox, Safari, etc.) patched and updated to mitigate threats related to browser vulnerabilities.

Who Is Responsible for Web Application Security in the Cloud?

• Depending on the cloud services delivery model (SPI) and service-level agreement (SLA), the scope of security responsibilities will fall on the shoulders of both the customer and the cloud provider.
Table 3-3 lists security controls at the application level.

Threat outlook: Medium
Preventive controls: Identity management, access control assessment, browser hardened with latest patches, multifactor authentication via delegated authentication, endpoint security measures including antivirus and IPS
Detective controls: Login history and available reports from SaaS vendors
Data Security and Storage

• In today's world of network-, host-, and application-level infrastructure security, data security becomes more important when using cloud computing at all "levels": infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS).
• There are several aspects of data security, including:
  - Data-in-transit
  - Data-at-rest
  - Processing of data, including multi-tenancy
  - Data lineage (ancestry)
  - Data provenance (origin)
  - Data remanence
Aspects of Data Security

• With regard to data-in-transit, the primary risk is in not using a vetted encryption algorithm.
• It is also important to ensure that a protocol provides confidentiality as well as integrity (e.g., FTP over SSL [FTPS], Hypertext Transfer Protocol Secure [HTTPS], and Secure Copy Program [SCP]).
• Using a highly secure protocol for transferring data across the Internet mitigates the risk of data loss.
• Data-at-rest used by a cloud-based application is generally not encrypted, because encryption would prevent indexing or searching of that data.
• Although an organization's data-in-transit might be encrypted during transfer to and from a cloud provider, and its data-at-rest might be encrypted if it is using simple storage (i.e., if it is not associated with a specific application), it is useful, whether or not the data the organization has put into the cloud is encrypted, and might be required (for audit or compliance purposes), to know exactly where and when the data was specifically located within the cloud.
• For example, the data might have been transferred to a cloud provider, such as Amazon Web Services (AWS), on date x1 at time y1 and stored in a bucket on Amazon's S3.
• It was then processed on date x2 at time y2 on an instance being used by the organization on Amazon's Elastic Compute Cloud (EC2), then stored in another bucket on Amazon's S3 before being brought back into the organization for storage in an internal data warehouse by the operations group on date x3 at time y3.
• Following the path of data (mapping application data flows or data path visualization) is known as data lineage, and it is important for an auditor's assurance.
• Even if data lineage can be established in a public cloud, there is an even more challenging requirement and problem: proving data provenance.
• It is not just a matter of proving the integrity of the data, but the more specific provenance of the data.
• Integrity of data refers to data that has not been changed in an unauthorized manner or by an unauthorized person.
• Provenance means not only that the data has integrity, but also that it is computationally accurate;
• For example, consider the following financial equation:
  SUM((((2*3)*4)/6)−2) = $2.00
• If the answer were different, there would be an integrity problem.
• The assumption is that the $2.00 is in U.S. dollars, but the assumption could be incorrect if a different dollar is used.
• In this example, if the result is correct but the dollar assumption is wrong, the equation has integrity but not provenance, because of the different dollar.
• There are many real-world examples in which data integrity is insufficient and data provenance is also required.
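The lineage path (x1/y1 to x3/y3) and the integrity-versus-provenance distinction above can both be made concrete in code. The following Python is an added example, not from the slides: a hash-chained, append-only ledger records each location the data object passed through, with its timestamp and content hash, so an auditor can verify the path has not been altered after the fact; a second function evaluates the slides' SUM equation and separates the integrity check (recompute the figure) from the provenance check (the stated currency must match the consumer's assumption). The timestamps are the slides' x1/y1 placeholders, and the locations, instance id and payload are constructed.

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class LineageLedger:
    """Append-only record of where a data object was, when, and what it hashed to.

    Every entry commits to the previous entry's hash, so altering or dropping
    an earlier entry invalidates everything recorded after it.
    """

    def __init__(self):
        self.entries = []

    def record(self, location, action, data, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "location": location,
            "action": action,
            "data_sha256": sha256_hex(data),
            "when": when,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=sha256_hex(json.dumps(body, sort_keys=True).encode()))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """True if every entry hashes correctly and links to its predecessor."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def path(self):
        """The lineage as (when, location, action) triples, for an auditor's report."""
        return [(e["when"], e["location"], e["action"]) for e in self.entries]


def page_equation(a, b, c, d, e):
    """SUM((((a*b)*c)/d) - e) from the slides; (2, 3, 4, 6, 2) gives 2.00."""
    return (((a * b) * c) / d) - e


def provenance_check(record, compute, expected_currency):
    """Integrity: the stored amount must equal what its inputs compute to.

    Provenance: the computation must also have been done in the unit the
    consumer assumes. A correct number in the wrong currency has integrity
    but not provenance. Returns (integrity_ok, provenance_ok).
    """
    integrity = abs(compute(*record["inputs"]) - record["amount"]) < 1e-9
    provenance = integrity and record["currency"] == expected_currency
    return integrity, provenance


def build_sample_ledger():
    """The slides' x1/y1 .. x3/y3 path, with constructed locations and payload."""
    payload = b"customer-export-v1"                 # constructed data object
    processed = payload + b"-processed"
    ledger = LineageLedger()
    ledger.record("s3://bucket-a/export.csv", "transfer-in", payload, "x1 y1")
    ledger.record("ec2 instance i-PLACEHOLDER", "processed", processed, "x2 y2")
    ledger.record("s3://bucket-b/export.csv", "stored", processed, "x2 y2")
    ledger.record("internal data warehouse", "transfer-out", processed, "x3 y3")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for step in ledger.path():
        print(step)
    print("ledger verifies:", ledger.verify())
    figure = {"inputs": (2, 3, 4, 6, 2), "amount": 2.00, "currency": "USD"}
    print("USD record, USD assumed:", provenance_check(figure, page_equation, "USD"))
    print("CAD record, USD assumed:", provenance_check(dict(figure, currency="CAD"), page_equation, "USD"))
```

The ledger only proves that the recorded path is the one that was written at the time; it does not, on its own, prove the provider actually kept the data where the entries say. That is the gap between lineage and provenance the slides describe, and it is why the provenance check has to carry the assumption (here the currency) explicitly rather than infer it.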
• A final aspect of data security is data remanence. "Data remanence is the residual representation of data that has been in some way nominally erased or removed.
• This residue may be due to data being left intact by a nominal delete operation, or through physical properties of the storage medium."
Data Security Mitigation

• Although data-in-transit can and should be encrypted, any use of that data in the cloud, beyond simple storage, requires that it be decrypted.
• Using a PaaS-based application or SaaS, customer-unencrypted data will also almost certainly be hosted in a multi-tenancy environment (in public clouds).
• This adds exposure: together with the difficulties in determining the data's lineage and provenance, and the failure to adequately address basic security concerns, the data security risks for customers are significantly increased.
• The only viable option for mitigation is to ensure that any sensitive or regulated data is not placed into a public cloud, or to encrypt data placed into the cloud for simple storage.
Provider Data and Its Security

• Specifically with regard to customer data, what metadata does the provider have about the data, and how is it secured?
• Additionally, the provider collects and must protect a huge amount of security-related data. For example, at the network level, the provider should be collecting, monitoring, and protecting firewall, intrusion prevention system (IPS), security incident and event management (SIEM), and router flow data.
• At the host level the provider should be collecting system log files, and at the application level SaaS providers should be collecting application log data, including authentication and authorization information.
Storage

• For data stored in the cloud (i.e., storage-as-a-service), we are referring to IaaS and not data associated with an application running in the cloud on PaaS or SaaS.
• The same three information security concerns are associated with this data stored in the cloud: confidentiality, integrity, and availability.

Confidentiality

• When it comes to the confidentiality of data stored in a public cloud, there are two potential concerns:
• First, what access control exists to protect the data? Access control consists of both authentication and authorization.
• Second, how is the data that is stored in the cloud actually protected?
• For all practical purposes, protection of data stored in the cloud involves the use of encryption.
• So, is a customer's data actually encrypted when it is stored in the cloud? And if so, with what encryption algorithm, and with what key strength?
• It depends, and specifically, it depends on which CSP we are using.
• For example, EMC's MozyEnterprise does encrypt a customer's data.
• But AWS S3 does not encrypt a customer's data. Customers are able to encrypt their own data themselves prior to
• The next consideration concerning CSPs is what encryption algorithm is used. Not all encryption algorithms are created equal.
• Cryptographically, many algorithms provide insufficient security.
• Only algorithms that have been publicly vetted by a formal standards body (e.g., NIST) or at least informally by the cryptographic community should be used.
• Symmetric encryption (figure below) involves the use of a single secret key for both the encryption and decryption of data.
• Only symmetric encryption has the speed and computational efficiency to handle encryption of large volumes of data.
• Although the example in the figure is related to email, the same concept (i.e., a single shared, secret key) is used in data storage encryption.
• Although the example in the figure below is also related to email, the concept it shows (i.e., a public key and a private key) is not used in data storage encryption.
• The next consideration is what key length is used.
• With symmetric encryption, the longer the key length (i.e., the greater the number of bits in the key), the stronger the encryption.
• Although long key lengths provide more protection, they are also more computationally intensive and may strain the capabilities of computer processors.
• Hence, key lengths should be a minimum of 112 bits for Triple DES (Data Encryption Standard) and 128 bits for AES (Advanced Encryption Standard), both NIST-approved algorithms.
Integrity

• In addition to the confidentiality of data, there is a need to focus on the integrity of the data.
• Confidentiality does not imply integrity; data can be encrypted for confidentiality purposes, but integrity requires the use of message authentication codes (MACs).
• The simplest way to use MACs on encrypted data is to use a block symmetric algorithm in cipher block chaining (CBC) mode, and to include a one-way hash function.
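"Confidentiality does not imply integrity" is easiest to believe once you watch a ciphertext byte change without anything noticing. The following Python is an added example (not from the slides) that enforces the key-length minimums stated above, encrypts with a keystream, and shows that a one-byte change to stored ciphertext decrypts silently to a different plaintext, whereas the same change is rejected once an HMAC-SHA256 tag is computed over the ciphertext (encrypt-then-MAC) with a separate MAC key. To keep the block dependent on the standard library only, the keystream is derived with HMAC-SHA256 as a stand-in for a vetted block cipher such as AES; the slides' CBC-plus-hash construction is the same idea with a different cipher mode. The master key and plaintext are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Minimum key lengths in bits from the slides (NIST-approved algorithms).
MIN_KEY_BITS = {"AES": 128, "3DES": 112}
NONCE_LEN = 16
TAG_LEN = 32


def key_length_ok(algorithm, key):
    """Apply the slides' minimum key length for the named algorithm."""
    return len(key) * 8 >= MIN_KEY_BITS[algorithm]


def _keystream(key, nonce, length):
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.

    Stand-in for a vetted cipher so the example runs offline; its only job
    here is to show that encryption alone gives confidentiality, not integrity.
    """
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(enc_key, plaintext):
    """Confidentiality only: nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(enc_key, blob):
    """Inverse of encrypt_only; it cannot tell whether blob was modified."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def derive_keys(master):
    """Separate encryption and MAC keys derived from one master key."""
    enc = hmac.new(master, b"encryption", hashlib.sha256).digest()
    mac = hmac.new(master, b"authentication", hashlib.sha256).digest()
    return enc, mac


def seal(master, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    enc_key, mac_key = derive_keys(master)
    blob = encrypt_only(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def open_sealed(master, sealed):
    """Verify the tag in constant time before decrypting anything."""
    enc_key, mac_key = derive_keys(master)
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: stored data was modified")
    return decrypt_only(enc_key, blob)


def flip_low_bit(data, index):
    """Simulate a storage-side modification of one ciphertext byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    master = secrets.token_bytes(32)           # constructed master key
    plaintext = b"PAY 100 USD"                 # constructed record
    enc_key, _ = derive_keys(master)
    blob = encrypt_only(enc_key, plaintext)
    # Byte 4 of the plaintext is the '1' of 100; flipping its low bit gives '0'.
    print(decrypt_only(enc_key, flip_low_bit(blob, NONCE_LEN + 4)))   # b'PAY 000 USD'
    sealed = seal(master, plaintext)
    try:
        open_sealed(master, flip_low_bit(sealed, NONCE_LEN + 4))
    except ValueError as err:
        print("rejected:", err)
```

Two design points carry over to any real deployment: the MAC key is never the encryption key, and the tag is checked before decryption so that a tampered blob is never even partially processed.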
• Another aspect of data integrity is important, especially with bulk storage using IaaS.
• Once a customer has several gigabytes of its data up in the cloud for storage, how does the customer check on the integrity of the data stored there?
• There are IaaS transfer costs associated with moving data into and back down from the cloud.
• What a customer really wants to do is to validate the integrity of its data while that data remains in the cloud, without having to download and re-upload that data.
• This task is even more difficult because it must be done in the cloud without explicit knowledge of the whole data set.
• Additionally, the data set is probably dynamic and changing frequently.
• Hence a proof of retrievability, a mathematical way to verify the integrity of the data as it is dynamically stored in the cloud, is needed.
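The requirement above (verify the data while it stays in the cloud, without the whole set in hand, and keep working as blocks change) can be met in a simpler way than the proof-of-retrievability schemes of the literature: the customer keeps only a Merkle root over the stored blocks and spot-checks random blocks, each answer costing one block plus a logarithmic number of hashes. The following Python is an added example, not from the slides and not a named scheme: it models both sides, the provider's store that answers challenges and the customer's verifier that holds a single 32-byte root, and shows a verified update so the root follows legitimate changes while silent corruption is still caught. Block contents are constructed.

```python
import hashlib
import secrets


def _h(data):
    return hashlib.sha256(data).digest()


def leaf_hash(block):
    return _h(b"\x00" + block)            # domain-separated leaf


def node_hash(left, right):
    return _h(b"\x01" + left + right)     # domain-separated inner node


PAD = _h(b"\x02")                         # fixed padding node for odd-sized levels


def fold(leaf, path):
    """Recompute the root from a leaf hash and its authentication path."""
    h = leaf
    for sibling, sibling_is_right in path:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h


class CloudStore:
    """Provider side: keeps the blocks and the Merkle tree, answers challenges."""

    def __init__(self, blocks):
        self.blocks = list(blocks)
        self.rebuild()

    def rebuild(self):
        level = [leaf_hash(b) for b in self.blocks]
        self.levels = [level]
        while len(level) > 1:
            if len(level) % 2:
                level = level + [PAD]
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            self.levels.append(level)

    def root(self):
        return self.levels[-1][0]

    def prove(self, index):
        """Return (block, path); path = [(sibling_hash, sibling_is_right), ...]."""
        path, i = [], index
        for level in self.levels[:-1]:
            if len(level) % 2:
                level = level + [PAD]
            if i % 2 == 0:
                path.append((level[i + 1], True))
            else:
                path.append((level[i - 1], False))
            i //= 2
        return self.blocks[index], path

    def update(self, index, block):
        self.blocks[index] = block
        self.rebuild()


class Client:
    """Customer side: keeps only the 32-byte root and the block count."""

    def __init__(self, store):
        self.root = store.root()
        self.n = len(store.blocks)

    def challenge(self, store, indices=None, sample=4):
        """Spot-check blocks; each answer is one block plus about log2(n) hashes."""
        if indices is None:
            indices = secrets.SystemRandom().sample(range(self.n), min(sample, self.n))
        for i in indices:
            block, path = store.prove(i)
            if fold(leaf_hash(block), path) != self.root:
                return False
        return True

    def apply_update(self, store, index, new_block):
        """Authorised change: derive the new root locally; never trust the store's."""
        old_block, path = store.prove(index)
        if fold(leaf_hash(old_block), path) != self.root:
            raise ValueError("store failed verification before update")
        new_root = fold(leaf_hash(new_block), path)
        store.update(index, new_block)
        if store.root() != new_root:
            raise ValueError("store root after update does not match expectation")
        self.root = new_root


if __name__ == "__main__":
    store = CloudStore([f"block-{i}".encode() for i in range(7)])   # constructed blocks
    client = Client(store)
    print("initial audit:", client.challenge(store))
    client.apply_update(store, 3, b"block-3-v2")
    print("audit after update:", client.challenge(store))
    store.blocks[5] = b"corrupted"                # silent damage on the provider side
    print("audit of damaged block:", client.challenge(store, indices=[5]))
```

Random sampling gives probabilistic rather than absolute assurance, which is the same trade the formal schemes make; the value of the construction is that the customer's state never grows with the data set and the provider cannot substitute a root of its own, because the client computes every new root itself from a proof it has already verified.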
Availability

• Assuming that a customer's data has maintained its confidentiality and integrity, the availability of the data is the remaining concern.
• There are currently three major threats in this regard:
• The first threat to availability is network-based attacks.
• The second threat to availability is the CSP's own availability.
• In addition to the service outage threats above, in some cases data stored in the cloud has actually been lost.
• Hence, in consideration of the above threats to availability, CSPs take measures to ensure data availability.
• For example, "data stored in Amazon S3, Amazon SimpleDB, or Amazon Elastic Block Store is redundantly stored in multiple physical locations as a normal part of those services and at no additional charge."
• All three of these considerations (confidentiality, integrity, and availability) should be encapsulated in a CSP's service-level agreement (SLA) to its customers.
Security Management in the Cloud

• With the adoption of public cloud services, a large part of the network, systems, applications, and data will move under third-party provider control.
• The cloud services delivery model will create islands (clouds) of virtual perimeters as well as a security model with responsibilities shared between the customer and the cloud service provider (CSP).
• This shared responsibility model will bring new security management challenges to the organization's IT operations staff.
• Adequate transparency from cloud services is needed to manage the governance (shared responsibilities) and the implementation of security management processes (preventive and detective controls) that assure the business that the data in the cloud is appropriately protected.
• As a customer of the cloud, there is a need to understand the trust boundary of services in the cloud.
• Understand all the layers and interfaces within the cloud service: network, host, application, database, storage, and web services, including identity services.
• It is also necessary to understand the scope of IT system management and monitoring responsibilities, including access, change, configuration, patch, and vulnerability management.
FIGURE: Security management and monitoring scope
• Although the customer may be transferring some of the operational responsibilities to the provider, the level of responsibility will vary and will depend on a variety of factors, including the service delivery model (SPI) and the provider's service-level agreement (SLA), which may support the extension of internal security management processes and tools.
• Mature IT organizations are known to employ security management frameworks, such as ISO/IEC 27000 and the Information Technology Infrastructure Library (ITIL) service management framework.
• These industry standard management frameworks provide guidance for planning and implementing a governance program with sustaining management processes that protect information assets.
• A key tenet of ITIL, and one that is applicable to cloud computing, is that organizations (people, processes) and information systems are constantly changing.
• Hence, management frameworks such as ITIL will help with the continuous service improvement that is necessary to align and realign IT services to changing business needs.
• Continuous service improvement means identifying and implementing improvements to the IT services that support business processes, such as sales force automation using a cloud service provider.
• In short, security management is a constant process and will be very relevant to cloud security management.
• The goal of the ITIL Security Management framework is divided into two parts:
• Realization of security requirements: security requirements are usually defined in the SLA as well as in other external requirements, which are specified in foundation contracts, legislation, and internally or externally imposed policies.
• Realization of a basic level of security: this is necessary to guarantee the security and continuity of the organization and to reach simplified service-level management for information security management.
• Well-established security management processes are also aligned with an organization's IT policies and standards, with the goal of protecting the confidentiality, integrity, and availability of information.
• The figure below illustrates the ITIL life cycle in an enterprise. Security management disciplines are represented by relevant ISO and ITIL functions.
FIGURE 6-2. The ITIL life cycle in an enterprise
Data Privacy

• A common misunderstanding is that data privacy is a subset of information security.
• The two are indeed interrelated, but privacy brings a host of concerns all its own.

What Is Privacy?

• The concept of privacy varies widely among countries, cultures, and jurisdictions.
• Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal data (or personally identifiable information, PII).
• Privacy is about the accountability of organizations to data subjects, as well as the transparency of an organization's practices around personal information.
• There is no universal consensus about what constitutes personal data.
• The definition adopted by the Organization for Economic Cooperation and Development (OECD): personal data is any information relating to an identified or identifiable individual (data subject).
• Another definition gaining popularity is the one provided by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) in the Generally Accepted Privacy Principles (GAPP) standard:
• "The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information."
What Is the Data Life Cycle?

• Personal information should be managed as part of the data used by the organization.
• It should be managed from the time the information is conceived through to its final disposition.
• Protection of personal information should consider the impact of the cloud on each of the following phases, as detailed in the figure below:
FIGURE: Data life cycle
• The components within each of these phases are:

1. Generation of the information
• Ownership: Who in the organization owns PII, and how is the ownership maintained if the organization uses cloud computing?
• Classification: How and when is PII classified? Are there limitations on the use of cloud computing for specific data classes?
• Governance: Is there a governance structure to ensure that PII is managed and protected through its life cycle, even when it is stored or processed in a cloud computing environment?
2. Use
• Internal versus external: Is PII used only within the collecting organization, or is it used outside the organization (e.g., in a public cloud)?
• Third party: Is the information shared with third parties (e.g., subcontractors or CSPs)?
• Appropriateness: Is the use of the information consistent with the purpose for which it was collected?
• Discovery/subpoena: Is the information managed in the cloud in a way that will enable the organization to comply with legal requirements in case of legal proceedings?
3. Transfer
• Public versus private networks: When information is transferred to a cloud, is the organization using public networks, and is it protected appropriately? (PII should always be protected to address the risk level and legal requirements.)
• Encryption requirements: Is the PII encrypted? Some laws require that PII be encrypted when transmitted via a public network.
• Access control: Are there appropriate access controls over PII when it is in the cloud?
4. Transformation
• Derivation: Are the original protection and use limitations maintained when data is transformed or further processed in the cloud?
• Aggregation: Is data in the cloud aggregated so that it is no longer related to an identifiable individual?
• Integrity: Is the integrity of PII maintained when it is in the cloud?
5. Storage
• Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?
• Structured versus unstructured: How is the data stored to enable the organization to access and manage the data in the future?
• Integrity/availability/confidentiality: How are data integrity, availability, and confidentiality maintained in the cloud?
• Encryption: Several laws and regulations require that certain types of PII be stored only when encrypted. Is this requirement supported by the CSP?
6. Archival
• Legal and compliance: PII may have specific requirements that dictate how long it should be stored and archived. Are these requirements supported by the CSP?
• Off-site considerations: Does the CSP provide the ability for long-term off-site storage that supports archival requirements?
• Media concerns: Is the information stored on media that will be accessible in the future?
 Is the information stored on portable media that may be more susceptible to loss? Who controls the media, and what is the organization’s ability to recover such media from the CSP if needed?
• Retention: For how long will the data be retained by the CSP? Is the retention period consistent with the organization’s retention period?
7. Destruction
• Secure: Does the CSP destroy PII obtained from customers in a secure manner to avoid a potential breach of the information?
• Complete: Is the information completely destroyed? Does the destruction completely erase the data, or can it be recovered?
 What Are the Key Privacy Concerns in the Cloud?
 Privacy advocates have raised many concerns about cloud computing.
 These concerns typically mix security and privacy.
 Some additional considerations to be aware of:
1. Access
 Data subjects have a right to know what personal information is held and, in some cases, can make a request to stop processing it.
 This is especially important with regard to marketing activities; these are subject to additional regulations and are addressed in the end user privacy policy.
 In the cloud, the main concern is the organization’s ability to provide the individual with access to all of their personal information in accordance with stated requests.
2. Compliance
 What are the privacy compliance requirements in the cloud? What are the applicable laws, regulations, standards, and contractual commitments that govern this information?
 And who is responsible for maintaining the compliance?
 How are existing privacy compliance requirements impacted by the move to the cloud?
 Clouds can cross multiple jurisdictions; for example, data may be stored in multiple countries, or in multiple states within the United States.
3. Storage
 Where is the data in the cloud stored? Was it transferred to another data center in another country?
 Is it commingled with information from other organizations that use the same CSP?
 Privacy laws in various countries place limitations on the ability of organizations to transfer some types of personal information to other countries.
 When the data is stored in the cloud, such a transfer may occur without the knowledge of the organization, resulting in a potential violation of the local law.
4. Retention
 How long is personal information (that is transferred to the cloud) retained?
 Which retention policy governs the data? Does the organization own the data, or the CSP?
 Who enforces the retention policy in the cloud, and how are exceptions to this policy managed?
5. Destruction
 How does the cloud provider destroy PII at the end of the retention period?
 How do organizations ensure that their PII is destroyed by the CSP at the right point and is not available to other cloud users?
 How do they know that the CSP didn’t retain additional copies?
 Cloud storage providers usually replicate the data across multiple systems and sites—increased availability is one of the benefits they provide.
 This benefit turns into a challenge when the organization tries to destroy the data.
 Did the CSP really destroy the data, or just make it inaccessible to the organization?
 Is the CSP keeping the information longer than necessary so that it can mine the data for its own use?
6. Audit and monitoring
 How can organizations monitor their CSP and provide assurance to relevant stakeholders that privacy requirements are met when their PII is in the cloud?
7. Privacy breaches
 How do you know that a breach has occurred, and how do you ensure that the CSP notifies you when a breach occurs?
 And who is responsible for managing the breach notification process?
 If contracts include liability for breaches resulting from negligence of the CSP, how is the contract enforced and how is it determined who is at fault?
 Who Is Responsible for Protecting Privacy?
 There are conflicting opinions regarding who is responsible for security and privacy.
 Some publications assign it to providers; but although it may be possible to transfer liability via contractual agreements, it is never possible to transfer accountability.
 Ultimately, in the view of the public and the law, the responsibility for data security and privacy falls on the organization that collected the information in the first place—the user organization.
 History and experience have proven that data breaches have a cascading effect.
 When an organization loses control of users’ personal information, the users are responsible (directly or indirectly) for subsequent damages resulting from the loss.
Disaster Recovery
 Cloud disaster recovery (cloud DR) is a component of a disaster recovery plan that involves maintaining copies of enterprise data in a cloud storage environment as a security measure.
 Some enterprises that are willing to put primary storage in the cloud are more likely to use cloud-based backup or disaster recovery.
 There are a number of benefits that make cloud DR appealing, mostly related to cost savings.
 The utility storage model is affordable, and the need for other resources, such as IT infrastructure and data center space, is much reduced.
 Cloud computing, based on virtualization, takes a very different approach to disaster recovery.
 With virtualization, the entire server, including the operating system, applications, patches and data, is encapsulated into a single software bundle or virtual server.
 This entire virtual server can be copied or backed up to an offsite data center in a matter of minutes.
 Since the virtual server is hardware independent, the operating system, applications, patches and data can be safely and accurately transferred from one data center to a second data center.
 This can dramatically reduce recovery times compared to conventional (non-virtualized) disaster recovery approaches, where servers need to be loaded with the OS and application software.
 The figure below shows the disaster recovery tradeoff curve to the left:
 With cloud computing (as represented by the red arrow), disaster recovery becomes much more cost-effective with significantly faster recovery times.
 With cloud computing, warm site disaster recovery becomes a very cost-effective option where backups of critical servers can be spun up in minutes on a shared or private cloud host platform.
 With SAN-to-SAN replication between sites, hot site DR with very short recovery times also becomes a much more attractive, cost-effective option.
 This is a capability that was rarely delivered with conventional DR systems due to the cost and testing challenges.
 One of the most exciting capabilities of disaster recovery in the cloud is the ability to deliver multi-site availability.
 SAN replication not only provides rapid failover to the disaster recovery site, but also the capability to return to the production site when the DR test or disaster event is over.
 One of the added benefits of disaster recovery with cloud computing is the ability to finely tune the costs and performance for the DR platform.
