
1 Security and Privacy SLAs for Cloud services. Dr. Jesus Luna, CSA Research Director EMEA. www.cloudsecurityalliance.org, Copyright © 2015 Cloud Security Alliance

2 How do you choose a Cloud Service Provider? Service-related criteria: performance, price, reputation. What about security and privacy?

3 (Some) cloud security barriers: the lack of transparency of some Cloud Service Providers or brokers; lack of clarity in Service Level Agreements; cloud security is not easy to understand for SMEs.

4 In 3 words: LACK OF TRUST

5 HOW DO WE BUILD TRUST IN CLOUD COMPUTING?

6 Cloud Service Level Agreements. A documented agreement between the cloud service provider (CSP) and the cloud service customer that identifies the services and their associated quality levels (i.e., cloud service level objectives, or SLOs). Security and privacy specification in cloud SLAs (secSLAs and PLAs) aims to give customers useful, measurable security and privacy information beyond what can be found in certifications.

7 secSLA + PLA: advantages. More transparency = customer trust! Create a standardized way to specify and manage security and privacy between CSPs and customers. Enable realistic levels of automation for the whole security life cycle: Plan (negotiation), Do (enforcement), Check (monitoring), Act (remediation).

8 Enabling secSLA automation: the SPECS project

9 European Project SPECS. Partners: CeRICT, Italy (coordinator); TUD, Germany; IeAT, Romania; CSA, United Kingdom; XLAB, Slovenia; EISI, Ireland. Grant: FP7-ICT-10-610795. Project start: 1/11/2013. Project type: STREP. Duration: 30 months.

10 SPECS Platform. A hosted platform that provisions resources from partner CSPs, offers (security) services to customers, and buys/brokers resources from CSPs.

11 Example: secSLA content. Describe the services covered by the SLA: VM instances, storage services, etc. Describe the CSP's security commitments (Service Level Objectives) and the associated metrics. Metrics: % of critical vulnerabilities, frequency of 3rd-party audits, cryptographic strength, etc. SLOs: Availability > 99,999%, Full Backup Frequency < 24hrs, etc. Describe the (economic) penalties associated with secSLA violation.

12 Example: secSLA model. Based on relevant standards and best practices (including EU guidelines). A security SLA that includes user preferences. A machine-readable SLA. (Figure: fine-grained security requirements versus coarse-grained security requirements.)
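As an added example (not from the presentation or the SPECS project), the Python script below shows how a machine-readable secSLA of the kind slides 11 and 12 describe can be evaluated in the "Check (monitoring)" step of slide 7: constructed SLOs, each with a metric, target and penalty, are compared with a constructed monitoring sample, and an unreported metric is treated as a violation. The metric names, targets and penalty amounts are assumptions chosen for illustration.

```python
"""Constructed secSLA evaluator: machine-readable SLOs checked against monitored metrics."""
from dataclasses import dataclass
import operator

# Comparison operators an SLO may use: the measured value must satisfy `value OP target`.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "==": operator.eq}

@dataclass(frozen=True)
class SLO:
    metric: str      # metric name from the SLA vocabulary (assumed names below)
    op: str          # comparison operator
    target: float    # committed value, e.g. 99.999 for availability in %
    penalty: float   # constructed economic penalty (EUR) per violated SLO

# Constructed secSLA: services covered, SLOs with their metrics, and penalties.
SECSLA = {
    "services": ["vm-instances", "object-storage"],
    "slos": [
        SLO("availability_pct", ">=", 99.999, 5000.0),
        SLO("full_backup_interval_hours", "<=", 24, 1000.0),
        SLO("critical_vulnerabilities_pct", "<=", 0.0, 2000.0),
        SLO("third_party_audits_per_year", ">=", 1, 500.0),
        SLO("crypto_key_bits", ">=", 256, 3000.0),
    ],
}

# Constructed monitoring sample for one reporting period (the "Check" step).
MEASURED = {
    "availability_pct": 99.95,
    "full_backup_interval_hours": 12,
    "critical_vulnerabilities_pct": 1.5,
    "third_party_audits_per_year": 1,
    # "crypto_key_bits" is deliberately not reported: an unverifiable commitment counts as a violation.
}

def evaluate(sla, measured):
    """Return (list of violated metric names, total penalty).
    A metric missing from the monitoring data is a violation: the customer cannot verify it."""
    violations = [slo.metric for slo in sla["slos"]
                  if measured.get(slo.metric) is None or not OPS[slo.op](measured[slo.metric], slo.target)]
    penalty = sum(slo.penalty for slo in sla["slos"] if slo.metric in violations)
    return violations, penalty

if __name__ == "__main__":
    bad, cost = evaluate(SECSLA, MEASURED)
    print("Violated SLOs:", bad, "penalty (EUR):", cost)
```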

13 Developing a Cloud SLA for Privacy: CSA PLA

14 Privacy Level Agreement v1. Privacy Level Agreements (PLA) v1 is a powerful transparency and voluntary disclosure mechanism for CSPs offering services in the European Economic Area (EEA). A PLA is intended to provide: cloud customers and potential customers with a tool to assess a CSP's commitment to addressing information privacy and personal data protection practices (and to support informed decisions); and CSPs with a tool (template) for making privacy and data protection disclosures that address the recommendations provided throughout 2012 by the Article 29 WP and several EU DPAs.

15 Content of PLA v1
- Contact information
- Ways in which data will be processed
- Data transfer
- Data security measures
- Monitoring
- Personal data breach notification
- Data portability, migration and transfer back assistance
- Data retention, restitution and deletion
- Accountability
- Cooperation
- Law enforcement access

16 Privacy Level Agreement v2. Objective 1: define a PLA outline for the global market based on the experience of PLA v1. Objective 2: define a privacy compliance mechanism for the European Union based on PLA v1, moving from a transparency mechanism to a compliance tool, and seek the endorsement of the Art. 29 Working Party.

17 6. PERSONAL DATA BREACH NOTIFICATION
A personal data breach is defined by EU Directive 2002/58/EC in Article 2(i) as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community."
- Specify how, and within what timeframe, the customer will be notified of a personal data breach affecting the CSP and/or its subcontractors | Yes for electronic communication service providers | Yes | Applicable
- Specify how the competent Supervisory Authority(ies) and data subjects will be informed of personal data breaches, and within what timeframe | Yes for electronic communication service providers | Yes | Applicable | Not Applicable
7. DATA PORTABILITY, MIGRATION, AND TRANSFER BACK ASSISTANCE
- Specify the formats, preservation of logical relations, and any costs associated with the portability of data, applications and services | Yes (this obligation can be inferred from the actual EU data protection legal framework; it is referred to in a number of A29WP Opinions and specifically set forth in the draft General Data Protection Regulation) | - | Applicable
- Describe whether, how, and at what cost the CSP will assist customers in the possible migration of the data to another provider or back to an in-house IT environment | Yes (this obligation can be inferred from the actual EU data protection legal framework) | - | Applicable

18 Cloud secSLAs and PLAs: are we there yet?

19 Challenges. Standards (vocabularies, metrics, ...) and best practices (making cloud SLAs usable for SMEs). ISO/IEC 19086. Cloud supply chains and multi-cloud systems. Certifications, SLAs, or both?

20 Contacts. Help Us Secure Cloud Computing. www.cloudsecurityalliance.org | info@cloudsecurityalliance.org | jluna@cloudsecurityalliance.org | LinkedIn: www.linkedin.com/groups?gid=1864210 | Twitter: @cloudsa | SPECS: http://www.specs-project.eu/

21 THANK YOU!

22 Enter the cloud. "The cloud can deliver a net gain of 2.5 million new European jobs, and an annual boost of EUR 160 billion to EU GDP (around 1%), by 2020." (European Cloud Strategy, 2013) "Cloud gives you the ability to very quickly stand up an infrastructure and test new ideas." (IBM, 2013) "Driving innovation AND lowering costs? That's a lot of pressure. The solution is the cloud." (SAP, 2014)

