Published by Merry Hopkins. Modified over 9 years ago.
Hey Enterprise! I’ve got my OWN Cloud!
IAPP 2010 Privacy Academy
Wayne Pauley, EMC Corporation
© Copyright 2010 EMC Corporation. All rights reserved.

It Should be Easy, So What is Cloud?
Characteristics
–On Demand & Self-Service
–Broad Network Access
–Resource Pooling
–Rapid Elasticity
–Measured Service
Service Models
–Software as a Service (SaaS)
–Platform as a Service (PaaS)
–Infrastructure as a Service (IaaS)
Deployment Models
–Private Cloud
–Public Cloud
–Hybrid Cloud
–Community Cloud
Reference: NIST Definition

Cloud Vendor Taxonomy
Reference: OpenCrowd

Cloud Security & Compliance
Reference: Cloud Security Alliance

Segmentation – by Business Size
Private & Hybrid Cloud
–Tier 1 Licensing, Support, Risk
–Tier 2-4 Private Cloud Hybrid
–Infra Apps: Cloud as Target
–Websites, Portals, Grid
–Test/Dev – Scale, R&D
–SaaS Salesforce, SAP, Oracle, MS
Hybrid Cloud
–Risk Averse on Tier 1 Apps
–SaaS: Salesforce, NetSuite
–Tier 2-4: Non OLTP/ATOM Apps
–Infra Apps: Cloud as Target for Backup, Archive, or Security
Public Cloud
–Convenience Outweighs Risk
–CAPEX VS OPEX
–Self-Service
–Back Office, Development, & Production
Public Cloud
–Convenience Outweighs Risk
–Low Cost or Free
–Email, eCommerce, Social Nets, Gaming

Segmentation – by Vertical
Public Cloud
–Availability, Scale, Maintenance
–Online Courses & Labs
–Email, Docs/Collaboration, Research
–Blackboard, eCollege, Google Apps, MS Azure
Private Cloud
–Regulators watching, not yet approving
–Location of data, sharing resources at issue
–Extend private cloud to SP’s
–Interested in cost reduction and burst scale
Public Cloud
–Public Information (low risk)
–Scale & Cost
–OpenStack, FISMA Qualified
–USA.gov, Google Gov
Public Cloud / Hybrid Cloud
–Government HITECH Incentives
–Access to Big Compute Power
–Data Repositories, Data Mining
–MS Health, Google Health, etc.
–Consumer apps, Rx, EHR, Monitoring and Alerting Systems

Impact on Privacy
Regulations
–Multi-tenancy / Shared Resources
–Data Location(s)
–Transitivity
–Backup/Recovery
–SAS 70, PCI, and HIPAA Certifications
Mitigation of Exposure
–Audit/Assessment Requirements
–Evidentiary Requirements
–Background Checks
Standards
–CSA, ENISA, CloudAudit, SharedAssessments

Example Evaluation Model
Security & Privacy Scorecard
4 Domains to Assess
–Security
–Privacy
–Auditability
–Service Levels
Reference: Cloud Provider Transparency, IEEE Security & Privacy

Transformations
[Figure: "From This" / "To This" comparisons]

THANK YOU

References
–Cloud Provider Transparency: An Empirical Evaluation. (2010) Wayne Pauley, IEEE Security & Privacy (in press)
–Cloud Security Alliance – www.cloudsecurityalliance.org
–NIST – http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
–OpenCrowd – http://cloudtaxonomy.opencrowd.com/