© 2000-2014 Ward Solutions, Ltd. All rights reserved. Confidential and Proprietary.

IRISSCON 2014 Privacy Cloud Computing



Page 2

Disclaimer: This presentation does not represent legal advice or purport to be a legal interpretation of legislation, regulation or standard rules. Whilst every effort is made to ensure the information is accurate, responsibility cannot be accepted for any liability incurred or loss suffered as a consequence of relying on any material published herein. Appropriate professional advice should be taken before acting or refraining from acting on the basis of this presentation.

Page 3

What is Cloud Computing

• Depends on who you ask

• Lots of terminology

Page 4

Drivers, Benefits and Risks

Page 5

Cloud Computing - Benefits

Flexibility

Access to Applications

Availability

Cost Reductions

Page 6

Cloud Computing - Risks

Page 7

Cloud Computing Top 9 Threats

1) Data Breaches

2) Data Loss

3) Account Hijacking

4) Insecure APIs

5) Denial of Service

6) Malicious Insiders

7) Abuse of Cloud Services

8) Insufficient Due Diligence

9) Shared Technology Issues

https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Page 8

Legal Considerations - Cloud

• Copyright and Related Rights Acts 2000, 2004 and 2007;

• Data Protection Acts 1988 and 2003;

• Freedom of Information Acts 1997 and 2003;

• The Child Trafficking and Pornography Acts 1998 and 2004;

• Defamation Act 2009;

• Prohibition of Incitement to Hatred Act 1989.

Page 9

Focus on Data Protection in the Cloud

• Security of Personal Data

• Location of Personal Data

Page 10

What is Personal Data

“any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”

(Data Protection Directive 95/46/EC, Article 2(a))

“...data relating to a living individual who is or can be identified either from the data, or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller...”

(Data Protection Act 1988, as amended by the Data Protection (Amendment) Act 2003)

Page 11

Responsibilities: Data Controllers and Data Processors

The Data Controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data” (Article 2(d), Directive 95/46/EC).

The Data Controller remains responsible if processing is outsourced to a Data Processor (“a person ... who processes personal data on behalf of a data controller”).

Page 12

Responsibilities - 8 Rules

1. Fairly Obtained

2. Specified and Lawful purpose

3. Not Incompatible with purpose

4. Safe and Secure

5. Accurate and up to date

6. Adequate, relevant and not excessive

7. Retention only for as long as necessary

8. Copy to individual on request.

Page 13

Security Obligations-Rule 4: Safe and Secure

“... appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”

“Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.” (Article 17(1), Directive 95/46/EC)

Page 14

Security Obligations: Working with Cloud Providers

“... the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.” (Article 17(2))

“The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:

• the processor shall act only on instructions from the controller;

• the obligations set out in paragraph 1 [Article 17(1)], as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.”

(Article 17(3), Directive 95/46/EC)

Page 15

Location of Personal Data

• EU/EEA

• Approved Countries

• USA - Safe Harbor

• Model Contracts

• Binding Corporate Rules

• Clear and unambiguous consent of the individual data subject(s)

Page 16

What you Need to Do

• Establish the criteria you expect CSPs to meet

  • Security, control and privacy criteria as well as functional ones

• Procure in accordance with those criteria

• Due diligence: satisfy yourself on security, privacy and compliance

• Written contract: SLA and PLA (Privacy Level Agreement)

  • ‘Click Wrap’ contracts

Page 17

Privacy Level Agreement (PLA)

A PLA describes the level of privacy and data protection that a cloud service provider (CSP) undertakes to maintain with respect to the relevant data processing.

Page 18

Privacy Level Agreement (PLA)

1. Identity of the CSP

2. Data prohibited to be sent/processed

3. Ways data will be processed

4. Data Transfer

5. Data Security Measures

6. Monitoring

7. Audit

8. Breach Notification

9. Data Portability

10. Data Retention / Deletion

11. Accountability

12. Cooperation

13. Law Enforcement Access

14. Remedies

15. Dispute Resolution

16. Cyber Insurance Policy

Page 19

Guidance

• Cloud Security Alliance (CSA)

  • Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

  • Cloud Controls Matrix (CCM)

  • Privacy Level Agreement

• European Network and Information Security Agency (ENISA)

  • Cloud Computing: Benefits, risks and recommendations for information security

• Data Protection Commissioner

  • http://www.dataprotection.ie/

• NSAI

  • Adopting the Cloud - decision support for cloud computing

Page 20

Just when you thought it was safe to get back in the water

In 2009 Google was awarded a U.S. patent for its floating data centres that are powered by waves and cooled by sea water.
