© 2000-2014 Ward Solutions, Ltd. All rights reserved. Confidential and Proprietary.
Disclaimer: This presentation does not represent legal advice or purport to be a legal interpretation of legislation, regulation or standard rules. Whilst every effort is made to ensure the information is accurate, responsibility cannot be accepted for any liability incurred or loss suffered as a consequence of relying on any material published herein. Appropriate professional advice should be taken before acting or refraining from acting on the basis of this presentation.
What is Cloud Computing
• Depends on who you ask
• Lots of terminology
Drivers, Benefits and Risks
Cloud Computing - Benefits
Flexibility
Access to Applications
Availability
Cost Reductions
Cloud Computing - Risks
Cloud Computing Top 9 Threats
1) Data Breaches
2) Data Loss
3) Account Hijacking
4) Insecure APIs
5) Denial of Service
6) Malicious Insiders
7) Abuse of Cloud Services
8) Insufficient Due Diligence
9) Shared Technology Issues
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Legal Considerations - Cloud
• Copyright and Related Rights Acts 2000, 2004 and 2007;
• Data Protection Acts 1988 and 2003;
• Freedom of Information Act 1997 and 2003;
• The Child Trafficking and Pornography Acts 1998 and 2004;
• Defamation Act 2009;
• Prohibition of Incitement to Hatred Act
Focus on Data Protection in the Cloud
• Security of Personal Data
• Location of Personal Data
What is Personal Data
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”
(Data Protection Directive 95/46/EC, A2)
“…data relating to a living individual who is or can be identified either from the data, or from the data in conjunction with other information that is, or is likely to come into the possession of the data controller…”
(Data Protection (Amendment) Act 2003)
Responsibilities: Data Controllers and Data Processors
The Data Controller (“the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”).
The Data Controller remains responsible if data is outsourced to a Data Processor (“a person … who processes personal data on behalf of a data controller”).
Responsibilities - 8 Rules
1. Fairly Obtained
2. Specified and Lawful purpose
3. Not Incompatible with purpose
4. Safe and Secure
5. Accurate and up to date
6. Adequate, relevant and not excessive
7. Retention only for as long as necessary
8. Copy to individual on request.
Security Obligations - Rule 4: Safe and Secure
“…appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
“Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.” (Article 17 DIRECTIVE 95/46/EC)
Security Obligations: Working with Cloud Providers
“… the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.”
“The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
the processor shall act only on instructions from the controller;
the obligations set out in paragraph 1 (Article 17 DIRECTIVE 95/46/EC), as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.”
(Article 17 DIRECTIVE 95/46/EC)
Location of Personal Data
• EU/EEA
• Approved Countries
• USA - Safe Harbor
• Model Contracts
• Binding Corporate Rules
• Clear and unambiguous consent of the individual data subject(s)
What you Need to Do
• Establish the criteria that you expect CSPs to meet
  • Security / Control / Privacy as well as functional
• Procure in accordance with those criteria
• Due Diligence: satisfy yourself on security / privacy / compliance
• Written contract: SLA and PLA (Privacy Level Agreement)
  • ‘Click Wrap’ Contracts
Privacy Level Agreement (PLA)
A PLA describes the level of privacy and data protection that the CSP undertakes to maintain with respect to the relevant data processing.
Privacy Level Agreement (PLA)
1. Identity of the CSP
2. Data prohibited to be sent/processed
3. Ways data will be processed
4. Data Transfer
5. Data Security Measures
6. Monitoring
7. Audit
8. Breach Notification
9. Data Portability
10. Data Retention / Deletion
11. Accountability
12. Cooperation
13. Law Enforcement Access
14. Remedies
15. Dispute Resolution
16. Cyber Insurance Policy
Guidance
• Cloud Security Alliance (CSA)
  • Security Guidelines for Critical Areas of Focus in Cloud Computing V3.0
  • Cloud Controls Matrix (CCM)
  • Privacy Level Agreement
• European Network and Information Security Agency (ENISA)
  • Cloud computing: benefits, risks and recommendations for information security
• Data Protection Commissioner
  • http://www.dataprotection.ie/
• NSAI
  • Adopting the Cloud - decision support for cloud computing
Just when you thought it was safe to get back in the water
In 2009 Google was awarded a U.S. patent for its floating data centres that are powered by waves and cooled by sea water.