
Data Sovereignty and the Cloud


DESCRIPTION

Of the many issues to do with the remote hosting of data that organisations have to consider, data sovereignty – how legal jurisdictions affect data security and third-party access – is one of the most sensitive, because knowing who can see your private data and on what basis is central to managing the risk of cloud computing. To help decision-makers address this issue, NEXTDC has sponsored the whitepaper Data Sovereignty and the Cloud in partnership with the UNSW Cyberspace Law and Policy Centre, Aon, and Baker & McKenzie. It is a practical and easy-to-use guide for managers developing policy around the risks and rewards of cloud computing, and a bible for those who need to understand the law, their responsibilities and best practice measures for managing data in the cloud. See whitepaper: http://nextdc.com/data-sovereignty-whitepaper


88% of organisations have at least one data breach each year.

Between 36% and 62% say that their data breaches involved mistakes by third parties such as outsourcers and cloud providers.

31% of companies spend 20% of their budget on cloud.

The Australian e-commerce market continues to grow, increasing to over $37 billion in 2013.

Ponemon reveals that corporate security professionals are involved in the vetting process for cloud providers an alarming 9% of the time.

A Board and Executive Officers’ Guide

Technical, legal and risk governance issues around data hosting and jurisdiction.

Data Sovereignty and the Cloud

Ten commandments

Thou must be aware that information stored in a cloud environment can conceivably be subject to more than one nation’s laws.

Thou must acknowledge it is not the application, but the data which needs to be profiled and classified so a policy can automate its residence within a hybrid cloud.

Thou shalt check whether your cloud service provider has extended its insurance policy so that it also includes cover for your data; not all clouds are created equal.

Thou must remember, by nature a cloud computing environment invites international considerations.

Thou must remember that the onus is on the business to ensure the cloud provider used complies with local laws.

Thou should note the ramifications of the revised Privacy Act coming into effect in 2014, where it is not stipulated that foreign providers must comply with Australian Privacy Law.

Thou must be aware a foreign owned vendor may be subject to their country’s laws, even if they operate in Australia.

Thou should know the US has entered into mutual legal assistance treaties with over 50 countries.

Thou shalt investigate whether ‘personal information’ really needs to be stored in identifiable form, since permanent de-identification can mean privacy rules no longer apply.

Thou shalt investigate and formulate criteria that determine what information should be housed in Australia or exclusively under Australian control.

Infographic labels: National law, Data sovereignty, Local law, International law, Insurance, Privacy rules, Application, International treaties, Foreign vendors, Data profile, Privacy Act.

What to look for when selecting a cloud provider

Hiring practices

Similar practices

Record of reliability

Security procedures

Data centre locations

Breach notification protocols

Infrastructure

Experience with the customer’s systems

Financial condition

Disaster recovery plans

Insurance coverage

Methods for preventing unauthorised access or introduction of malicious code