How to work your cloud around the UK ICO s Data Protection Act

Transcription

1 How to work your cloud around the UK ICO s Data Protection Act Paul Simmonds Co-editor - Cloud Security Alliance "Guidance" v3.0 Co-founder & Board of Management - Jericho Forum CEO, Global Identity Foundation Former Global CISO AstraZeneca & ICI CipherCloud All rights reserved.

2 The Cloud s Explosive Growth Expanding From SMB to Global Enterprises and the Public Sector In the UK 83 percent of companies have decided on a strategy for adopting cloud, with SaaS is the most commonly used type of cloud service In the UK, business units make decisions on cloud 45 percent of the time, in comparison to IT with 44 percent The report, commissioned by IT consultants Capgemini and released on Thursday, surveyed 460 organisations globally and 50 in the UK CipherCloud All rights reserved.

3 Where is Your Data? 49% of organizations sending sensitive data to the cloud CipherCloud All rights reserved.

4 How is Data Secured? 72% of organizations don t know how their cloud service provider secures their data CipherCloud All rights reserved.

5 Increased Government Surveillance The Patraeus-gate affair has highlighted the vulnerability of Cloud In the same week Google acknowledged the total number of requests for information from governments has jumped nearly 50 percent, that's over 30,000 accounts in the first half of 2012 Companies like Microsoft, Dropbox, LinkedIn, and Twitter are starting to report similar government requests CipherCloud All rights reserved.

6 Court Rules Data Jurisdiction At Server Location The UK High Court has ruled a company is only responsible for 'making available' online content in the country where the servers are located and not in the country where the content is read or used. Microsoft Says It Will Give Your Data to the U.S. Government, Even If It's Not in the U.S. Microsoft has admitted that it will hand over data to the U.S. government, if properly requested, even if that data is stored somewhere other than the U.S. The issue, according to ZDNet's Zack Whittaker, is that because Microsoft is a U.S. company it has to comply with the Patriot Act, and that means handing over data that may be offshore. The same rules would apply to Amazon Web Services and any other U.S. based cloud provider that has servers overseas CipherCloud All rights reserved.

7 By 2015, more than 70% of organizations still prone to data breaches due to poor data access controls and encryption CipherCloud All rights reserved.

8 Governments are Preparing to Legislate First the EU, then the UK ICO have now recognised the Cloud EU Article 29 Data Protection Working Party UK Information Commissioner s Office July 2012 October CipherCloud All rights reserved.

9 Governments are Preparing to Legislate First the EU, then the UK ICO have now recognised the Cloud EU Article 29 Data Protection Working Party cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data UK Information Commissioner s Office you can outsource some of the processing of that data but how that data is used and protected remains your responsibility July 2012 October CipherCloud All rights reserved.

10 Cloud is No Excuse Ultimately, you can outsource responsibility but you can't outsource accountability.if there's a data breach, the client agency or organisation remains responsible. ENISA Cloud Computing, Benefits, risks and recommendations for information security Victoria Privacy Commissioner, Australia CipherCloud All rights reserved.

11 Responsibility Begins and Ends With You Your Data Where is it? What are they doing with it? Who is using it? Would you know if they lost it? CipherCloud All rights reserved.

12 Cloud is No Excuse When data is transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data. Cloud Security Alliance, Guidance v CipherCloud All rights reserved.

13 Who is Responsible? where encryption software has not been used to protect the data, regulatory action may be pursued CipherCloud All rights reserved.

14 ation/cloud_computing_guidance_for_organisations.ashx Or just Google: "cloud computing" ico CipherCloud All rights reserved.

15 Protecting your data 31...because an organisation chooses to contract for cloud computing services... does not mean that the organisation is no longer responsible for determining the purposes for which and manner in which the personal data is to be processed. The organisation will continue to be a data controller and will be required to meet its obligations under the DPA. UK ICO Guidance on the use of cloud computing, CipherCloud All rights reserved.

16 Protecting your data 63. Encryption allows a cloud customer to ensure that the personal data they are responsible for can only be accessed by authorised parties who have the correct key. UK ICO Guidance on the use of cloud computing, CipherCloud All rights reserved.

17 Protecting your data 66. The cloud customer should also consider if it is appropriate to use encryption on data at rest, ie when stored within the cloud service. This will depend on the nature of the personal data and the type of processing being undertaken in the cloud. This will be an important consideration when sensitive personal data is being processed. UK ICO Guidance on the use of cloud computing, CipherCloud All rights reserved.

18 Protecting your data 67. In an IaaS or data storage scenario, it is much easier for the cloud customer to insist that all data is encrypted before it leaves his, or the cloud user s device. However, in a SaaS cloud this is more difficult to achieve because the cloud provider may need access to the data in order to perform the necessary processing. UK ICO Guidance on the use of cloud computing, CipherCloud All rights reserved.

19 Protecting your data 68. If encryption is used as a technical measure to secure data, it is important to ensure the security of the key. A robust key management arrangement is crucial to maintain the level of protection encryption can offer. UK ICO Guidance on the use of cloud computing, CipherCloud All rights reserved.

20 Headlines - Cloud services outside the UK The DPA requires that personal data shall not be transferred to any country or territory outside the European Economic Area... Cloud customers should ask a potential cloud provider for a list of countries where data is likely to be processed and for information relating to the safeguards in place there. The cloud provider should be able to explain when data will be transferred to these locations CipherCloud All rights reserved.

21 These are the questions you need to answer CipherCloud All rights reserved.

22 Jericho Forum Commandments Access to data 9. Access to data should be controlled by security attributes of the data itself Access / security could be implemented by encryption 10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges Permissions, keys, privileges etc. must ultimately fall under independent control, or there will always be a weakest link at the top of the chain of trust Administrator access must also be subject to these controls 11. By default, data must be appropriately secured when stored, in transit and in use High security should not be enforced for everything; appropriate implies varying levels with potentially some data not secured at all CipherCloud All rights reserved.

23 Security Considerations Normal IT Security considerations are equally relevant to Cloud Computing Key Questions and Considerations Data access Data residency Data disclosure Data ownership Data disposal Data remanence Data loss/leak Data archiving Data encryption Who has access to my data? Where is my data physically located? Can law enforcement compel data disclosure? Is the cloud provider allowed to mine my data? Will all my data be deleted when I leave? Can my data be left to be reconstructed? Can provider cause a leak or loss of my data? Will the proper policies be applied to my data? Is my data encrypted at rest, in transit and in use? CipherCloud All rights reserved.

24 What Data to I need to Protect and How? Key Questions and Considerations Which Data? Applicability? Where is my Data? Is my Data protected? What is the business process? Who controls the admins? Who controls the keys? Could my data be subpoenaed? Do I have Orange 1, or Red 1 data that needs protecting? Which laws, or regulations are applicable to my data? Is my data being held outside our perimeter? Has my data been secured sufficiently? Can my data be secure and the business process still run? Could an admin see or manipulate your data? Unless you control the keys, you don t control the data. And if it was, would you ever know? Note 1: CipherCloud All rights reserved.

25 Best Practices on Data Protection Guidance on the use of cloud computing and protecting your data Encryption of Data at Rest Sufficient certified encryption standards Ensure granular encryption control Use methods that preserve function Use identity and access controls Key Management Ensure you, not the provider, has the key Maintain sufficient access controls to keys Rotate keys to increase protection Provide archiving and backup for resilience CipherCloud All rights reserved.

26 The Future of European Data Protection Changes Under Consideration: 1) Change from a DP Directive to a DP Regulation 2) Fines up to 1 million or 2% of global annual turnover 3) 24 hour breach notification 4) Consistent EU-wide enforcement 5) Interpretation & advice by local (country) DP authorities CipherCloud All rights reserved.

27 The Future of European Data Protection Changes Under Consideration: 1) Clarification: explicit consent given, rather than assumed. 2) Accountability principle 3) A privacy by design principle 4) Documented privacy impact assessments CipherCloud All rights reserved.

28 Responsibility Begins and Ends With You Your Data Where is it? What are they doing with it? Who is using it? Would you know if they lost it? CipherCloud All rights reserved.

29 What To Do Secure sensitive data in real time, before it's sent to the cloud Use format & operations-preserving encryption and tokenization thus Eliminating data security, privacy, residency, & compliance concerns CipherCloud All rights reserved.

30 Related Reading Jericho Forum Cloud Cube Jericho Forum Commandments CSA Security Guidelines 3.0 Freely available at & cloudsecurityalliance.org CipherCloud All rights reserved.