Data Residency: Challenges and the Need for Standards. Webinar May 11, 2017

Similar documents
Where s My Data? Managing the Data Residency Challenge

IIoT standards at work. Andrew Watson OMG Technical Director

Cloud Customer Architecture for Securing Workloads on Cloud Services

Practical Guide to Cloud Management Platforms.

Practical Guide to Cloud Computing Version 2. Read whitepaper at

Practical Guide to Hybrid Cloud Computing. Cloud-Computing.

Introduction to TOIF. Dr. Nikolai Mansourov CTO, KDM Analytics Liaison to OASIS. November 8, 2017 Copyright 2017 OMG. All rights reserved.

Practical Guide to Platform as a Service.

Copyright 2011, OMG. All rights reserved.

The OMG GRC GRID. High Level Overview. Object Management Group GRC Program

Welcome to OMG! December 8, 2017 Copyright 2017 OMG. All rights reserved. 1

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

The Software Assurance Ecosystem: OMG s Approach to Systems & Software Assurance

OMG: The Home of Modelling Standards. Andrew Watson OMG Technical Director

Data Localization. Data Localization

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Networking Session - A trusted cloud ecosystem How to help SMEs innovate in the Cloud

Report on ISO/IEC/JTC1/SC27 Activities in Digital Identities

Law & Policy Meets Data in the Cloud: Data Sovereignty Across Asia. Bernie Trudel Chairman, Asia Cloud Computing Association

GDPR: A QUICK OVERVIEW

Frequently Asked Questions

Welcome to the Industrial Internet Forum

Improving digital infrastructure for a better connected Thailand

Are You Protected. Get Ahead of the Curve

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR AMERICAS

EMC GLOBAL DATA PROTECTION INDEX STUDY KEY RESULTS & FINDINGS FOR THE USA

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR UAE

Regional and subregional approaches to the Digital Economy: Lessons from Asia-Pacific and Latin America

Customers want to transform their datacenter 80% 28% global IT budgets spent on maintenance. time spent on administrative tasks

Information Security Management Systems Standards ISO/IEC Global Opportunity for the Business Community

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR APJ

The IECEE CB Scheme facilitates Global trade of Information Technology products.

Building an Assurance Foundation for 21 st Century Information Systems and Networks

The Safe, Secure and Reliable Industrial Internet: A Standards Story March 2017

MUTUAL RECOGNITION MECHANISMS. Tahseen Ahmad Khan

Copyright 2011 EMC Corporation. All rights reserved.

Technology and data privacy Global perspectives

E X E C U T I V E B R I E F

This document is a preview generated by EVS

Critical Information Infrastructure Protection Law

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR HONG KONG

ICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability

Executive brief Create a Better Way to Work: OpenText Release 16

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR INDIA

Introduction to the Export Services Branch Programmes and Services Ministry of International Trade

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR INDONESIA

ICTLC Paolo Balboni, Ph.D.

2017 THALES DATA THREAT REPORT

2014 Luxury & Fashion Industry Conference for Multinationals

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR BRAZIL

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR ITALY

FACTS AND OPPORTUNITIES IN BRAZIL. Gartner IT Security Summit Washington DC, June 2008

NIST Standard Enterprise Big Data Ecosystem

DDS Interoperability Demo

The Role of SANAS in Support of South African Regulatory Objectives. Mr. Mpho Phaloane South African National Accreditation System

Open Document Format. It s Your Information Make the Choice to Ensure It Stays That Way ODF ALLIANCE. The OpenDocument Format: It's Your Information 1

Government IT Modernization and the Adoption of Hybrid Cloud

Cloud Transformation and Significance of Security

ISO/IEC JTC 1/SC 32 N 2490

General Overview & Annex 1: Global Smart Grid Inventory

Making hybrid IT simple with Capgemini and Microsoft Azure Stack

Managing Jurisdictional Risks for Public Cloud Services

Data Protection and GDPR

The Significant Role of European Union s GDPR in Data Governance

In Accountable IoT We Trust

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR TURKEY

Cloud28+ Compliance in Cross Border Business

PRESENTATION OVERVIEW

Google Cloud & the General Data Protection Regulation (GDPR)

SOC 3 for Security and Availability

Standardization Activities for Cloud Computing

Cyber Risk and Networked Medical Devices

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS AND RESULTS FOR FRANCE

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Are you protected? Get ahead of the curve Global data protection index

End to End BPM: From process modeling to execution with Signavio and Red Hat. Red Hat Summit Wednesday May 3.

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

EY Norwegian Cloud Maturity Survey Current and planned adoption of cloud services

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

FDIC InTREx What Documentation Are You Expected to Have?

Introduction of the Industrial Internet Consortium. May 2016

Perspectives of BIM implementation in Romania

Data Security and Privacy Principles IBM Cloud Services

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR JAPAN

Benefits of Open Cross Border Data Flows

REPORT 2015/149 INTERNAL AUDIT DIVISION

Cloud Computing and the Cloud Standards Customer Council

NIST Designation of CABs: Upcoming Changes for the US and EU Review for Japan

The Impact of HIPAA Privacy and Security on IT and Business Process Outsourcing

Industry 4.0 and the importance of norms and standards within collaborative, digitized process networks

An Introduction to SySML

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

Mobile Connect Driving Global Economic Growth Through Secure Mobile Identity

EMC GLOBAL DATA PROTECTION INDEX KEY FINDINGS & RESULTS FOR AUSTRALIA

SMART MANUFACTURING: TECHNOLOGIES AND GLOBAL MARKETS

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Vertical Healthcare HUAWEI Europe overview

Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th

Transcription:

Data Residency: Challenges and the Need for Standards Webinar May 11, 2017 1

2 Speakers Tracie Berardi Sr. Marketing Manager, OMG Moderator Andrew Watson Technical Director, OMG Claude Baudoin Principal, cébé IT & Knowledge Management Energy Domain Consultant, OMG Member of the CSCC Steering Committee

Introducing OMG One of the most successful forums for creating open integration standards in the computer industry Middleware platforms (DDS, CORBA and related specs) Modeling platforms (UML, BPMN, SysML and related work) System Assurance (SACM, DAF for SSCD...) Vertical domain specifications (Finance, Healthcare, C4I,...) Member-controlled industrial consortium Both vendors and users Not-for-profit Adopted specifications are freely available to all Visit http://www.omg.org Path to adoption by ISO and other standards bodies 3

Worldwide Membership ACORD Eclipse Fndn. MEGA OSD Software AG Adaptive EDM Council Microsoft PNA Sparx Adelard LLP FICO Micro Focus PrismTech State St Airbus Grp Ford MID GmbH PROSTEP AG Thales Appian FSTC/BITS MITRE PTC Thematix AT&T Fujitsu Mitsubishi PwC TIBCO BAE Systems Gen. Electric ModelFoundry Rolls-Royce Toshiba Bizagi Harris NASA RTI Trisotech Bloomberg HPe NARA SAP Twin Oaks Boeing Huawei NIST Scheer E2E VDMbee CA IBM No Magic Signavio Visumpoint Camunda KDM Analytic Northrop Simula Labs W3C Dell EMC Lockheed Oracle Softeam (200+ more) 4

Introducing the CSCC THE Customer s Voice for Cloud Standards! Provide customer-led guidance to multiple cloud standards-defining bodies Establishing criteria for open standards based cloud computing 650+ Organizations participating 2017 Projects Data Residency discussion paper Security for Cloud Services Ref. Architecture Impact of Cloud Computing on Healthcare v2 Hybrid Integration Reference Architecture API Management Reference Architecture Blockchain Reference Architecture Multi-cloud Management whitepaper And more! 2016 Deliverables Prac Guide to Hybrid Cloud Computing Public Cloud Service Agreements, V2 Cloud Security Standards, V2 IoT Ref. Architecture e-commerce Ref. Architecture Impact of Cloud Computing on Healthcare, V2 Enterprise Social Collaboration Ref. Architecture 2015 Deliverables Web App Hosting Ref. Architecture Mobile Ref. Architecture Big Data & Analytics Ref. Architecture Security for Cloud Computing, V2 Practical Guide to Cloud SLAs, V2 Practical Guide to PaaS 2013/2014 Deliverables Convergence of Social, Mobile, Cloud Analysis of Public Cloud SLAs Cloud Security Standards Migrating Apps to Public Cloud Services Social Business in the Cloud Deploying Big Data in the Cloud Practical Guide to Cloud Computing, V2 Migrating Apps: Performance Rqmnts Cloud Interoperability/Portability http://cloud-council.org 5

History of This Effort March 2015: initial request from an OMG member June 2015: first OMG Data Residency WG meeting (Berlin) Sep.-Dec. 2015: 2 nd and 3 rd meetings, prepared an RFI March-June 2016: 4 th - 5 th meetings, processed RFI results, decide to create a discussion paper as first deliverable Sep.-Dec. 2016: 6 th - 7 th meetings, preliminary draft of discussion paper, agreement to collaborate with CSCC and issue two separate but almost identical papers Q1 17: collect contributions, edit paper, go the OMG approval process (8 th meeting, Washington DC) April 17: create CSCC companion white paper, review process, release May 17: press releases and this webinar June 17: working group meeting and tutorial in Brussels 6

The Two Papers Both about 35 pages CSCC paper omits the history of the OMG effort and the discussion of OMG s potential roadmap for standards 7

Data Residency Definition, Scope There are a number of definitions of data residency as is usually the case in a new domain We propose this definition: Data residency is the set of issues and practices related to the location of data and metadata, the movement of (meta)data across geographies and jurisdictions, and the protection of that (meta)data against unintended access and other locationrelated risks Scope Not just about the protection of personally identifiable information (PII) Also concerns the right to move sovereign data, such as oil reserves data; international licensing of genomics data; distribution of biometrics data for security purposes; etc. 8

Risks Related to Data Residency Violating of a government law or regulation Unintended/unauthorized access by a foreign organization Demand by a foreign government s authorities to access data Having to provide a foreign government with secret keys to inspect encrypted data Violation of domestic content policies Increased cost of doing business in a given country Inability of a multinational organization to provide shared employee services, such as payroll and benefits Losing business to a local competitor Inability to qualify for government or private contracts Multiplication of locally managed data centers with smaller and less experienced security teams Diminished disaster recovery capabilities Delays in business transformation and technology modernization Consumer and citizen mistrust of technology, organizations, governments 9

Challenges: Example 1 Migration to the cloud Am I allowed to put my data in the cloud if it is going to be stored in another country, or if there is a possibility that the cloud provider might move it to another country later without my knowledge or consent? Regulations may be unclear Regulations may be used as a rationale to reject the cloud even when they do not really exist (Mexico government example) Authorization may require high-level approval (Danish bank example) 10

Challenges: Example 2 Genomic data sets Can I license a data set from another country to perform research on a larger sample? How do I prove to regulators that the data no longer contains personally identifiable information (PII)? 11

Challenges: Example 3 Processing data on petroleum reserves In countries with national companies, subsurface data is often considered a national asset Exploration is subcontracted to foreign companies Can it remotely control an automated drilling operation from a monitoring center in another country? Can it move data to a foreign location in order to do better analytics? If it returns data interpreted in a center in another country, does it have to pay duties on the added value of those results? 12

Challenges: Example 4 Law enforcement vs. personal communication A US citizen is suspected of criminal activity Some evidence may reside in their e-mail stored in the cloud by a US provider However, the data is stored outside of the US, in a country with strong data protection laws Which law prevails? Is the provider damned if they do, damned if they don t give the US government access to the data? 13

Use Case Matrix 14

Laws and Regulations Multiple, inconsistent, overlapping, and still evolving laws and regulations around the world Range from non-existent to severe Sometimes (but not always) apply to government data / public records, not to private companies data The European Union s General Data Protection Regulation (GDPR) of 2016 is among the most comprehensive Multiple motivations behind the laws: Protecting the privacy of citizens Enabling police and tax authorities to inspect data Protectionism force companies to create domestic facilities Monetize the flow of data 15

Some Country-Specific Cases See Appendix in the papers but remember that the situation keeps evolving Australia Canada China Denmark European Union France Germany India Indonesia Korea Malaysia Netherlands Nigeria Norway Russia Turkey Ukraine United States Venezuela Vietnam 16

Existing Relevant Standards There is currently no standard that deals specifically with data residency Data residency is related to the security and privacy aspects of Several NIST publications (800-144, 500-299, 1500) Several ISO/IEC standards (27001, 27017, 27018) The work of the CSA s International Standardization Council (ISC) Work being considered in ISO/IEC JTC 1/SC 38 The Voluntary Data Protection Code of CISPE (Cloud Infrastructure Service Providers in Europe) Some technical standards may prove useful Information Exchange Framework (IEF) OMG Data Tagging and Labeling OMG work in progress XACML extensible Access Control Markup Language ORDL Open Digital Rights Language 17

What is Needed Documentation and education These papers are a good start Cataloguing of laws and regulations See the Digital Trade Database from the European Centre for International Political Economy (ECIPE) Formal description of laws and regulations Because natural language is ambiguous and does not lend itself to automated policy enforcement Formal description of the content of data Extension of data tagging and labeling or IEF policy With both of the above, we might be able to better manage residency Several difficult challenges Willingness to participate requires recognizing there are issues Implementation may be difficult due to legacy systems 18

Summary and How to Participate Data residency is a serious challenge for suppliers as well as users Can (and already does) hurt the ability to do business It may well get worse before it gets better Organizations need to learn about it and develop business and technical approaches OMG is looking into what standards may help Metadata describing data location constraints? Formal description of data residency laws and regulations? Call to action Participate in OMG Data Residency Working Group and/or in the various Working Groups of the CSCC 19

Thanks Q&A Time More information at www.omg.org/data-residency and www.cloud-council.org/resource-hub 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback