ppt - Cloud Security Alliance

Data Protection in the Cloud – unclouding the Issues
Billy Hawkes
Irish Data Protection Commissioner
Cloud Security Alliance
Frankfurt, 9 May 2012
Back to the Future…….?
Data Controller to Data Processor (“Cloud”)
“The Cloud” – What are the
Data Protection Issues?
• Security of Personal Data
• Location of Personal Data
• Access to Personal Data
What is “Personal Data”?
• “any information relating to an
identified or identifiable natural
person ('data subject'); an identifiable
person is one who can be identified,
directly or indirectly, in particular by
reference to an identification number
or to one or more factors specific to
his physical, physiological, mental,
economic, cultural or social identity”
(Data Protection Directive 95/46/EC, A2)
Who is Responsible?
• The Data Controller (“the natural or legal
person, public authority, agency or any other
body which alone or jointly with others
determines the purposes and means of the
processing of personal data”)
• Data Controller remains responsible if data
outsourced to Data Processor (“a person
… who processes personal data on behalf of a
data controller”)

Cloud Provider
What Responsibilities?
• Transparency (A. 10, 11)
  - adequate information
• Process fairly & lawfully (A.6)
  - Consent, contract, legal obligation, vital interests, public interest task, legitimate interests (A.7)
• Specified, explicit and legitimate purpose (A.6)
• Adequate, Relevant & not excessive (A. 6)
• Accurate, up-to-date (A.6)
• Retain for no longer than is necessary (A.6)
• Right of Access (A. 12)
• Data Security (A. 17)
  - Intl. Transfers
• Right to Object (A. 14)
  - Marketing, Other
• Restrictions on Automated Decisions (A. 15)
What Security Obligations?
• “..Appropriate technical and organizational
measures to protect personal data against
accidental or unlawful destruction or accidental loss,
alteration, unauthorized disclosure or access, in
particular where the processing involves the
transmission of data over a network, and against all
other unlawful forms of processing.”
• “Having regard to the state of the art and the cost of
their implementation, such measures shall ensure a
level of security appropriate to the risks
represented by the processing and the nature of
the data to be protected.”
(Data Protection Directive, A17)
“Outsourcing” Obligations?
• “The controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures”
• “..governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
  - the processor shall act only on instructions from the controller
  - the (security) obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.”
Location of Personal Data?
• OK if transferred within EU/EEA. Also OK if:
  - To Approved countries: Switzerland, Canada, Argentina, Isle of Man, Guernsey, Jersey, Faroe Islands, Israel, USA [“Safe Harborites” & PNR data only] [soon New Zealand and Uruguay]
  - Covered by Model Contracts or Binding Corporate Rules (BCRs)
  - Article 26 (1) Exceptions (contract requirements etc)
New EU Law: Data Controllers
• Privacy by Design
  - Privacy Impact Assessments
• Data Portability
• “Right to be Forgotten”
  - Requirement for retention policy
  - On request, delete unless clash with other rights (freedom of expression etc)
• Strengthened Data Security
  - Data Breach Notification
New EU Law: Data Processors
• More prescriptive Obligations:
  - Documentation
  - Data Protection Officer
  - Cooperation with DPA
• International Transfers:
  - BCRs for Processors
  - Contractual Clauses (as for Controllers)
Data Security in The Cloud
• “….the cloud’s economies of scale and flexibility
are both a friend and a foe from a security point
of view. The massive concentrations of
resources and data present a more attractive
target to attackers, but cloud-based defences
can be more robust, scalable and cost-effective”

European Network and Information Security Agency (ENISA)
Report on Cloud Computing, November 2009
http://www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputing-risk-assessment
Data Protection Challenge
• “Cloud computing poses several data protection risks
for cloud customers and providers. In some cases, it
may be difficult for the cloud customer (in its role as
data controller) to effectively check the data handling
practices of the cloud provider and thus to be sure that
the data is handled in a lawful way. This problem is
exacerbated in cases of multiple transfers of data, e.g.,
between federated clouds. On the other hand, some
cloud providers do provide information on their data
handling practices. Some also offer certification
summaries on their data processing and data security
activities and the data controls they have in place, e.g.,
SAS70 certification”

ENISA Report, November 2009
Challenges for Outsourcer
• Are you satisfied your data will be secure in the “cloud”?
  - security certification: ISO 27001, SAS 70/SSAE 16
  - Access controls, data recoverability, data breaches
  - Right to Audit
  - Location of Data (inside or outside EEA)
• Does your contract with the CP give you sufficient control?
  - “Ultimately, you can outsource responsibility but you can't outsource accountability” (ENISA)
Challenges for Cloud Provider
• Are you willing to take on the separate data security obligations under EU Data Protection Law?
  - Is this reflected in your contracts?
• Are you willing to accommodate EU restrictions on international data transfers?
  - Clarity on location of data?
Data Protection Guidance: “Sopot Memorandum” (1)
• Recommendations of International Working
Group on Data Protection in
Telecommunications (“Berlin Group”): Working
Paper on Cloud Computing, April 2012
• http://www.datenschutzberlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083
• EU Working Party 29 Guidance soon
“Sopot Memorandum” (2)
• Data Controllers: carry out privacy impact and privacy assessments
• Cloud Providers: greater transparency, security and accountability:
  - More information on potential data security breaches
  - more balanced contractual clauses to promote data portability and data control by cloud users
Thank You
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231, 057 8684800
Fax: 057 8684757
Email: info@dataprotection.ie
Website: www.dataprotection.ie