cloud computing megállapodások – ellenőrző lista eu-s szemszögből - suba ferenc alelnök,...

12

Click here to load reader

Upload: eurocloud-magyarorszag-egyesuelet

Post on 13-Jan-2015

1.198 views

Category:

Technology


3 download

DESCRIPTION

Az előadás a EuroCloud Day 2013 - Cloud First! konferencián hangzott el, 2013. szeptember 24-én a Boscolo Budapest Hotelben. Friss hírek a magyar cloud ökorendszerről: http://eurocloud.hu/

TRANSCRIPT

Page 1: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

Cloud Computing Agreements

- a checklist from EU perspective

Ferenc Suba J.D., M.A.Vice-Chair,

European Network and Information Security Agency

Senior Advisor for Cybersecurity,

Ministerpresident’s Office of Hungary

Attorney-at-law

Dr. Suba Ferenc Law Office

Page 2: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

0. Basics

• Cloud computing: use of computing resources

(hardware and software) delivered as a service over a

network (typically the Internet) + use of the same

physical resources by many through shared virtualised

service

• Infrastructure as a service (IaaS): user manages

application, platform and machines

• Platform as a service (PaaS): user manages

application, platform

• Software as a service (SaaS): user manages

application

• Anything as a service (XaaS): network,

communication, etc.

Page 3: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

1. Transparency

• Disclosure of the cloud service provider's locations

(country, region) where the customer data will be stored

and processed

• Disclosure of the cloud service provider's subcontractors

who are vital for providing the cloud services

• Transparency as to which interventions the cloud service

provider or third parties are allowed in the customer's

data and processes

• Providing regular information about changes (e.g. new or

discontinued functions, new subcontractors, other SLA

related issues)

Page 4: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

1. Transparency (cont.)

• Transparency as to which software the cloud service

provider will install onto the customer's systems and the

security requirements / risks resulting from this

• Transparency on governmental intervention or viewing

rights, on any legally definable third party rights to view

data and on any obligations that the cloud service

provider has to check stored data at any potential

location

• The cloud service provider to explain their legal and

ownership structure and decision-making powers

Page 5: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

2. Service Level Agreement

(SLA)• Defined security services clearly highlighted by Security SLA or in

the SLA

• Ensuring operation or provision of data if the cloud service

provider becomes insolvent, subject to change of controll, observing

confidentiality undertakings and data protection requirements

• Protection of intellectual property: in the case of IaaS and PaaS,

intellectual property, including original works created using the cloud

infrastructure, may be stored

• Risk Allocation and limitations of liability: obligations that

present significant risk be linked to monetary remediation or

indemnification clauses for any breach of that contract obligation +

careful evaluation of any standard clauses covering limitations of

liability

Page 6: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

3. Data Protection and Compliance

• Guaranteeing data protection under national law

• Compliance with the data protection guidelines

and laws to which the cloud user is subject

• When processing data: legal basis for the

transmission:

- Data Protection Act

- Consent

• Cloud user = data controller (SaaS, PaaS, IaaS)

• Cloud provider = data processor

Page 7: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

3. Data Protection and Compliance

(cont.)• When processing personal data on behalf of others: written

agreement between cloud user and cloud provider, minimum

content:

- Describing the object and duration of the order

- Describing precisely the gathering, processing and use of personal

data

- Specifying technical and organisational measures: exact location,

technical and organisational processing environment

- Handling the requests of those concerned as relating to the

correcting, locking and deleting of personal data

- Identifying or forbidding any subcontracting relationships

- The cloud user’s monitoring rights

- The cloud user’s rights to give instructions

- Returning or deleting data when the order ends

Page 8: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

3. Data Protection and Compliance

(cont.)

• On transmission and processing data on behalf of

others: storing and processing personal data

Within the EU member states or an EEA signatory

country or outside the EU or an EEA signatory

country, if an adequate level of data protection can

be guaranteed e.g. via:

– An EU Commission decision

– Signatory to the Safe Harbor Agreement (USA)

– Standard EU contract clauses

– Permission from the supervisory authority

Page 9: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

3. Data Protection and Compliance

(cont.)

• No involvement of a subcontractor who is unable to

guarantee that personal data will be processed under the

conditions indicated above

• When processing data on behalf of others, customers

have the right to monitor that their personal data is

being processed in compliance with data security

law via

- Onsite checks or

- Reports by an independent expert

• When processing data on behalf of others:

the supervisory authority responsible for the cloud

user has monitoring rights

Page 10: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

3. Data Protection and Compliance

(cont.),

• When processing data on behalf of others: the

cloud user has the right to give instructions to

the cloud provider

• The provider should comply with any laws which

the cloud user feels are relevant

Page 11: Cloud computing megállapodások – ellenőrző lista EU-s szemszögből - Suba Ferenc alelnök, European Network and Information Security Agency (ENISA)

Other legal questions

• Division of liabilities:

- lawfulness of content: e-Com. Actintermediary liability for cloud provider

full liability for cloud user

- security incidents: terms of agreement

what is under their resp. control?

responsibility for due diligence

• Which authorities can supervise the cloudprovider? (data protection, consumer protection, law enforcement, cybersecurity, financialsupervisors, telecom regulator?)