Johan Vandendriessche: Privacy & Compliance Issues with Cloud Computing


Post on 18-Nov-2014








  • 1. Privacy & Compliance Issues with Cloud Computing (in Theory and Practice) Johan Vandendriessche 24 March 2011
  • 2. Some key concepts Cloud Computing (by layer) SaaS Google Docs Gmail Google App Engine PaaS Microsoft Azure Platform Oracle/AWS IaaS Amazon Web Services FlexiScale
  • 3. Some key concepts Cloud Computing (by type)
  • 4. Some key concepts Cloud Computing (by type)
    Type | Managed by | Ownership of infrastructure | Dedicated hardware
    Public | Cloud Service Provider | Cloud Service Provider | No
    Private, external | Cloud Service Provider | Cloud Service Provider | Yes
    Private, internal | Internal Organization | Internal Organization | Yes
    Hybrid | Mixed | Mixed | Depends on the contract with the CSP
    Source: J. Ruiter and M. Warnier, Privacy Regulations for Cloud Computing Compliance and Implementation in Theory and Practice.
  • 5. Some key concepts Compliance Strict sense: conforming to a rule, such as a specification, policy, standard or law Tendency to include operational risks in regulations, thereby extending the notion of compliance to certain operational risk assessments MiFID CBFA Circular Letter PPB 2004/5 on good practices in relation to outsourcing by financial institutions and investment companies Privacy (Data Protection) Set of limitations in relation to the processing of personal data Essential compliance obligation!
  • 6. Importance of data protection compliance
    UK: Fine of 2.275.000 imposed by FSA on Zurich Insurance Company due to data loss by service provider (outsourced data processing). Data loss related to 46.000 clients due to an unencrypted backup tape. No evidence that the data had been misused or compromised, but it was clear that Zurich had no effective data protection systems in place or systems to manage the risks to the security of customer data resulting from the outsourcing arrangement.
    Germany: Fine of 1.100.000 EUR imposed by Berlin DPA on Deutsche Bahn. Screening of employee and supplier data to combat corruption. Monitoring communication sent via external e-mail accounts by employees.
    France: Regular fines by CNIL.
  • 7. Scope of Data Protection Law Limitations in relation to the processing of personal data Personal data: any information in relation to an identified or identifiable physical person [...] Very broad legal interpretation of the concept of personal data Not necessarily sensitive information (although stricter rules apply to special categories of personal data) Processing: any operation or set of operations which is performed upon personal data [...] Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data Data controller Data processor (service provider)
  • 8. Principles of Data Protection Law Principles Processing of personal data is prohibited, unless allowed by the Data Protection Law The data processing must comply with specific principles Proportionality Purpose limitation Limited in time (Individual and collective) Transparency Data quality Data security (Individual and collective) Enforcement measures No export of personal data to non-EEA countries, unless adequate protection is offered
  • 9. Security Obligations Security obligation General obligation Specific obligations Obligations in relation to the use of data processors Belgian Data Protection Commission has issued a list of security measures that can be implemented Reference Measures Description of 10 information security measures Based on ISO 27000 series
  • 10. Security Obligations General obligation to implement security measures Technical measures User access management IT security (anti-virus, firewall, ...) Fire prevention measures Organizational measures Data categorization (confidentiality level) Employee policies Protection against any unauthorized processing Adequate level of protection taking into account: Available technology and costs; Nature of concerned personal data and the potential risks Both types of measures are interchangeable
  • 11. Data Processing by Service Providers Data processing operations are often carried out by service providers (data processors) Security measures in case of data processors Choice of data processor (quality requirement) Security measures must be contractually imposed & verified Determine the extent of liability of the data processor Data controller is subject to strict liability Data controller can be held liable for the acts of the data processor Limit the mission of the data processor Conclude a written data processing agreement Paper document Electronic document
  • 12. Cloud Service Providers (CSP) Cloud Service Provider (CSP) is generally a data processor Cloud Computing agreements Standard click-wrap-agreements Generally considered valid under Belgian law in a B2B context Meets the requirements of electronic medium in data protection legislation Security measures must be imposed and audited Issue: how to audit security measures in a Cloud setting? Potentially multinational Locations may change Auditing CSPs may become very expensive Solution: certification of the CSP (check the scope of the certificates!) SAS 70 Type II ISO 9000 series ISO 27000 series
  • 13. Issues relating to international dataflows Internal Market for Personal Data = European Economic Area (EEA) [Diagram of three numbered dataflows: (1) data transfer between a data controller inside the EEA and a CSP inside the EEA (but in another EEA Member State); data export/import between a data controller inside the EEA and a CSP outside the EEA; data import/export between a data controller outside the EEA and a CSP inside the EEA.]
  • 14. Issues relating to international dataflows Dataflow within the EEA (1) Law of the country of establishment of data controller applies to data processing operation Subsequent transfers to sub-processors lo