Cloud & Privacy - Lecture at University Paris Sud - March 18th, 2013

Cloud & Privacy - Lecture at University Paris Sud Sceaux - March 18th, 2013
Master in Law, Innovation, Communication and Culture

Slide 1
Master Droit Innovation Communication Culture - Franck Franchin - © 2013

Slide 2
• Quick Wording Overview
• Quick Technology Overview
• Privacy Stakes
• Legal & Regulations Concerns
• Q&A

Slide 3
“Asking Google to educate consumers about privacy is like asking the fox to teach the chickens how to ensure the security of their coop”
Consumer Watchdog, March 2013

Slide 4
• Cloud
• CSP – Cloud Service Provider
• SOA (Service Oriented Architecture), WOA (Web Oriented Architecture)
• Web Services, XML
• SLA – Service Level Agreement
• BYOD (« Bring Your Own Device »)
• Virtualization, Virtual Machines
• Scalability, Resource Sharing, Metering
• Security / Safety / Availability / Resilience / Privacy
• CIA (Confidentiality, Integrity and Availability)
• Encryption, PKI
• Auditability
• Compliance (PCI-DSS, HIPAA, ISO/IEC 27001)

Slide 5
[Timeline: Mainframe (1970), Client-Server (1980), Web (1990), SOA (2000), Cloud (2010)]

Slide 6
• Many services: CPUs, Storage, Middleware, Backup, Translation, Payroll…
• On-demand service: only a few minutes are needed for resources to be rented and made available
• Wide access: no bandwidth limits (basically…)
• Metering service: pay as you consume, cost-effectiveness, no resource waste
• Effective scalability: quick, cost-effective and efficient down- or up-sizing
• Resource sharing: cost reduction
Source: NIST

Slide 7
Examples
• Microsoft Office 365
• Salesforce.com
• Google Apps
• Microsoft Azure
• Amazon EC2, S3
• Google App Engine
• Microsoft Azure
• Amazon EC2
• Oracle IaaS

Slide 8
[Diagram: the layer stack (Storage, Servers, Network, OS, Middleware, Virtualization, Runtime, Data, Applications) shown for Legacy, Infrastructure (as a Service), Platform (as a Service) and Software (as a Service), with each layer marked as Cloud Provider-managed or Customer-managed. In the Legacy model every layer is Customer-managed; in Software (as a Service) every layer is Cloud Provider-managed.]

Slide 9
• Private Cloud:
  ◦ Infrastructure owned or rented by the customer
  ◦ Internal or external to the customer's premises
• Community Cloud:
  ◦ Infrastructure shared by a specific business or academic community, or by a State
  ◦ Internal or external to the community members' premises
• Public Cloud:
  ◦ Infrastructure owned by the Cloud Service Provider
  ◦ Rented by the customer from the provider
• Hybrid Cloud:
  ◦ Mixed cloud services with data exchange and application portability

Slide 10
[Bar chart, 0% to 80%, of concerns about the cloud: Security, Performance, Availability, Hard to Integrate, Hard to Customize, Cost Effective?, Back in-house?, Regulatory Compliance. Source: IDC 2008 Summer]

Slide 11
• More than 60% of cloud users think the following types of information are too risky to be put into the cloud:
  ◦ Intellectual Property
  ◦ Financial Information
  ◦ Health Information
  ◦ Employee Records
• As amazing as it may sound, only 39% are skeptical about storing ‘credit card information’ (data collected before the Sony Network hack)

Slide 12
• Security is not a competitive advantage
• It’s the customer’s responsibility to secure the cloud
• Applications have to be evaluated for security threats prior to deployment in the cloud
• Less than 10% of Opex & Capex is dedicated to security
• Customers are interested in the cloud because of lower cost and faster deployment, not security nor regulatory compliance such as privacy

Slide 13
Most often used → Less often used
• Firewalls
• Anti-virus and anti-malware
• Encryption for data in motion
• Patch management
• Log management
• Single sign-on
• Data loss prevention
• Correlation or event management
• Access governance systems
• Encryption for wireless communication

Slide 14
[No text on this slide]

Slide 15
• 80% of survey respondents access cloud applications for business purposes via their smartphones
• 71% do so via a tablet
• and 81% use a non-company computer
• 71% admitted to accessing cloud applications, such as Dropbox or Google Drive, that have not been sanctioned by their IT department.
OneLogin – 2013 Survey

Slide 16
• Provisioning, Directory Synchronization & Identity Management issues at large scale
• Certificate and Key Revocation
• Single Point of Failure: the connection between the Cloud Provider and the Customer
• Full-Private Encryption (i.e. data not ‘readable’ by the Cloud Provider) is VERY difficult (homomorphic encryption…)
• Cloud usage by hackers and cybercrime (Amazon case)!
  ◦ Password cracking by brute force
  ◦ DDoS attacks
  ◦ Captcha cracking
  ◦ IP blacklisting

Slide 17
• Lifecycle of Cloud Technologies
• Lifecycle of Cloud Provider
• Contract lock-in, destroying or sanitizing information at the end of the service relationship
• Encryption (who owns/manages the keys?)
• Compliance Management
• Legal issues (foreign court orders or subpoenas, foreign agencies' warrants)
• Data Retention
• Multiple-country location (sub-contracting to low-cost countries)
• Data and Goodwill Ownership
• Sweet target for hackers and cybercrime
• Massive crash due to cyber-attacks or one major failure

Slide 18
• An average cloud customer typically cannot visit a cloud data centre and perform an audit on all of its infrastructure components across multiple data centres
• The audit itself could also violate the privacy of other cloud customers, and thus the EDPD, by exposing and identifying private data, as the auditors would have to access the entire cloud infrastructure
• Virtualization (cross-hardware, cross-data centre, cross-country) makes audit and privacy regulation compliance a nightmare

Slide 19
• Search – Yahoo or Google keep your data for 18 months!
• Webmail – Google goes through every word of every Gmail that’s sent or received to sell targeted ads.
• Google Docs
• Street View (Wifi traffic and password scans… hum?)
• Conference Management Systems – widely used in the academic research community, with document sharing (papers, reviews, patent drafts)
FREE SERVICE DOES NOT EXIST!

Slide 20
• The data controller (CIL) differs depending on the cloud model:
  ◦ Private cloud: if the organisation is using a private cloud, there can only be one data controller, as it has control over how the data is processed in the cloud.
  ◦ Community cloud: the likelihood of more than one data controller accessing the cloud service is high. The cloud provider is the data processor and there are many cloud customers/organisations sharing data through the cloud. In this circumstance the roles and shared responsibilities of each data controller need to be clear.
  ◦ Public cloud: the role of the data controller/organisation becomes more complicated, as the organisation will have very little control over the operations of the cloud provider. BUT the organisation is still responsible for the data it chooses to process in this way and remains the data controller.

Slide 21
• Data Assessment and Categorization (at least once a year)
  Not all data needs to be in the cloud
• Privacy Assessment (customers', business partners' and employees' data)
• Cloud users' awareness about data in the Cloud
• Monitoring and Auditing (at least once a year)
  Confidence and Compliance are built on Control
• WRITTEN CONTRACT (prohibit online license agreements which dynamically evolve and change for ‘enhancing customer experience’…)

Slide 22
• The Foreign Intelligence Surveillance Act of 1978 prescribes procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power.
• The Stored Communications Act of 1986 is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs)
• Patriot Act – signed by President George W. Bush on October 26, 2001, renewed by President Bush on March 9, 2006
• The Foreign Intelligence Surveillance Act Amendment Act (FISAA – 2008) allows US authorities to spy on cloud data, which includes Amazon Cloud Drive, Apple iCloud and Google Drive.

Slide 23
• US law allows American agencies to access all private information stored with firms within Washington’s jurisdiction, without a warrant, if the information is felt to be in the US interest.
• That means any company with a presence in the US, regardless of where the data is stored or of the existence of any conflicting obligations under the laws of the place where the data is located
• Some US-based cloud services and hosting companies might not be able to comply with the EDPD: customers whose private data has been disclosed under FISA won’t always be notified (which is not compliant with EC directives)

Slide 24
• The famous 95/46/EC Directive
• The European Data Protection Directive requires companies to inform users when they disclose personal information
• There are clauses in the Directive that allow data to be stored outside of the EU
• Evolution in progress since 2012; but strong lobbying against data breach notification enforcement and data aggregation processing restrictions

Slide 25
• The U.S.-EU Safe Harbor Framework provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU, as required by the European Union's Directive on Data Protection.
• Participation is voluntary
• Based on principles agreed by Directive 95/46 (October 1995)
• Five major points:
  ◦ The data owner has been informed of data processing and transfer
  ◦ The data owner can revoke the rights he granted
  ◦ Explicit agreement
  ◦ Access and change right (aka droit d’accès et de rectification)
  ◦ Data security (confidentiality, integrity, availability)

Slide 26
• Payment card security standards body PCI Security Standards Council (PCI SSC) has released new guidance for merchants using cloud-based systems for customer payment data
• “Many merchants mistakenly believe that if they outsource everything to a cloud service provider, much of the responsibility goes away for being PCI compliant – unfortunately, that’s simply not the case,” Bob Russo, general manager at the PCI Security Standards Council. “A merchant needs to ensure that a cloud services provider is PCI-compliant not just for its own piece, but for the entire spectrum, including what that provider is specifically doing for the merchant.”

Slide 27
• TFTP (Terrorist Financing Tracking System)/SWIFT (28 June 2010)
• Europol in charge of
• Audit conducted by Europol in Nov 2010, with a warning report issued in March 2011
• Too generic requests are made by the US (Dept of Treasury) but acknowledged by Europol
• So generic that it’s impossible to confirm these requests are compliant with European Data Protection Directives

Slide 28
• Nova Scotia Case – As part of a criminal prosecution in the US, the Court requested that the US subsidiary disclose documents stored in the Cayman Islands.
• Valetta Case – The Australian subsidiary of this Maltese bank was summoned by an Australian Court to disclose documents stored in Malta

Slide 29
Source: http://geekandpoke.typepad.com/

Slide 30
• Foreign Intelligence Surveillance Act (http://www.gpo.gov/fdsys/pkg/BILLS-110hr6304enr/pdf/BILLS-110hr6304enr.pdf)
• Patriot Act (http://www.justice.gov/archive/ll/highlights.htm)
• European Data Protection Directive (http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=FR&numdoc=31995L0046)
• Safe Harbor (https://safeharbor.export.gov/list.aspx)
• European Parliament – “Fighting Cyber crime and protecting privacy in the cloud” (http://www.europarl.europa.eu/committees/en/studiesdownload.html?languageDocument=EN&file=79050)
• CSA (Cloud Security Alliance) – “Privacy Level Agreement – PLA” (http://)
• Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act (http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2181534)