Your SlideShare is downloading. ×
0
“Technological advances, combined with the ubiquity of
the Internet, have spawned a near-infinite range of
potentially gra...
Can we still trust the „cloud‟?
What are the local laws that govern data being
collected, transferred and stored?
BIGGEST INHIBITOR TO THE
ADOPTION OF CLOUD COMPUTING

Data Security
SENSITIVE DATA IN THE CLOUD
More data, more storage
Personally identifiable information examples
• Credit card information...
CLOUD SECURITY - STAKEHOLDERS
Data
collector/owner

Cloud service
providers

•Outsourcing:
How to select
a cloud vendor?
•...
ISSUES ON CLOUD SECURITY

Security

Residency

Privacy

Is the data
protected from
theft, leakage,
spying or attacks?

Whe...
Info on 3rd
party service
and distributed
infrastructure
Deliver
resiliency,
availability and
flexibility of
cloud service...
COMPLIANCE REQUIREMENTS
• Some countries have laws restricting storage of data
outside their physical country borders: Ind...
HONG KONG
• Section 33(2)(f) of Personal Data (Privacy) Ordinance,
• Forming standards through HK/Guangdong Expert
Committ...
INTERCEPTION OF COMMUNICATIONS:
REGULATIONS IN HK
• Article 30 of the Basic Law: freedom and privacy of
communication of H...
TWO ISSUES TO THINK ABOUT
- Data residency: Transfer of personal information or
moving data storage device outside of loca...
KEY QUESTIONS TO ASK
• What do we need? What is our goal?
• Where are the risks?
• What are the systems, processes, polici...
CRITICAL AREAS
Governance

Operation

Governance and Enterprise Risk
Management

Traditional Security, Business
Continuity...
PLANNING AHEAD:
STRATEGIC APPROACH
• Service models: SaaS, PaaS, IaaS?
• Multiple layers:
Physical security (facilities)
...
IDENTIFY, LOCATE AND DEFINE THE RISKS
Identification and valuation of assets
Identification and analysis of threats
and vu...
CONSISTENCY BETWEEN
YOU AND YOUR PROVIDER
• Alignment of impact analysis criteria and definition
of likelihood
• Specify a...
OPERATION: KEY AREAS
• Disaster Recovery and Business Continuity
• Breach notification and data residency
• Data managemen...
Charles Mok
Legislative Councillor (Information Technology)
charles@charlesmok.hk
www.charlesmok.hk
Facebook: Charles Mok ...
The Impact of Cloud: Cloud Computing Security and Privacy
The Impact of Cloud: Cloud Computing Security and Privacy
Upcoming SlideShare
Loading in...5
×

The Impact of Cloud: Cloud Computing Security and Privacy

606

Published on

Presentation to HKQAA: The Impact of Cloud: Cloud Computing Security and Privacy (2013.10.29)

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
606
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
55
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "The Impact of Cloud: Cloud Computing Security and Privacy"

  1. 1. “Technological advances, combined with the ubiquity of the Internet, have spawned a near-infinite range of potentially grave security threats to governments, commercial entities and individuals.” Paul Rosenzweig
  2. 2. Can we still trust the „cloud‟? What are the local laws that govern data being collected, transferred and stored?
  3. 3. BIGGEST INHIBITOR TO THE ADOPTION OF CLOUD COMPUTING Data Security
  4. 4. SENSITIVE DATA IN THE CLOUD More data, more storage Personally identifiable information examples • Credit card information • Medical records • Tax records • Customer account records • Human resources information • Banking and insurance records • Browsing history, emails and other communication
  5. 5. CLOUD SECURITY - STAKEHOLDERS Data collector/owner Cloud service providers •Outsourcing: How to select a cloud vendor? •How to maintain direct control to safeguard data integrity? •How to satisfy data residency and privacy requirements •How to remain flexible and provide costeffective service? Regulator •Formulation of relevant standards and practices •How to ensure adoption and compliance? •Would sensitive data end up overseas? Customers/endusers •Are my data safe in the cloud? •Would I know if there is security or privacy breach?
  6. 6. ISSUES ON CLOUD SECURITY Security Residency Privacy Is the data protected from theft, leakage, spying or attacks? Where is the data stored? geographically disbursed? Who can see personally identifiable information (PII)? What is the level of control and protection? What to do with data in transit & outside territory? Storing, transferring, locating and protecting PII
  7. 7. Info on 3rd party service and distributed infrastructure Deliver resiliency, availability and flexibility of cloud services Maintaining ownership and control of data Challenges of cloud and security
  8. 8. COMPLIANCE REQUIREMENTS • Some countries have laws restricting storage of data outside their physical country borders: India, Switzerland, Germany, Australia, South Africa and Canada • EU: Data Protection Directive; Safe Harbor Principles – no sending PII outside European Economic area unless protections guaranteed • USA: US Patriot Act, 40+ states have breach notification laws (25 states have exemption for encrypted personal data) • Canada: Freedom of Information and Protection of Privacy Act
  9. 9. HONG KONG • Section 33(2)(f) of Personal Data (Privacy) Ordinance, • Forming standards through HK/Guangdong Expert Committee on Cloud Computing Services and Standards • Guidelines and information via infocloud.gov.hk
  10. 10. INTERCEPTION OF COMMUNICATIONS: REGULATIONS IN HK • Article 30 of the Basic Law: freedom and privacy of communication of Hong Kong residents shall be protected by law • Law enforcement agencies: Interception of Communications and Surveillance Ordinance (Cap 589) • Non-public officers and non-governmental bodies: Telecommunications Ordinance (s24, s27, s29), Personal Data (Privacy) Ordinance, s161 of Crimes Ordinance
  11. 11. TWO ISSUES TO THINK ABOUT - Data residency: Transfer of personal information or moving data storage device outside of local jurisdiction - Data encryption: Data should be encrypted before being sent to the cloud, and that data owner retains the encryption keys
  12. 12. KEY QUESTIONS TO ASK • What do we need? What is our goal? • Where are the risks? • What are the systems, processes, policies and practices we need to mitigate risks? • How to protect our data assets and keep cloud platform secure? • How to ensure transparency and compliance? • How to evaluate potential cloud service providers?
  13. 13. CRITICAL AREAS Governance Operation Governance and Enterprise Risk Management Traditional Security, Business Continuity and Disaster Recovery Legal and Electronic Discovery Data Center Operations Compliance and Audit Incident Response, Notification and Remediation Information Lifecycle Management Application Security Portability and Interoperability Encryption and Key Management Identity and Access Management Virtualization
  14. 14. PLANNING AHEAD: STRATEGIC APPROACH • Service models: SaaS, PaaS, IaaS? • Multiple layers: Physical security (facilities) Network security (infrastructure) System security (IT systems) Application and data security
  15. 15. IDENTIFY, LOCATE AND DEFINE THE RISKS Identification and valuation of assets Identification and analysis of threats and vulnerabilities Risk and incident scenarios Analysis of the likelihoods of scenarios, risk acceptance levels and criteria risk treatment plans with multiple options (control, avoid, transfer, accept)
  16. 16. CONSISTENCY BETWEEN YOU AND YOUR PROVIDER • Alignment of impact analysis criteria and definition of likelihood • Specify assessment and risk management requirement e.g. vulnerability assessment, audit logs, activity monitoring • Detailed in Service Level Agreements, contract requirements, and provider documentation
  17. 17. OPERATION: KEY AREAS • Disaster Recovery and Business Continuity • Breach notification and data residency • Data management at rest • Data protection in motion • Encryption key management • Identification and Access controls • Long-term resiliency of the encryption system
  18. 18. Charles Mok Legislative Councillor (Information Technology) charles@charlesmok.hk www.charlesmok.hk Facebook: Charles Mok B Twitter: @charlesmok
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×