© 2000-2014 Ward Solutions, Ltd. All rights reserved. Confidential and Proprietary.
Disclaimer: This presentation does not represent legal advice or purport to be a legal interpretation of legislation, regulation or standard rules. Whilst every effort is made to ensure the information is accurate, responsibility cannot be accepted for any liability incurred or loss suffered as a consequence of relying on any material published herein. Appropriate professional advice should be taken before acting or refraining from acting on the basis of this presentation.
What is Cloud Computing
• Depends on who you ask
• Lots of terminology
Drivers, Benefits and Risks
Cloud Computing - Benefits
• Flexibility
• Access to Applications
• Availability
• Cost Reductions
Cloud Computing - Risks
Cloud Computing Top 9 Threats
1) Data Breaches
2) Data Loss
3) Account Hijacking
4) Insecure APIs
5) Denial of Service
6) Malicious Insiders
7) Abuse of Cloud Services
8) Insufficient Due Diligence
9) Shared Technology Issues
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Legal Considerations - Cloud
• Copyright and Related Rights Acts 2000, 2004 and 2007;
• Data Protection Acts 1988 and 2003;
• Freedom of Information Act 1997 and 2003;
• The Child Trafficking and Pornography Acts 1998 and 2004;
• Defamation Act 2009;
• Prohibition of Incitement to Hatred Act
Focus on Data Protection in the Cloud
• Security of Personal Data
• Location of Personal Data
What is Personal Data
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”
(Data Protection Directive 95/46/EC, Article 2)
“…data relating to a living individual who is or can be identified either from the data, or from the data in conjunction with other information that is, or is likely to come into the possession of the data controller…”
(Data Protection (Amendment) Act 2003)
Responsibilities: Data Controllers and Data Processors
The Data Controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”.
The Data Controller remains responsible if data is outsourced to a Data Processor (“a person … who processes personal data on behalf of a data controller”).
Responsibilities - 8 Rules
1. Fairly Obtained
2. Specified and Lawful purpose
3. Not Incompatible with purpose
4. Safe and Secure
5. Accurate and up to date
6. Adequate, relevant and not excessive
7. Retention only for as long as necessary
8. Copy to individual on request.
Security Obligations - Rule 4: Safe and Secure
“…appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
“Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.”
(Article 17, Directive 95/46/EC)
Obligation of the Data Controller.
Security Obligations: Working with Cloud Providers
“… the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.”
“The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
• the processor shall act only on instructions from the controller;
• the obligations set out in paragraph 1 (Article 17, Directive 95/46/EC), as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.”
(Article 17, Directive 95/46/EC)
Obligation of the Data Controller.
Location of Personal Data
• EU/EEA
• Approved Countries
• USA - Safe Harbor
• Model Contracts
• Binding Corporate Rules
• Clear and unambiguous consent of the individual data subject(s)
What you Need to Do
• Establish the criteria you expect CSPs to meet
• Security / Control / Privacy as well as functional
• Procure in accordance with those criteria
• Due Diligence: satisfy security / privacy / compliance requirements
• Written contract: SLA and PLA (Privacy Level Agreement)
• ‘Click Wrap’ Contracts
Privacy Level Agreement (PLA)
A PLA describes the level of privacy and data protection that a CSP undertakes to maintain with respect to the relevant data processing.
Privacy Level Agreement (PLA)
1. Identity of the CSP
2. Data prohibited to be sent/processed
3. Ways data will be processed
4. Data Transfer
5. Data Security Measures
6. Monitoring
7. Audit
8. Breach Notification
9. Data Portability
10. Data Retention / Deletion
11. Accountability
12. Cooperation
13. Law Enforcement Access
14. Remedies
15. Dispute Resolution
16. Cyber Insurance Policy
Guidance
• Cloud Security Alliance (CSA)
  • Security Guidelines for Critical Areas of Focus in Cloud Computing V3.0
  • Cloud Controls Matrix (CCM)
  • Privacy Level Agreement
• European Network and Information Security Agency (ENISA)
  • Cloud computing: benefits, risks and recommendations for information security
• Data Protection Commissioner
  • http://www.dataprotection.ie/
• NSAI
  • Adopting the Cloud - decision support for cloud computing
Just when you thought it was safe to get back in the water
In 2009 Google was awarded a U.S. patent for its floating data centres that are powered by waves and cooled by sea water.
IRISSCON 2014 Privacy Cloud Computing