2. Outline
1. Cloud Contracting
2. Cloud Security
3. Government Access to Data in the Cloud
4. EU Safe Harbor and Transfers of Personal Data from Europe
8. Contracting
• Service Levels
– Availability, scheduled maintenance, emergency maintenance
– Performance, response time, latency
• Security
– Certification
– Encryption in transit, at rest, in backups
10. Security in Practice
• Major cloud providers implement reasonable or appropriate measures.
• You are responsible for your configuration.
• You get Service Levels, but no other warranties.
• Liability is limited, typically to 12 months' fees.
13. Security in Practice - AWS
• 3.1 AWS Security. Without limiting Section 10 or your obligations under Section 4.2, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.
14. Security in Practice - AWS
• 4.2 Other Security and Backup. You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content.
15. Security in Practice - AWS
THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE AND OUR AFFILIATES AND LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD PARTY CONTENT, INCLUDING ANY WARRANTY THAT THE SERVICE OFFERINGS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND LICENSORS DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE.
16. Security in Practice - Azure
We maintain appropriate technical and organizational measures, internal controls, and data security routines intended to protect Customer Data against accidental loss or change, unauthorized disclosure or access, or unlawful destruction. Current information about our security practices can be found within the Trust Center. You are wholly responsible for configuring your Customer Solution to ensure adequate security, protection, and backup of Customer Data.
17. Security in Practice - Azure
We will comply with all laws applicable to our provision of the Services, including applicable security breach notification laws, but not including any laws applicable to you or your industry that are not generally applicable to information technology services providers. You will comply with all laws applicable to your Customer Solution, Customer Data, and your use of the Services, including any laws applicable to you or your industry.
18. Security in Practice - Azure
Limited warranty. We warrant that the Services will meet the terms of the SLAs during the Term. Your only remedies for breach of this warranty are those in the SLAs.
19. Security in Practice - Azure
DISCLAIMER. Other than this warranty, we provide no warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability or fitness for a particular purpose. These disclaimers will apply except to the extent applicable law does not permit them.
20. Privacy in the Cloud - AWS
You may specify the AWS regions in which Your Content will be stored and accessible by End Users. We will not move Your Content from your selected AWS regions without notifying you, unless required to comply with the law or requests of governmental entities. You consent to our collection, use and disclosure of information associated with the Service Offerings in accordance with our Privacy Policy...
22. Government Access to Data
• Cybersecurity Information Sharing Act
• Allows sharing of cybersecurity threat data with the DHS
• Passed in Senate and House, in reaction to Sony, Anthem, and OPM breaches
• Broad sharing of personal information with the government with few privacy protections in place
24. Possible Alternatives
• Standard Contractual Clauses (Model Clauses)
• Binding Corporate Rules
• Derogations in Law
– Necessary for performance of contract
– Unambiguous, informed, freely given, specific consent
• January 31, 2016 deadline by European privacy regulators
25. General Data Protection Regulation
• EU member states in final stages of negotiations
• Expected in the next year or so
• Includes data breach notification obligation
• Fines as high as 2% of annual turnover