TM
© IT Governance Ltd 2016
Copyright IT Governance Ltd 2016 – v1.0
Privacy and the GDPR: How Cloud computing could be your failing
Adrian Ross
GRC Consultant
IT Governance Ltd
Nigel Hawthorn
EMEA Marketing Director
Skyhigh Networks
Introduction
• Adrian Ross
– GRC consultant
– Intellectual property
– Data protection and information security
• Nigel Hawthorn
– Author of GDPR: An Action Guide for IT
– Speaker on data protection, privacy and security
– Chief European spokesperson for Skyhigh Networks
IT Governance Ltd: GRC one-stop shop
All verticals, all sectors, all organisational sizes
About Skyhigh
• Provides visibility, control and security of Cloud computing
• For shadow Cloud and approved Cloud services
• Enables faster assessment of Cloud services (50+ attributes)
• Adds full logging for data loss investigation
• Alerts on anomalies when accessing Cloud services
• Helps set policies for Cloud access
• For SaaS, IaaS and PaaS
• Adds DLP, threat protection, access control and encryption
• Enabling Cloud security for enterprises
Agenda
• An overview of the General Data Protection Regulation (GDPR).
• Breach notification requirements under the GDPR and a showcase of recent data breaches and their costs.
• Organisations’ responsibilities when storing data in the Cloud, and the roles of controller and processor.
• The outcome of subcontracting on Cloud service providers and notifications on activities in the Cloud.
• The role and responsibilities of the Cloud adoption team.
• ISO 27018 and implementing security controls for PII in the Cloud.
An overview of the General Data Protection Regulation (GDPR)
A defining moment for digital rights in Europe and beyond
º Point of reference is Article 8 of the Charter of Fundamental Rights.
º The result of negotiations between the European Parliament, Council and Commission.
º A harmonising regulation.
º Intended to be one of the longest laws on the Union’s statute book.
º Applies to organisations inside or outside the EU that process personal data.
º Introduces legal obligations on controllers and processors.
º Fines of up to 2% or 4% of total annual worldwide turnover.
º Immediately applicable in each Member State.
º Applies from 25 May 2018.
The GDPR: Top ten aspects of the Regulation
• Increased fines - 4% of global turnover or €20,000,000.
• Opt-in consent - Clear, no opt-out, use data only as agreed.
• Breach notification - 72 hours to regulators, users “without delay”.
• Territorial scope - All organisations with data on EU individuals.
• Joint liability - Data controllers and processors.
• Right to removal - The users are in charge.
• Removes ambiguity - 28 laws become one.
• Data transfer - Data keeps privacy rights as it moves globally.
• Common enforcement - Authorities will be strict.
• Collective redress - Class action lawsuits from individuals.
Data breach notification
• How do you know you have had a breach?
– Traffic anomalies, search for lost credentials on dark web, user input?
• How will you check the scope of the incident?
• Can you stop a breach in progress?
• You have 72 hours to tell the regulator after becoming aware of the breach.
• You must inform the data subjects “without undue delay”.
• This is when speculation can run riot – be precise.
• Define various communication plans, depending on circumstances.
• You do not need to tell the data subjects if the traffic has been encrypted.
Expect a data breach – define the organisation’s plan
Data loss receipt - TalkTalk
Assume the worst
• First tweet – 11:13pm Saturday night – 5th November 2016
Trust boundaries in the Cloud
• Scope extends to the trust boundary
– On both sides!
– Adapted from Cloud Computing www.itgovernance.co.uk/shop/p-465-cloud-computing-assessing-the-risks.aspx – Figure 2
• What happens beyond the trust boundary?
The responsibility of the controller when storing data in the Cloud
• Implement appropriate technical and organisational measures;
• Implement appropriate data protection policies;
• Adhere to approved codes of conduct or certification mechanisms;
• Controller still needs legitimising reason for transfer;
• Data protection principles still apply;
• Use of model clause meets the above criteria;
• Legal obligation is on the controller to ensure compliance with law;
• Legal obligation is on the controller to inform data subject of transfer.
The responsibility of the processor when storing data in the Cloud
A legal contract must ensure that the processor:
• processes the personal data only on documented instructions from the controller;
• ensures that persons authorised to process the personal data observe confidentiality;
• takes appropriate security measures;
• respects the conditions for engaging another processor;
• assists the controller by applying appropriate technical and organisational measures;
• assists the controller in ensuring compliance with the obligations to security of processing;
• deletes or returns all the personal data to the controller after the end of the provision of services;
• makes available to the controller all information necessary to demonstrate compliance with the Regulation.
This will lead to
• Clearer delineation of lines of responsibility for data.
• A focus on how the Cloud infrastructure is protected.
• An increased focus on how customer data is protected.
• A bigger focus by Cloud providers on what data is stored on infrastructure.
• Increased costs of compliance for Cloud providers.
• How does a Cloud provider comply with ‘the right to be forgotten’?
• Increased use of metadata about individuals to identify what data is stored where.
• The EU GDPR can now be viewed as global data protection law.
• ISO 27001 and ISO 27018 now brought more into focus.
Dealing with the complexity of Cloud and subcontracting
How Many Unsanctioned Apps & Cloud Services Are We Using?
• Per company, unique services
Security controls vary by provider
Authentication and logging
Cloud adoption team: Responsibilities
• Review current data sets and services
– Don’t forget employee data
• Set minimum standards for Clouds and app services
• Implement contracts with approved services
• Define approved Cloud services
– Migrate users to approved services
• Implement policies to block/allow/warn users of risks
• Implement monitoring, DLP, anomaly checking
• Integrate with LDAP, AD, SSO services
• Publish approved Cloud services list
• Review requests for new Cloud services
First two steps: Gain visibility and identify solutions
• Gain visibility into today’s use
– Declare amnesty – ask for input
– Review data traffic
• Identify the high-need services
– Evaluate the business benefits from different solutions
– Define minimum security attributes
– Declare the standard app/service
– Encourage use and enforce controls
– Provide time to migrate
– Block/redirect to approved services
• Build a cross-functional team
Cloud adoption goal
• Start publishing a list of acceptable services/apps
– Explain why these were chosen
• Clearly communicate data categorisation if you have it
– Use a real-life example to explain why
• Review AUP; see if it can be more flexible
– “if no confidential information…”
• Go from the department of ‘no’ to the department of ‘know’
• Add controls to secure Cloud as you would on premises
– SSO, encryption, logging, anomaly investigation, sharing policies, etc.
IT Governance: GDPR self-help
• One-day accredited Foundation course (classroom, online, distance learning)
– www.itgovernance.co.uk/shop/product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning)
– www.itgovernance.co.uk/shop/product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• Pocket guide
– www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual
– http://www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit
– www.itgovernance.co.uk/shop/product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
Other useful sources of information
Cloud Acceptable Use Policy
Below is a template our customers may use for their users to request access to cloud services. If you have any suggestions on how to improve the document, please send them to (is there a CS team email alias?)

This policy is the cloud computing acceptable use policy, provided as part of the terms of employment and in addition to the Internet Acceptable Use Policy.
Latest version of this policy can be found online at: https://intranet.company.com/cloud-policy.html
Approved cloud services are listed online at: https://intranet.company.com/approved-cloud.html
The cloud management team can be contacted on cloudteam@company.com

Cloud computing offers a number of advantages including low costs, high performance and efficient delivery of services. However, without adequate controls, it also exposes individuals to online threats such as data loss or theft, unauthorized access to corporate networks, loss of name/password credentials and viruses and other malware.

The company allows employees to access safe, secure cloud services with approval from the cloud management team in certain circumstances.

This cloud computing policy is designed to safeguard the employee and the company’s information. It is imperative that employees NOT open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-related communications or company-owned data without approval of the cloud management team. This is necessary to protect the integrity and confidentiality of company data and the security of the corporate network.

The following guidelines are intended to establish a process whereby employees can use cloud services without jeopardizing company data and computing resources.

Scope
This policy applies to all employees in all departments with no exceptions.
This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded.
If you are not sure whether a service is cloud-based or not, please contact the cloud management team.

Cloud Computing Management Team
Organizations should be able to embrace cloud services without risk, to comply with regulatory policies and local data protection laws, identify compromised accounts and devices and insider threats.
The decision-making on acceptable cloud services is multi-faceted and so it is recommended that customers create a Cloud Computing Management Team with the following responsibilities:
· Decide on approved, acceptable and denied services for the organisation
· Communicate that list for employees to check before asking for approval for new services
· Define the cloud computing acceptable use policy for the company
· Review cloud computing access, to check that employees are using cloud computing in line with the policies
· Continuous monitoring of cloud computing for changes in circumstances of cloud providers
· Continuous monitoring of cloud traffic to check for appropriate use, activity that may indicate loss of credentials, potential insider threats & employee flight risks, infected machines, over-sharing of confidential data, unsupported device downloads, & uploads to unusual or previously unknown destinations
· Make sure that the company is achieving optimal pricing and that the company is not engaging with many overlapping services
· Ensuring that other aspects of computing integrate with the cloud computing services, such as single-sign-on services
· The cloud computing service must be fully integrated with other IT functions such as networking (delivering policies to egress devices), Active Directory, data leak prevention, logging and active reporting.
· Check and approve contracts with cloud providers
· Educate employees on appropriate and inappropriate cloud use
· Regular reporting on cloud use to senior management.

The Cloud Computing Management Team should be multi-disciplined and contain representatives with these areas of knowledge.
· IT Security
· Finance
· Risk & Compliance
· Legal
· A representative of the employees
· A representative from senior management

Decision-making on cloud computing should be based on multiple sets of criteria, including

Cloud Request Form
Below is a template our customers may use for their users to request access to cloud services. If you have any suggestions on how to improve the document, please send them to (is there a CS team email alias?)

Employees are allowed to access cloud services to improve their productivity. Sadly, many cloud services can be dangerous to use as they may be conduits for data loss due to lack of security measures, poorly configured or even designed specifically to steal confidential data. They can also be a source of viruses and other malicious code, hosted in countries with no privacy regulations, break our company policies, regulations or data protection laws and therefore employees must request access before using cloud services.
The cloud management team will respond within 48 hours to give initial approval, denial or suggest other cloud services that may be equivalent.
The company’s full cloud acceptable use policy is available online at: https://intranet.company.com/cloud-policy.html
Once filled out, please send the form to: mailto:cloudteam@company.com?subject=Cloud Request

Requester
Department
Email Address
Phone number
Manager’s name
Cloud Service Requested
URL if known
Purpose for access
Number of employees requiring access
Cost, if any
End date (if temporary)
Business Partner Accessing Data (if any)
Skyhigh European Cloud Adoption & Risk Report:
http://info.skyhighnetworks.com/WPCARRQ12016EU_Download_White.html
Cloud Security Alliance 2016 Survey:
http://info.skyhighnetworks.com/WPCSASurvey2016_Download_Green.html
Skyhigh GDPR: An Action Guide for IT:
http://bit.ly/GDPR-Action-Guide
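The "Review data traffic" step on the first-two-steps slide and the AUP team's responsibility for continuous monitoring of cloud traffic both come down to the same job: build an inventory of which cloud destinations staff actually use, split it into approved, known-unsanctioned and unknown services, and flag the activity the policy names (large uploads to unknown destinations, downloads from unsupported devices). The block below is an added illustration written for this page, not code from the slides or from Skyhigh; the proxy log format, host lists, the 5 MiB threshold and the sample lines are all constructed assumptions.

```python
"""Shadow-cloud inventory and upload checks over egress proxy logs.

Added example for this page; not code from the slides or from Skyhigh.
The log format, host lists, threshold and sample lines are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample, one request per line:
# timestamp user method host bytes_out managed_device(yes|no)
SAMPLE_LOG = """\
2016-11-14T09:10:02Z alice POST drive.example-approved.com 524288 yes
2016-11-14T09:11:45Z bob GET drive.example-approved.com 2048 yes
2016-11-14T09:12:10Z carol PUT files.unsanctioned-share.io 73400320 yes
2016-11-14T09:13:30Z dave GET mail.example-approved.com 1024 no
2016-11-14T09:14:07Z erin POST 203.0.113.42 9437184 yes
2016-11-14T09:15:59Z frank GET paste.unsanctioned-share.io 4096 yes
"""

# Assumed lists: the approved-services list the AUP publishes, and services
# already catalogued as unsanctioned by the cloud management team.
APPROVED = {"drive.example-approved.com", "mail.example-approved.com"}
KNOWN_UNSANCTIONED = {"files.unsanctioned-share.io", "paste.unsanctioned-share.io"}
UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB, an assumed tuning value


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    method: str
    host: str
    bytes_out: int
    managed: bool


def parse_line(line: str) -> Event:
    """Parse one constructed proxy line; hostnames are normalised to lowercase."""
    ts, user, method, host, size, managed = line.split()
    return Event(ts, user, method.upper(), host.lower(), int(size), managed == "yes")


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def classify(host: str) -> str:
    """approved / unsanctioned / unknown, from the team's published lists."""
    if host in APPROVED:
        return "approved"
    if host in KNOWN_UNSANCTIONED:
        return "unsanctioned"
    return "unknown"


def service_inventory(events: list[Event]) -> dict[str, Counter]:
    """Request counts per destination, grouped by category."""
    inv = {"approved": Counter(), "unsanctioned": Counter(), "unknown": Counter()}
    for e in events:
        inv[classify(e.host)][e.host] += 1
    return inv


def unique_service_counts(events: list[Event]) -> dict[str, int]:
    """The 'how many services are we using?' number, per category."""
    return {cat: len(hosts) for cat, hosts in service_inventory(events).items()}


def findings(events: list[Event]) -> list[tuple[str, str, str]]:
    """(rule, user, host) for activity the AUP team asks to be watched:
    large uploads to destinations outside the approved list, and
    downloads from devices that are not managed by the company."""
    out = []
    for e in events:
        cat = classify(e.host)
        if (e.method in UPLOAD_METHODS and cat != "approved"
                and e.bytes_out >= UPLOAD_BYTES_THRESHOLD):
            out.append(("large-upload-to-" + cat, e.user, e.host))
        if e.method == "GET" and not e.managed:
            out.append(("unmanaged-device-download", e.user, e.host))
    return out


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("unique services:", unique_service_counts(evts))
    for rule, user, host in findings(evts):
        print(f"{rule}: {user} -> {host}")
```

In practice the approved and unsanctioned sets would be loaded from the list the team publishes rather than hard-coded, and an "unknown" hit is the trigger for the request-form process above: the destination is either added to one of the lists or blocked at the egress device.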
Questions?
aross@itgovernance.co.uk
0845 070 1750
www.itgovernance.co.uk