Presentation on the ISACA Astana Chapter webinar 27-Apr-2023

1. State regulation
of information
protection in the
cloud: international
and Kazakhstani
experience
Vsevolod Shabad
+7 777 726 4790
vshabad@vshabad.com

2. Briefly about me: the international octopus
IT Cybersecurity
Cloud
Technologies
Risk
Management
Compliance
Data Science
& ML
Project
Management
Culture
Changes
Fraud
Prevention
🇷🇺 🇰🇿
🇷🇸 🇧🇬
🇸🇬
🇹🇷

3. Introduce YOURSELF and share YOUR expectations!

4. Due Care is the bridge between “paper”
and “real” cybersecurity shores
• Incident Management*
• Detection
• Response
• Mitigation
• Reporting
• Recovery
• Remediation
• Lessons learned
• Vulnerability Management
• …
* These phase names got from the CISSP CBK Reference (6th Edition)
You are guilty by default!
(unless you show the documents
and real security measures)

5. All things should be balanced
Three sorts of cloud regulations
• Personal data
• Critical infrastructure
• Specific industry regulations (banks, …)
Three sides of regulations
• Company
• Government
• Customers
Formal compliance with law
The real concerns of regulators
*
*
Kazakhstan also required the host the resources in .KZ and .ҚAZ domain zones on the territory of Kazakhstan

6. Why the personal data protection matters here?
• Privacy is one of the fundamental human rights
• Article 8 of the European Convention on Human Rights (47 countries)
• Article 18 of the Constitution of the Republic of Kazakhstan
• Fines for personal data protection rules violations can be very severe
(hundreds of millions of euros)
• It is relatively easy to prove violations of personal data protection rules
• Even if the cloud provider is guilty of violations, the company still have
primary responsibility for them

7. Key terms of GDPR
• ‘Controller’ means the natural or legal person, public authority, agency
or other body which, alone or jointly with others, determines the purposes
and means of the processing of personal data; where the purposes and
means of such processing are determined by Union or Member State law,
the controller or the specific criteria for its nomination may be provided
for by Union or Member State law
• ‘Processor’ means a natural or legal person, public authority, agency
or other body which processes personal data on behalf of the controller
This means that, in the vast majority of cases, the company itself as a Data Controller
is accountable for personal data protection violations unless it proves that the cloud provider
committed violations by going beyond the company instructions (i. e. by turning from a Data
Processor to a Data Controller role)

8. Why does critical infrastructure matter here?*
• In some cases, national laws on the protection of critical infrastructure
may apply to web applications
• EU directive 2022/2555 (NIS2) scope includes the following companies
(Paragraph 6 of Annex II “Other Critical Sectors):
• Providers of online marketplaces
• Providers of online search engines
• Providers of social networking services platforms
Small or medium-sized enterprises are mostly out of the scope of the NIS2 directive
* In Kazakhstan, the government defines a specific list of critical entities; in Europe – only the sectors
of the economy

9. What are regulators concerned about?
• Violation of the rights and freedoms of citizens as a "weak side"
in relation to companies (service providers)
• A large-scale threat to the life and health of citizens – for example,
if an adversary attacks the city's water purification system
• A threat to the entire industry – for example, a general banking panic
with a large-scale cyber incident in a leading bank, if the information
gets publicised in the press
State protection of citizens' rights and freedoms is key to gaining public trust and, consequently,
fostering economic development! To ensure productive discussions with regulators, it's crucial
to debate not only various prohibitions but also the impact of these restrictions on the industry
and the country's overall economy!

10. What are regulators concerned about?
Typical examples of situations when a regulator should intervene:
• Unlawful disclosure of personal data
• Unlawful collection of personal data
• Unlawful cross-border transfer of personal data
• Inaccessibility of critical information infrastructure
• Unlawful disclosure of banking secrecy
• …
The regulator intervenes not only when an incident occurs, or a complaint is received!
The regulator closely monitors and may initiate an investigation by its own initiative
if the company is a dominant market participant or if the regulator considers its activities
to be excessively risky

11. Personal data
(Luxembourg, EU)
• Legislation – GDPR (2016)
• (Non-obvious) Scope of application
– any company monitoring
subjects’ behaviour within the EU
territory (Anti-DDoS? Cookie?)
• Legal fines – from €10M / 2%
worldwide annual turnover
up to €20M / 4% worldwide
annual turnover
• Maximum actual fine – Amazon,
2021 (€746M)
Ex-CEO @ Amazon
Jeff Bezos

12. Personal data (UK)
• Legislation – UK Data Protection Act
(1998), the predecessor of GDPR
• Case: large-scale data leak at the US
credit bureau Equifax (2017)
• The number of affected personal
data subjects is 146 million,
including 15.7 million Britons
• A fine of £ 500’000 in the UK
(in addition to the $575M in the US)
• The CEO was resigned
Ex-CEO @ Equifax
Richard Smith

13. Personal data
(Singapore)
• Legislation – Personal Data
Protection Act 2012
• (Non-obvious) Scope of application -
any company monitoring subjects’
behaviour within the Singapore
territory (Anti-DDoS? Cookie?)
• Legal fines – up to 10%
of Singapore’s annual turnover
• Possibility of up to 3 years in prison
for individuals
• Maximum actual fine – 250K SGD
($188K) for the SingHealth and 750K
SGD ($564K) for the IHiS
CEO @ IHiS
Bruce Liang

14. Personal data
(Kazakhstan)
• Legislation – Kazakhstan Law № 94-V
"On Personal Data and Their Protection”
• Scope of application – the territory
of Kazakhstan
• Legal fines – up to 1000x minimal salary
(about $7600)
• Maximum actual fine – 100x minimal salary,
and 500x minimal salary in case
of non-compliance after the law order
to eliminate violations

15. Critical infrastructure and industry regulations
• Germany (EU) – the German Federal Network Agency (Bundesnetzagentur)
imposed a €10M fine in 2018 on energy company Energieversorgung Offenbach
(EVO) for insufficient cybersecurity measures
• USA – The Federal Energy Regulatory Commission (FERC) imposed a $10M fine
on Duke Energy in 2018 for insufficient cybersecurity measures
• Kazakhstan (the maximum actual fine is 100x minimal salary):
• for 2022 – 48 officials were held liable for the amount of 1’172’475 KZT
and 17 legal entities for the amount of 3’492’535 KZT
• for 1Q 2023 – 74 officials were held liable for the amount of 2’026’875 KZT
and 8 legal entities for the amount of 672’750 KZT

16. Who can cause
the most damage
in the case
of cybersecurity
negligence?
Government!

17. Five key obligations of the company
• Process customer information in accordance
with the stated purposes
• Respond to legitimate customer requests
(for example, providing a copy of collected PII)
• Notify the regulator and customers about incidents
on time
• Provide localisation of personal data
• Have a functioning ISMS
• sometimes regulators make very detailed requirements
+

18. What does cloud migration give?
• Ability to delegate many security
functions to a cloud provider
• Ability to quickly and cheaply
automate many security
processes
• Ability to quickly and cheaply
provide scalability & redundancy
for the online services
• Necessity to delegate many security
functions to a cloud provider
• Risk of violation of some legal
requirements (for example,
localisation of PII)
• Risk of misuse of data by a cloud
provider (especially, SaaS)

19. Some examples – ISO 27001:2022, Annex A
• 8.5 “Secure authentication technologies and procedures
shall be implemented based on information access
restrictions and the topic-specific policy on access control”
• 8.11 “Data masking shall be used in accordance
with the organization’s topic-specific policy on access
control and other related topic-specific policies,
and business requirements, taking applicable legislation
into consideration”
• 8.16 “Networks, systems and applications shall be
monitored for anomalous behaviour and appropriate
actions taken to evaluate potential information security
incidents”

20. Another example – PCI DSS compliance checking

21. The infrastructure is separated,
but the cybersecurity processes are end-to-end!
Through 2025,
99% of cloud security failures
will be the customer’s fault
(https://www.gartner.com/smarterwithgartner/is-the-cloud-secure)
AWS Shared Responsibility Model
For instance:
Incident Management is an end-to-end
process, and the orchestration
of components and tools (AWS GuardDuty,
SNS, Lambda Functions, ...) is always
the company's responsibility!

22. What can we do?
Choose the cloud provider wisely
•Pay attention to the SOC2 or ISO 27017 certification of the cloud provider
Build and certify end-to-end ISMS
•Build a reasonable threat model and ISMS on this basement
Ensure formal compliance of the ISMS with the legal requirements
•Remember – there are many regulators, and often their requirements are challenging to conform same time
Informally reconcile the threat model and ISMS with regulators
•The key is to listen to concerns and answer them convincingly
Test the end-to-end processes of the ISMS
•The test results, including unsuccessful ones, are convincing evidence of the effectiveness of the ISMS for both regulators and customers
Stage migrate applications and data to the cloud

23. Example
• The Kazakhstani bank plans to host some
applications in a foreign well-known public cloud
• Inventory of applicable legislations and regulators
• Shortlisting suitable cloud providers
• Development of a threat model (STRIDE) and planning
of security controls (Preventive, Detective, Reactive)
with the involvement of cloud provider architects
• Approving the threat model and security controls
with your lawyers and regulators
• Implementing security controls and staged migration
of applications and data to the cloud
?

24. Example: what should we concern about?
• Cross-border transfer of personal data
(Legislation – Article 16 of Kazakhstan Law № 94-V
"On Personal Data and Their Protection”, GDPR Chapter V):
• The explicit client consent (with the opportunity for withdrawal
at any time)
• The possibility of restricting access to client’s data
(when consent is withdrawn) in case the data cannot be deleted
• The presence of the country where the data centre of the selected
cloud provider region is located in the list of approved countries
(European Commission Adequacy Decision -
https://commission.europa.eu/law/law-topic/data-
protection/international-dimension-data-protection/adequacy-
decisions_en)
• The explicit explanation of why the selected country
ensures the proper protection of personal data
(Article 16.22 of Kazakhstan Law № 94-V)
• Local storage of personal data
(Article 12 of Kazakhstan Law № 94-V)
1

25. Example: what should we concern about?
• The necessity to encrypt data in the cloud with
a key on the bank's side (National Bank Rules # 48,
Article 60.2)
• Use only cloud services that support KMS
(such as AWS DynamoDB or Azure SQL)
• Use KMS with keys generated in On-Premise HSM
(for example, Azure Key Vault Managed HSM
and AWS KMS custom key store allows this)
2

26. Brief Summary:
success factors
for migration
to the public cloud
• An apparent reason why to do it
(mission, values, risks)
• Understanding applicable legislations
• Risk-driven ISMS with end-to-end processes
• Respectful, risk-based conversations
with regulators
• The competent team supported
by management

27. I'll be happy to help
in any way I can!
+7 777 726 4790
vshabad@vshabad.com
https://linkedin.com/in/vshabad