Exposing organizational processes via APIs and providing services over the Internet increases productivity, gives a better user experience and allows collaboration between organizations. Most organizations are now moving to cloud-based solutions rather than managing the infrastructure themselves, which lets them focus on their core business objectives and reduce maintenance costs. By default, cloud services are secure and allow redundancy. The service providers have skilled workers and proper processes to take care of every part of the services they offer, including security and data protection. But this doesn’t mean the organization inherits proper privacy when on the cloud. This session focuses on privacy issues that an organization may face when moving to the cloud and how it can manage those risks.
1. How Privacy in the Cloud Affects Organizations
Thilina Piyasundara
Systems Engineer
WSO2 Cloud Team
2. Agenda
Why Are Organizations Moving to the Cloud?
Risks/Challenges in Cloud
Top Privacy Challenges in Cloud
Legal Obligations
How to Protect Privacy in Cloud?
3. Cloud Services for Organizations
Image source: https://blog.cloudsecurityalliance.org/wp-content/uploads/2014/07/top-20-enterprise-blog.jpeg
4. Why Are Organizations Moving to the Cloud?
● Maintaining Focus on the Business
● Business Agility
● Reduced Capital Expenditures
● Scale
● Access from Anywhere
● Staffing Efficiency
● Security and Disaster Recovery
● API Driven Architectures and Collaboration Between Organizations
11. Legal Obligations
A business that stores information in the cloud must be able to control access to and use of the information as well as protect the legal rights of the individuals whose information has been sent to the cloud.
Laws prohibit some data from being used for secondary reasons other than the purpose for which it was originally collected.
13. Privacy Principles
● Storage and security of personal information
● Access to personal information
● Correctness of personal information
● Limits on use of personal information
● Limits on disclosure of personal information
16. Securing data at creation
● How do you collect or generate information?
○ Open forms
○ Insecure websites
○ Publicly available data
○ Trust factors
● Solutions
○ Secure web applications with authorization, like Google Forms
17. Securing data at rest
● How do you protect data at rest (storage)?
○ Who can access data?
○ How do you store data (raw files/binary/databases)?
○ What encryption algorithms are used to encrypt data?
● Solutions
○ Manage user access to storage
○ Support multiple data centers in different geographical locations
○ Support full disk encryption and database encryption
○ Highly available data volumes for instances and object storage for files/objects
18. Securing data while processing
● Where do you process data?
○ Is the data processed in a shared environment?
● Solutions
19. Securing data during transmission
● How do you move data from one location to another?
○ Can someone intercept and get your data?
○ Can someone alter your data streams?
● Solutions
○ Use IPsec VPNs
○ Use TLS for web traffic
○ Use DNSSEC for DNS
20. Securing data archives
● How do you keep backups?
○ Backup frequency
○ Data retention
○ Backup storage security
○ Access to backup data
○ Validate integrity
● Solutions
○ Encrypt before storing
○ Manage user access to archives and encryption keys
○ Replication over geographical locations
21. Destroy data securely
● How do you delete data?
○ Data retention
○ Can we make it public?
○ Can we forget about backups?
○ What about data storage hardware?
● Solutions
○ Write arbitrary data to data blocks
○ Cloud providers use standard ways to destroy data
22. Policies and Compliance
● Policies
○ Have a proper security policy
○ Manage proper data classification
○ Properly manage access to data in all stages
○ Align processes with international standards
● Compliance
○ EU data protection act
○ Health Insurance Portability and Accountability Act (HIPAA)
○ Children's Online Privacy Protection Act (COPPA)
○ Electronic Communications Privacy Act (ECPA)
○ Fair Credit Reporting Act (FCRA)
○ Fair and Accurate Credit Transactions Act (FACTA)
○ Gramm-Leach-Bliley Act and the related privacy rules
24. The Debate on Personal Privacy and National Security