1 / 17

The effect on security of clouds distributed outside the U.S.

The effect on security of clouds distributed outside the U.S. U.S. Data protection and privacy laws. Specific and narrowly applicable legislation focus mainly on government restrictions Subject-specific legislation such as: Privacy Act 1974 Centerpiece of U.S. privacy law

phong
Download Presentation

The effect on security of clouds distributed outside the U.S.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The effect on security of clouds distributed outside the U.S.

  2. U.S. Data protection and privacy laws • Specific and narrowly applicable legislation focus mainly on government restrictions • Subject-specific legislation such as: • Privacy Act 1974 • Centerpiece of U.S. privacy law • Specifically address problems posed by electronic technologies • Freedom of Information Act • Protect personal information in federal databases • Computer Matching and Privacy Act • Computer Security Act 1987 (Personal information in federal systems) • National Education Statistics Act of 1994 • U.S. law prohibits the voluntary disclosure of any type of cloud customer data to the government without formal legal request, unless by exception • U.S. Policies are more focused on regulation of data collected by the federal government • Personal information has very limited protection outside of NESA, HIPAA, etc

  3. Foreign Data protection and privacy laws • Government and private business oriented, protective of employee and consumer personal data • Important for multinational headquarter companies • Many of theses laws restrict data transmissions abroad to regulate noncompliance • European “data subjects” have a private right of action for data law violations • Every European country has a dedicated agency to enforce such data laws

  4. European Union Data privacy directive • From 1995 to 1998, 27 union member states required to adopt their own local law following the directive • Protect the individual with regard to the processing of personal data and the free movement of such data • Covers • Processing (including collection and storage) data about personally identifiable individuals • Electronic data, written, internet, and oral communication • Prohibition of personal data transmittal to any country without a level of adequate data protection

  5. European Union Data privacy directiveRules • No collecting or processing of personal data unless done “fairly and lawfully”. Therefore, must: • Be fair • Have a specific purpose • Be restricted to the purpose for collection • Be accurate, kept up-to-date • Be destroyed when no longer necessary • Be protected against destruction, loss, alteration, unauthorized disclosure/access • Decisions cannot be made from automated processing

  6. European Union Data privacy directiveViolation examples • Magazine company sells it’s subscription list to direct-mailers (fairness) • Bank combs its customer files for marketing purposes (specific purpose) • High-level job application asks for applicant’s education and military experience (restricted to purpose) • Automated job application keyword screening (automated) • Not reacting to a customer claim of error to credit bureau. (Accuracy) • Transfer of personal data • All processing must have subject consent, or be “necessary”: • Comply with a law • Protect the subject’s vital interests • Perform a contract to which the subject is a party • Based on official authority • Must be disclosed to subject

  7. US-EUSafe harbor • To EU, U.S. is not in the “third country” group with an adequate level of data protection • Greatly hindered business for US-based multinational companies • Forums, email, telephone calls, website data, financial transactions, etc. • Safe Harbor allows data transfer to U.S., but not beyond, only if the data is lawfully treated as though the data is physically in Europe and subject to the Directive.

  8. Spain’s Data protection agency • Self-funded from the fines collected • Can impose fines up to €600k • Has imposed a number of €300k fines for illegal data transfers.

  9. Other EU Data protection agencies • France • First offense cap is €150k + 5 years in prison • Germany • Up to €250k fines • UK • Unlimited fines • (2007) 2 years in prison for unauthorized data disclosure • Other countries that with data protection agencies: • Canada, Argentina, Hong Kong, Australia

  10. Privacy and data protection heat map

  11. data protection AgenciesA lot of missing information

  12. Data Privacy • U.S. • Freedom of speech revered more expectation of privacy • Companies sell your personal information everyday • EU • Protects personal information as it would intellectual property • Companies are restricted from processing or sharing your personal information in an “unfair” or “unlawful” way • Can not sell personal subscription information to other companies

  13. Regionalized Cloud ServicesAmazon Web Services (AWS) • Allows region selection at time of purchase • US Standard • GovCloud (US) • US West (Oregon) • US West (California) • US East (Virginia) • Tokyo, Singapore, Ireland, Sao Paulo • Feature “enables you to address specific legal and regulatory requirements” • No proof – just trust • trace routes are blocked.

  14. Amazon Products/services by region

  15. Regionalized Cloud ServicesGoogle Cloud Storage • Choice of bucket locations limited to: • United States (Default) • European Union • Data will be replicated to multiple, geographically diverse Google data centers within your region • Data center locations are not disclosed.

  16. Conclusion and Concerns • It is incorrect to assume that the United States government’s access to data in the Cloud is greater than that of other advanced economies

  17. Questions And Comments

More Related