
Privacy in Cloud Computing

ITU Workshop on “Cloud Computing” (Tunis, Tunisia, 18-19 June 2012). Privacy in Cloud Computing. Vijay Mauree, Programme Coordinator, TSB, ITU, vijay.mauree@itu.int.


Presentation Transcript


  1. ITU Workshop on “Cloud Computing” (Tunis, Tunisia, 18-19 June 2012)
     Privacy in Cloud Computing
     Vijay Mauree, Programme Coordinator, TSB, ITU, vijay.mauree@itu.int

  2. Agenda
     • Cloud Computing Challenges
     • What is privacy?
     • What is the data lifecycle?
     • Key privacy concerns
     • Privacy by design and PETs
     • Conclusions

  3. Privacy in Cloud Computing
     • ITU Technology Watch Report – March 2012
     • Jointly with Stéphane Guilloteau, France Telecom Orange
     • The report
       • Surveys privacy issues in cloud computing and best practices to meet legal and regulatory obligations.
       • Standardization activities ongoing at international level

  4. Cloud Computing Challenges
     • The cloud is like a big black box; nothing inside the cloud is visible to the clients
     • Data in the cloud are easier to manipulate
     • There could be malicious system admins who can violate confidentiality and integrity
     • Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks

  5. Cloud Computing Challenges
     • Can cloud providers be trusted?
     • Are cloud servers reliable?
     • What happens if data get lost?
     • What about privacy?
     • Is it easy to switch to another cloud provider?

  6. Impact of cloud computing on the governance structure of IT organizations

  7. What is Privacy?
     • The concept of privacy varies widely among (and sometimes within) countries, cultures, and jurisdictions.
     • It is shaped by public expectations and legal interpretations; as such, a concise definition is elusive if not impossible.
     • No universally binding legislation covering all countries
       • Europe and United States
     • Privacy
       • Right to self-determination, i.e. the right of individuals to ‘know what is known about them’
       • Be aware of what information is stored about them, control how information is communicated and prevent its abuse.
       • It is more than just confidentiality of information

  8. What is Privacy?
     • Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal data (or Personally Identifiable Information—PII).
     • At the end of the day, privacy is about the accountability of organizations to data subjects, as well as transparency about an organization’s practices around personal information.

  9. What is the data life cycle?
     • Personal information should be managed as part of the data used by the organization
     • Protection of personal information should consider the impact of the cloud on each phase

  10. What Are the Key Privacy Concerns?
     • Typically mix security and privacy
     • Some considerations to be aware of:
       • Storage
       • Retention
       • Destruction
       • Auditing, monitoring and risk management
       • Privacy breaches
       • Who is responsible for protecting privacy?

  11. What Are the Key Privacy Concerns?
     • Data integrity and availability are essential elements in the provision of cloud computing services.
     • Article 17, EU Data Protection Directive: The controller and its processors must implement technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; having regard to the state of the art and the cost of their implementation, such measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

  12. Example
     • Odense Municipality case
       • Plan to use Google Apps within the school system
       • The Danish Data Protection Agency rejected the municipality's plan to use Google Apps
     • The municipality does not know where the data are physically located.
     • It is unclear how the following requirements of the Danish Data Protection Act will be met:
       • Deletion of data so that it cannot be recreated.
       • Transmission and login: the municipality has not made clear whether encryption will be used when transferring data between the various data centres.
       • No information has been provided about what data are logged or how long the log is stored.

  13. What Are the Key Privacy Concerns?
     • Cloud Deployment Models
       • Software as a Service (SaaS)
       • Platform as a Service (PaaS)
       • Infrastructure as a Service (IaaS)
     • SaaS
       • Customer has no influence over how input data is processed
       • Customer can decide if personal data will be input
       • Customer can secure personal data before it is sent to the SaaS.
     • PaaS
       • Provides tools supported by a cloud provider for developers to deploy applications
       • Responsibility lies with the developer to use best practices and privacy-friendly tools
       • Developer relies on the trustworthiness of the PaaS

  14. What Are the Key Privacy Concerns?
     • IaaS
       • Provides customer with computing resources to run applications
       • IaaS provider will secure data centres, network and also ensure employees and procedures comply with applicable laws and procedures
       • IaaS provider will not provide data-level compliance, e.g. geographic restriction of data transfers.
       • Responsibility lies with the cloud user to maintain compliance controls
       • E.g. if the IaaS is based on virtualization, it should be possible for the user to express that IaaS provider should migrate the virtual machines from EU based data centres to US based data centres.

  15. The Madrid Resolution
     • Madrid Resolution (2009) approved by data protection authorities of 50 countries
     • Framework for international standards on privacy and data protection
     • Defines a set of principles and rights
       • for protecting privacy with regard to the processing of personal data, and
       • to facilitate the international flow of personal data
     • Encourages countries to implement proactive measures to promote better compliance with data protection laws and adapt information systems for processing of personal data

  16. Privacy By Design
     • EU review of Data Protection Directive in 2011
       • Principle of privacy by design
       • Implement privacy enhancing technologies (PETs)
       • Privacy by default settings
       • EU rules must apply if personal data is handled abroad by companies active in EU market
     • Privacy by design binding for
       • Data controllers
       • Developers
       • Business partners
     • Need for standardized privacy protection measures

  17. Privacy By Design
     • 7 principles
       • Data minimization
       • Controllability
       • Transparency
       • User friendly systems
       • Data confidentiality
       • Data quality
       • Use limitation

  18. Privacy By Design
     • Data Flow Table
       • Type of data
       • Persons entitled to process personal data
       • Operating platform
       • Processing application
       • Purpose of data processing
       • Protection mode
       • Storage lifetime and disposal measure
       • Data recipients
       • Indicate destination country if data is transferred outside the country.

  19. PETs
     • No common definition for PETs.
     • Main characteristics
       • Reduce the risk of breaching privacy principles
       • Minimize amount of data held about people
       • Allow individuals to retain control of information about themselves
     • Includes
       • Opacity tools, e.g. encryption, anonymization
       • Transparency enhancing tools, which provide users with information about privacy policies or grant them online access to their personal data.

  20. PETs

  21. Conclusions
     • Privacy concerns are increasingly important
     • Privacy issues are different depending on cloud deployment model used
     • Madrid Resolution provides an international framework for privacy standards
     • A security risk assessment is essential before switching to a cloud based environment.
     • Embedding privacy by design and PETs for cloud services is strongly supported by Data Protection Authorities.
     • Privacy by design and PETs will play an important role in cloud services
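
The data flow table from slide 18 can be kept as a machine-checkable register. The sketch below is an added example, not part of the presentation or the ITU report: the field names, the sample rows and the three checks (empty column, transfer abroad without a destination country, expired storage lifetime) are assumptions built on the columns the slide lists.

```python
from dataclasses import dataclass, fields
from datetime import date


@dataclass
class DataFlow:
    """One row of the data flow table; columns follow slide 18 (names assumed)."""
    data_type: str
    authorized_persons: str
    operating_platform: str
    processing_application: str
    purpose: str
    protection_mode: str
    delete_after: date            # storage lifetime
    disposal_measure: str
    recipients: str
    transferred_abroad: bool
    destination_country: str = ""  # required only when transferred_abroad is True


def audit(rows, today):
    """Return (data_type, finding) pairs for incomplete or overdue rows."""
    findings = []
    for row in rows:
        for f in fields(row):
            value = getattr(row, f.name)
            if f.name != "destination_country" and isinstance(value, str) and not value.strip():
                findings.append((row.data_type, f"missing {f.name}"))
        if row.transferred_abroad and not row.destination_country.strip():
            findings.append((row.data_type, "transfer abroad without destination country"))
        if row.delete_after < today:
            findings.append((row.data_type, "storage lifetime expired, disposal due"))
    return findings


# Constructed sample rows, for illustration only.
ROWS = [
    DataFlow("pupil e-mail", "teachers", "SaaS office suite", "mail",
             "school communication", "TLS in transit", date(2013, 6, 30),
             "provider-confirmed deletion", "pupils, parents", False),
    DataFlow("pupil grades", "teachers", "SaaS office suite", "spreadsheets",
             "assessment", "", date(2012, 1, 31), "",
             "school administration", True),
]

if __name__ == "__main__":
    for data_type, finding in audit(ROWS, date(2012, 6, 18)):
        print(f"{data_type}: {finding}")
```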
