1 / 23

On Cloud and Informational Privacy

Reaching the Cloud Era in the European Union Riga, 16.06.2015. On Cloud and Informational Privacy. Lilian Mitrou , Associate Professor University of the Aegean Center for Security Studies Greece L.mitrou@aegean.gr. What are we talking about ?.

angied
Download Presentation

On Cloud and Informational Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Reaching the Cloud Era in the European Union Riga, 16.06.2015 On Cloud and Informational Privacy Lilian Mitrou, Associate Professor University of the Aegean Center for Security Studies Greece L.mitrou@aegean.gr

  2. What are we talking about ? We aim at providing an overview of the following issues • Privacy risks, concerns, issues • Challenges to using/providing cloud services • Applicable Law and Location • Cloud customer and cloud provider as data controller/ processor • Transparency, trust and accountability

  3. Cloud Computing • Quite possibly the hottest, most discussed in information technology (IT) today • Offers an impressive range of possibilities • Presents new risks and uncertainty • Many concerns, if not barriers to the adoption of cloud computing solutions relate to - informational privacy - compliance with data protection legal requirements

  4. Informational privacy • Underlying interests and interests: from autonomy, informational self-determination, balance of powers, over integrity, respect and dignity, to democracy and pluralism. • Informational Self Determination - Control over information. • Prerequisite of the capacity for autonomy- autonomous decision- and choice-making. • Data Protection Regimes : Protecting against unlawful and unjustified collection, storage, use and dissemination of their personal data and regulating use and processing to struck the balance with processing needs, rights and interests.

  5. Loss of control? • CC redefines how, where and by whom data is collected, transmitted and used • Aggregation of (personal) data more likely to harm individuals’ rights when cloud providers’ business model is based on commodifying personal information • data deployed on a wide scale or disassembled and reassembled across a highly distributed infrastructure • “loss of control” related to the difficulty for the cloud customer to know and effectively check the data handling practices and data processing carried out by the cloud provider

  6. Cloud Computing Privacy Issues • Location and qualification of roles ( controllers, processors - chain of (sub)providers and…affected individuals) • Location and transborder flows (requirements) • (Un) Certainty and (Mis) trust about the use of personal data (unlawful secondary use/ disclosure to LEAs ?) • Concerns about security (security measures/ data breaches) • Transparency

  7. Challenges to using/providing cloud services • Need to comply with regulatory framework • Maintain/ Regain control over data and its processing • Restore transparency and – respectively - trust • Deal with duties, accountability and liability (in case of unlawful processing and security breaches) Cloud Customers and Cloud Providers may be strictly interrelated and have to face these challenges in collaboration in partnership with each other when Cloud Customers use cc services to process third persons’ data

  8. Cloud specific concerns? • Complex and rapid changes confusing, distressing / perplexing for users (end-users, cloud customers) – and last but not least for the regulators • A (real) paradigm shift ? • Specific cloud computing characteristics that magnify privacy risks and/ or concerns: • flexibility in information processing on a global basis • Sharing of cloud resources to serve multiple cloud clients by the use of multiple data centers and a multitenant model

  9. CC and “traditional” outsourcing • Cloud computing as a modernization of the “time-sharing” model of computing in the 1960s or an evolved form of ICT outsourcing that makes use of grid technologies? • Long term relationships/ contracts in “traditional” outsourcing vs contractual flexibility • Negotiated contracts vs “take it or leave it”models (public clouds) • Customisation vs. standardised,shared infrastructure/environments • Dedicated infrastructure vs multitenancy

  10. Personal data and applicable law • The Data Protection Directive lays down rules for the processing of personal data while using cloud computing services • Applicability is subject to the characterization of data as personal, namely as information relating to an identified or identifiable natural person (“data subject”) • Identifiability is perceived in a multiple way, including both direct and indirect identifiability and relying on “all means likely reasonably to be used either by the controller or by any other person to identify the said person”. .

  11. Controller and Processor • Definition of purpose and means of processing that qualifies a person as a controller • Sometimes difficult to apply to cloud computing services: responsibilities and roles are distributed, shared and shifted as personal data are moved, reconstructed and re-used continuously • Blurring / adequate distinctions? • It suffices that the cloud customer decides – finally - on the allocation of the processing operations to cloud services to be qualified as data controller • The qualification of roles is not a theoretical exercise. It has to do with compliance, accountability and liability. • The DPD imposes the most obligations on the actors that process data in their capacity as a data controller- who has to ensure the delivery of data protection from the part of the processor.

  12. New RegulationNew Obligations ? • The Draft General Data Protection Regulation establishes directly processor-specific obligations • Processing of personal data based on a contract or another legal act binding the processor to the controller [26(2) ] – • Ensuring data security, by way of appropriate technical and organisational measures [30(1)] • Alerting the controller in case of a data breach [31(2)] • Imposing the same data protection obligations when sub-contracting a sub-processor [26 (2a)] / conditions for enlisting another processor, such as a requirement of specific prior permission of the controller .

  13. Location as privacy issue • Cloud model is strongly based on the concept of “location independence”: • Data is stored on multiple dynamic virtual servers across the Cloud • Data is automatically fragmented, before being distributed to multiple servers • Customer has no control or knowledge over the exact location of the provided resources • Location relates to • applicable law and compliance with specific requirements • Regulation (and restriction) of data transfers • Cloud forensic issues (access by or disclosure to “foreign LEAs

  14. Location and the Law • EU law applies to data controllers who have one or more establishments within the European Economic Area (EEA) and also to data controllers who are established outside of the EEA that use equipment (such as servers) located within the EEA • Abandoning the ‘‘chase for the server” the Draft General Data Protection Regulation will apply a) to processing in the context of the activities of an establishment of controller or a processor in the Union, b) to processing activities that are related to the offering of goods and services to data subjects in the Union even if the controller is not established in this area, c) to processing related to monitoring of data subjects’ s behaviour in the Union [3 (2)].  

  15. Transparency as crucial issue • No visibility of location, level of security (measures), processes and procedures used by cloud (sub)providers that may participate in a cloud supply chain • Information of the cloud customer about all relevant issues/measures that may foster or undermine the lawfulness of the processing: security measures, security incidents notification, implications by processing etc. • Information about the results of auditing of the cloud services • Information about the chain of subcontractors. Due to the decentralized and dynamic nature of cloud services is actually difficult to comply with transparency requirements with regard to location

  16. Trust is good… • Trust is an “affected asset” : Lack of trust has proven to be one of the significant barriers limiting the wide adoption of cloud computing • With regard to the cloud provider trustworthiness means primarily considering security and privacy aspects when offering cloud services. • A “chain of confidence-building steps to create trust in cloud solutions”: Most ubiquitous requirements for trust building are Information security andcompliance with data protection rules and principles by providing clarity and legal certainty regarding applicable law, allocation of roles and responsibilities, security measures and the regime of transborder data transfers

  17. Control is better? • Use of SLAs and business activities monitoring is suggested as a method to guarantee the quality of cloud services • a trust building mechanism for cloud computing adoption, which consists of authentication, system security, service quality and non-repudiation [Bogataj and Pucihar] . • a trustmark to help consumers of cloud computing to build trustworthiness. [Lynn et al.] • A CIAMAU model to demonstrate mutual trustworthiness? Confidentiality, Integrity, Availability with the addition of the “Mutual Auditability” parameter - Mutual auditability can also significantly assist with incident response and recovery • BYOE (bring your own encryption) : cloud computing security model that allows cloud service customers to use their own encryption software and manage their own encryption keys

  18. Accountability as a critical aspect of data protection • Accountability principle: In general, the parties involved have to demonstrate that they took and take appropriate steps to ensure that data protection principles have been implemented • “accountability for data stewardship by Cloud Services” : accepting responsibility for the stewardship of personal and/or confidential data with which the cloud service provider is entrusted in a cloud environment, for processing, storing, sharing, deleting and otherwise using the data according to contractual and legal requirements from the time it is collected until when the data is destroyed (including onward transfer to and from third parties)

  19. Accountability and compliance frameworks • Governance and compliance frameworks such as ISO/IEC 27001/02 contain many of the elements of accountability defined above: the information security management system of an organization is meant to generate assurance, transparency and responsibility in support of control and trust • ISO/IEC 27018 : Information technology — Securitytechniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud

  20. Risk and Data ProtectionImpact Assessment • According to the Draft GDPR [22 (2b)] adherence to approved codes of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller • Risk assessment: central part of the process used to determine and demonstrate that the policies signed up to and implemented by the organization are appropriate to the context. • A Data Protection Impact Assessment as a decision support tool for a cloud environment : surface privacy issues at an early stage, and tackle those issues at the architectural level.

  21. Some final thoughts • When considering privacy risks in the cloud, as considered already within the introduction, context is very important as privacy risks, concerns and challenges differ according to the type of cloud scenario • Allocation of responsibilities should be left to the parties or rather it should be specified in the law or recommended contractual clause. • Cloud specific provisions or technological neutrality ? • The fundamental concepts of such frameworks are in the main technology neutral, and their validity would still apply to cloud computing • But the word “cloud” is not included in the Draft General Data Protection Regulation!

  22. An ongoing process • Legal frameworks need to be constantly reviewed, updated and adjusted with current and future technologies, current and future threats and concerns in mind ! • Dialogue between regulators, organisations and stakeholders to ensure that the regulatory framework does adapt to new frameworks and business models without eroding consumers’ trust and interest and last but not least fundamental rights like individual privacy

  23. Thank you For Your Attention

More Related