cloud and security 6 jul2013 v2
DESCRIPTION
Cloud and Security: a Legislator's Perspective at "Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing" University of Hong KongTRANSCRIPT
CLOUD A
ND SECURIT
Y: A
LEGIS
LATO
R'S
PERSPE
CTIVE
6/ 7
/ 20
13
BIGGEST INHIBITOR TO THE ADOPTION OF CLOUD
COMPUTING
Data Security?
SENSITIVE DATA IN THE CLOUD
• More data, more storage, more risks• Identifiable personal information examples• Credit card information•Medical records• Tax records• Customer account records• Human resources information• Banking and insurance records• Browsing history, emails and other communication• “Metadata”
• Sensitive personal data?
CLOUD SECURITY - STAKEHOLDERS
Data collector/own
er• Outsourcing:
How to select a cloud vendor?
• How to maintain direct control to safeguard data integrity?
Cloud service providers
• How to satisfy data residency and privacy requirements
• How to remain flexible and provide cost-effective service?
Regulator
• Formulation of relevant standards and practices
• How to ensure adoption and compliance?
• Would sensitive data end up overseas?
Customers/end-users
• Are my data safe in the cloud?
• Would I know if there is security or privacy breach?
ISSUES ON CLOUD SECURITY
Security
Is the data protected from theft, leakage,
spying or attacks?
What is the level of control and protection?
Residency
Where is the data stored?
geographically disbursed?
What to do with data in transit
& outside territory?
Privacy
Who can see personally identifiable information
(PII)?
Storing, transferring, locating and protecting PII
Challenges of cloud and
security
Maintaining ownership
and control of data
Info on 3rd party service
and distributed
infrastructure Deliver resiliency, availability
and flexibility of cloud services
COMPLIANCE REQUIREMENTS• Some countries have laws restricting storage of data
outside their physical country borders: India, Switzerland, Germany, Australia, South Africa and Canada
• EU: Data Protection Directive; Safe Harbor Principles – no sending PII outside European Economic area unless protections guaranteed
• USA: US Patriot Act, 40+ states have breach notification laws (25 states have exemption for encrypted personal data)
• Canada: Freedom of Information and Protection of Privacy Act
HONG KONG• Section 33(2)(f) of Personal Data (Privacy)
Ordinance,
• Standard discussions through HK/Guangdong Expert Committee on Cloud Computing Services and Standards
• Guidelines and information via infocloud.gov.hk
Can we still trust the ‘cloud’?
What are the local laws that govern data being collected, transferred and stored?
State-sponsored attacks?
INTERCEPTION OF COMMUNICATIONS – GOVERNMENT BODIES/OFFICIALS• Article 30 of the Basic Law specifies that the freedom and privacy of
communication of Hong Kong residents shall be protected by law.
• Interception of Communications and Surveillance Ordinance (Cap 589) -- since 2006• Regulate law enforcement agencies’ lawful interception of
communications and covert surveillance operations for the prevention and detection of serious crimes and the protection of public security.• Not applicable to non-public officers, and cannot be used to apply to
non-governmental bodies and individuals. • LEAs are required by the ICSO to obtain an authorization from a panel
judge or a designated authorizing officer prior to any interception of communications and covert surveillance operations.
INTERCEPTION OF COMMUNICATIONS – NON-GOVT PERSONS/BODIES• s24 of Telecommunications Ordinance (Cap 106) does not allow a
telecommunications officer, or any person who, though not a telecommunications officer, has official duties in connection with a telecommunications service to wilfully intercept any message
• s27 of Telecommunications Ordinance (Cap 106) imposes prohibition on any person who damages, removes or interferes with a telecommunications installation with intent to intercept or discover the contents of a message
• s29 of the Post Office Ordinance (Cap 98) states that no person shall open any postal packet or take any of the contents out of any postal packet or have in his possession any postal packet or mail bag or any of the contents of any postal packet or mail bag or delay any postal packet or mail bag
• If such activities involve the collection of personal data, they are subject to the provisions of the Personal Data (Privacy) Ordinance.
• The hacking of the computer system is dealt with mainly by section 161 of the Crimes Ordinance (Cap 200) (obtains access to a computer with intent to commit an offence or with a dishonest intent) and section 27A of the Telecommunications Ordinance (Cap 106) (by telecommunications, obtains unauthorized access to any computer).