Considerations in an Outsourced / Cloud World ARMA Information Management Symposium Bill Wilson, Chief Privacy Technologist

Uploaded by dwight-gravette, posted 29-Mar-2015


TRANSCRIPT

Page 1: Considerations in an Outsourced / Cloud World ARMA Information Management Symposium Bill Wilson, Chief Privacy Technologist

Considerations in an Outsourced / Cloud World
ARMA Information Management Symposium
Bill Wilson, Chief Privacy Technologist

Page 2:

ARMA Information Management Symposium - April 18th 2012

Privacy in the Outsourcing World

(Pages 2, 3 and 4 carry no transcribed text beyond the running header and footer above.)

Page 5:

“The times, they are a-changin”

• 40 years ago – truck full of paper
• 30 years ago – crates of floppy disks
• 10 years ago – hard drives
• Today, the same information can fit on a single DVD or a thumb drive!

Page 6:

Cybercrime

Fraud-related offences are now thought to be as profitable as drug-related offences, estimated at between $10 and $30 billion annually in Canada by the RCMP’s Commercial Crime Branch. The majority of these crimes aren’t committed by kids at their computers; 80% or more of the work is conducted by criminal organizations.

Page 7:

Identity Fraud

• Victims of identity theft or fraud can experience financial loss and difficulty obtaining credit or restoring their "good name".

• In 2009 the average data breach cost the affected business $6.75 million, up from $6.65 million in 2008, according to a Ponemon Institute study.

Page 8:

What your information could be used for:

• Criminals can use your stolen or reproduced personal or financial information to:
– access your bank accounts
– open new bank accounts
– transfer bank balances
– apply for loans, credit cards and other goods and services
– make purchases
– hide their criminal activities
– obtain passports or receive government benefits

Pages 9 and 10: no transcribed text

Page 11:

Threat Landscape - Trends

• Top threat events involved external hacking/malware on servers
• Increase in all forms of attacks by all actors
• Industrialization of attacks
• Targeting weak points in the financial system
• Top three industries targeted – Hospitality, Retail, Financial

Page 12:

Threat Landscape - Trends

• Market segmentation
– Organization size
– Geographic location
– Industry

• Low risk, automated attacks against vulnerable systems

• Sophisticated attacks targeted at intellectual property

Page 13:

Defences

Understand the threat landscape for your business

Assess the risks
– Vulnerabilities
– What are you seeing
– Regulatory requirements
– Industry requirements

Page 14:

Legislation

Personal Information Protection and Electronic Documents Act (PIPEDA)

Key elements for cloud computing:
– Consent
– Collection
– Use
– Disclosure
– Retention
– Safeguards

Page 15:

Personal Information

• Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form.

• Personal information does not include the name, title, business address or telephone number of an employee of an organization

Page 16:

Cloud Computing Models

Service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)

Deployment models: Private, Public, Partner

(Diagram: cost, liability and assurance compared across the deployment and service models.)

Risks vary by deployment and service model

Page 17:

Considerations

• Ceding of control to the cloud/outsource provider and related impact on governance

• Cloud computing is new: standards are still being developed, supporting technologies are still being enhanced, and there is little to no case law.

Page 18:

Considerations

• Amalgamation of existing technologies; risks in cloud/outsourced computing can be:
– Existing risks inherent in the technologies used
– Magnification of existing risks
– New risks

• Consumer-focused cloud services may present greater risks to data security and privacy due to click-through terms.

Page 19:

Jurisdiction

• Location of the cloud/outsource provider, their infrastructure and your data

• Some countries may be considered higher-risk

• Does the cloud/outsource provider outsource any of its services to other providers in other jurisdictions?

Page 20:

Trans Border Data Flows

• PIPEDA does not prohibit the transfer of Personal Information (PI)
– But it does establish rules
• Sharing of information with a service provider is considered a use
– Additional consent is not required
• Accountability is not transferred
– The buck stops with you

Page 21:

Trans Border Data Flows

• Data protection formalized in a contract
– A contract cannot override laws
• Assess the risks
– Don’t jeopardize the integrity, security and confidentiality of customer personal information
• Transparency and notification
– Advise customers

Page 22:

Lawful Access

• What laws apply to the data both in transit and at rest
– Does the host country have lawful access to your data? e.g. the US PATRIOT Act
– Unlawful access?
• Shared storage – consider the implications if a physical device is seized

Page 23:

Compliance

• Maintaining compliance with required regulations
– PIPEDA, Sarbanes-Oxley, or industry requirements such as PCI DSS
• Maintaining compliance with certifications
– ISO 27001
• Breach reporting
– Does the provider’s breach reporting policy and procedure align with your requirements?

Page 24:

Data Ownership

• Must be clearly defined
– Explicitly state what data the provider has access to and what they can do with the data
• What happens to the data on contract termination
– By you
– By them
– Other reasons, e.g. failure of the vendor

Page 25:

Data Handling

• Data classification and labelling
– Prerequisite
– Drives requirements for data handling in the SLA
– Encryption or additional controls for sensitive data
• Understand the provider’s data handling practices

Page 26:

Processing and creation of new data

• Understand what is happening to your data at the cloud/service provider
– What is your service provider doing with the data?
• Data matching
• Creation of new data

Page 27:

Data Permanence

• Proper disposal of data must be addressed
– redundancy images
– backups
• Proof of disposal
– Certification of Disposal
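Crypto-shredding is one way to satisfy the disposal requirement on this slide and the "encryption or additional controls for sensitive data" item on the Data Handling slide with a single mechanism. The Go program below is an added example, not code from the deck or from any provider, and the deck itself does not name crypto-shredding; it is suggested here as one implementation. The classification labels, the KeyStore, the Record layout and the sample text are all assumptions. Anything labelled Sensitive is sealed under a key the customer keeps (AES-256-GCM, with the record ID bound in as associated data), so the provider, its backups, its redundancy images and any seized disk hold only ciphertext. Destroying the key is the disposal step; every copy becomes unreadable at once, and the receipt it returns is the kind of artifact a certification of disposal can cite.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Classification labels are an assumption for this example; the deck calls
// classification a prerequisite but names no specific scheme.
type Classification int

const (
	Public    Classification = iota
	Sensitive // personal information: encrypt before it leaves our control
)

// Record is the unit handed to the cloud/outsource provider.
type Record struct {
	ID    string
	Label Classification
	Body  []byte // plaintext for Public, AES-GCM ciphertext for Sensitive
	Nonce []byte // set only when Body is ciphertext
}

// KeyStore holds data-encryption keys on the customer side, never at the provider.
// Deleting a key is the disposal step: every copy of ciphertext under it
// (provider backups, redundancy images, a seized disk) becomes unreadable.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// NewKey creates a fresh AES-256 key for one customer, dataset or retention period.
func (ks *KeyStore) NewKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// Destroy zeroes and forgets a key and returns a receipt line that a
// certification of disposal can cite.
func (ks *KeyStore) Destroy(id string) (string, error) {
	k, ok := ks.keys[id]
	if !ok {
		return "", errors.New("no such key")
	}
	for i := range k {
		k[i] = 0
	}
	delete(ks.keys, id)
	return fmt.Sprintf("key %q destroyed; all ciphertext under it is now unrecoverable", id), nil
}

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key " + id + " is missing or destroyed")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Prepare applies the handling rule the label requires before the record is sent.
// Sensitive records are sealed under keyID; the record ID is bound in as
// associated data so ciphertext cannot be re-attached to a different record.
func Prepare(ks *KeyStore, keyID string, r Record) (Record, error) {
	if r.Label != Sensitive {
		return r, nil // deck: additional controls are for sensitive data
	}
	aead, err := ks.aead(keyID)
	if err != nil {
		return Record{}, fmt.Errorf("refusing to send sensitive data: %w", err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{ID: r.ID, Label: r.Label, Body: aead.Seal(nil, nonce, r.Body, []byte(r.ID)), Nonce: nonce}, nil
}

// Open recovers a record fetched back from the provider. Once the key is
// destroyed this fails for every copy, which is the disposal guarantee.
func Open(ks *KeyStore, keyID string, r Record) ([]byte, error) {
	if r.Label != Sensitive {
		return r.Body, nil
	}
	aead, err := ks.aead(keyID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Body, []byte(r.ID))
}

func main() {
	ks := NewKeyStore()
	if err := ks.NewKey("customer-42"); err != nil {
		panic(err)
	}
	// Constructed sample record for the demo; not real personal information.
	rec := Record{ID: "r1", Label: Sensitive, Body: []byte("sample PI: date of birth 1970-01-01")}
	sent, err := Prepare(ks, "customer-42", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores: %x\n", sent.Body)
	pt, _ := Open(ks, "customer-42", sent)
	fmt.Printf("we read back:    %s\n", pt)
	receipt, _ := ks.Destroy("customer-42")
	fmt.Println(receipt)
	_, err = Open(ks, "customer-42", sent) // the provider's backup copy is now useless
	fmt.Println("after disposal:", err)
}
```

The key identifier is the unit of disposal, so choose it to match the retention decision you will have to make later (per customer, per dataset or per retention period); a single key for everything means you can only dispose of everything. Keep the keys, and the receipts, outside the provider's jurisdiction, otherwise the lawful-access question on the earlier slide simply moves from the data to the keys.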

Page 28:

Security

• Existing risks inherent to the technologies used
– Virtualization, web
• New risks
– Lack of isolation
• Magnification of existing risks inherent to your processes

Page 29:

Security

• Implications of multi-tenant, shared resources
• Availability and segmentation of audit logs
• Authentication and identity management
• Access control
• Management and monitoring of privileged access
• Security incident response capability

Page 30:

Security

• Provider’s provision for handling conflicting requirements between customers on shared infrastructure

• Clear division of security responsibilities and liabilities between the customer and the provider

• Cloud/outsourcing can provide benefits, mostly related to economies of scale
– Small businesses may benefit

Page 31:

Summary

• Risk assessment
• Transparency by the provider on its approach to privacy and security
• Certifications
• Contract review, including the SLA and any related/referenced Terms of Service
• Contract monitoring

Page 32: no transcribed text