Privacy and Security policies in the cloud
Analysing the Current Data Protection Legal Framework: challenges and ways forward
Privacy policies for the cloud
Prof David Wallom
Overview
• Worried? Should you be?
• It's all about trust
• Bolster trust or make it so we don't need it…
Why all this worry?
– Cloud computing is pervasive in modern society
Cats, Kids and fun…
It's not just all about cats and kids…
Why all this worry?
– Cloud computing is pervasive in modern society
– Limited market penetration from EU cloud providers -> vast majority of cloud providers based outside EU
Who are the cloud providers?
Why all this worry?
– Cloud computing is pervasive in modern society
– Limited market penetration from EU cloud providers -> vast majority of cloud providers based outside EU
– Pace of service development and nefarious capability outstrips that of the regulatory environment
What should you think about when…
• Who are you entering into a contract with?
• What protections does your contract give you?
• Who can make changes to the T&C?
• Where is the data?
• On whom is the liability?
7 Cloud Computing security risks
Trust at the Last Mile
• Problem for high value instantly usable data and services
– Critical data or keys are still exposed inside the cloud at the final steps
– Still requires customers' unconditional trust of their CSP
“What is really going on inside the cloud?”
Building trust through brands
New Industries Around Security and Trust
Building trust through regulation
Public sector approaches to cloud security

United Kingdom: G-Cloud
Approach: Government procurement framework
Highlights:
• Based on ISO 27001
• Most data is “official”
• Reusable certification

Australia: InfoSecurity Manual
Approach: Government procurement guidance
Highlights:
• Risk-based approach encouraged
• 5 control levels

United States: FedRAMP
Approach: Government procurement framework
Highlights:
• Based on NIST 800-53v4
• Moderate and High baseline controls

European Union: ENISA CCSL and CCSM
Approach: Procurement guidance
Highlights:
• Maps certification regimes relevant to cloud customers

Notable strengths:
• Flexible
• Standards-based
• Transparent
• Risk-based

Trustworthy Cloud Principles
Over-regulation can stifle innovation
Conclusions from a recent workshop on Cloud Security and certification
• Trust and security are key to the successful adoption of cloud computing and its ability to drive European economic expansion
• Urgently gain clarity in the implementation of newly introduced regulatory regimes
• Promote the use of existing certification schemes and standards
• Raise awareness of cloud security and ensure understanding of what cloud security means
• Support the Free Flow of Data
To end…
• Recommendations for Future Policy Action
– What does cloud mean? – automation
– What would destroy cloud – over regulation and interruptions in automated interactions
– Flexibility to allow innovative services to develop
– Where possible use open standards and approaches more generally to allow transparency
• Technology solutions including the unification of trusted and cloud computing may break the need to trust your provider
– May end up with no-one able to see inside though…