how privacy in the cloud affects organizations

How Privacy in the Cloud Affects Organizations Thilina Piyasundara Systems Engineer WSO2 Cloud Team

Upload: wso2-inc

Post on 06-Jan-2017


Agenda

Why Are Organizations Moving to Cloud?

Risks/Challenges in Cloud

Top Privacy Challenges in Cloud

Legal Obligations

How to Protect Privacy in Cloud?

Cloud Services for Organizations

Image source: https://blog.cloudsecurityalliance.org/wp-content/uploads/2014/07/top-20-enterprise-blog.jpeg

Why Are Organizations Moving to Cloud?

● Maintaining Focus on the Business

● Business Agility

● Reduced Capital Expenditures

● Scale

● Access from Anywhere

● Staffing Efficiency

● Security and Disaster Recovery

● API Driven Architectures and Collaboration Between Organizations

Statistics

Risks/Challenges in Cloud

Data Breaches

*Not directly related to cloud

Top Privacy Challenges in Cloud

Data Breaches

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Legal Obligations

A business that stores information in the cloud must be able to control access to and use of the information as well as protect the legal rights of the individuals whose information has been sent to the cloud.

Laws prohibit some data from being used for secondary reasons other than the purpose for which it was originally collected.

How to Protect Privacy in Cloud?

Privacy Principles

● Storage and security of personal information
● Access to personal information
● Correctness of personal information
● Limits on use of personal information
● Limits on disclosure of personal information

Shared Responsibility Model in Cloud

Data Protection

Securing data in creation

● How do you collect or generate information?
  ○ Open forms
  ○ Insecure websites
  ○ Publicly available data
  ○ Trust factors

● Solutions
  ○ Secure web applications with authorization, like Google Forms

Securing data at rest

● How do you protect data at rest (storage)?
  ○ Who can access data?
  ○ How do you store data (raw files/binary/databases)?
  ○ What encryption algorithms are used to encrypt data?

● Solutions
  ○ Manage user access to storage
  ○ Support multiple data centers in different geographical locations
  ○ Support full disk encryption and database encryption
  ○ Highly available data volumes for instances and object storage for files/objects

Securing data while processing

● Where do you process data?
  ○ Is the data processed in a shared environment?

● Solutions

Securing data during transmission

● How do you move data from one location to another?
  ○ Can someone intercept and get your data?
  ○ Can someone alter your data streams?

● Solutions
  ○ Use IPsec VPNs
  ○ Use TLS for web traffic
  ○ Use DNSSEC for DNS

Securing data archives

● How do you keep backups?
  ○ Backup frequency
  ○ Data retention
  ○ Backup storage security
  ○ Access to backup data
  ○ Validate integrity

● Solutions
  ○ Encrypt before storing
  ○ Manage user access to archives and encryption keys
  ○ Replication over geographical locations
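
An added example (not from the original slides) of the "validate integrity" and "manage access to encryption keys" points above: a keyed manifest written at backup time and checked before restore, so anyone who can write to the archive storage but does not hold the key cannot alter, remove or add files unnoticed. The key, file names and contents are constructed sample values; the assumption is that the key is kept in a key manager separate from the archive.

```python
import hashlib
import hmac
import json

def _mac(key, label, msg):
    # The label separates per-file tags from the manifest seal.
    return hmac.new(key, label + msg, hashlib.sha256).hexdigest()

def _file_tag(key, name, data):
    # Bind the tag to the file name (length-prefixed) so files cannot be swapped.
    encoded = name.encode()
    return _mac(key, b"file:", len(encoded).to_bytes(4, "big") + encoded + data)

def _seal(key, tags):
    return _mac(key, b"seal:", json.dumps(tags, sort_keys=True).encode())

def build_manifest(key, files):
    """Run at backup time. Store the manifest with the archive, the key elsewhere."""
    tags = {name: _file_tag(key, name, data) for name, data in files.items()}
    return {"files": tags, "seal": _seal(key, tags)}

def verify_archive(key, files, manifest):
    """Run before restore. Report everything in the archive that cannot be trusted."""
    report = {"manifest_ok": True, "modified": [], "missing": [], "unexpected": []}
    # Check the seal first: an edited manifest makes every other check meaningless.
    if not hmac.compare_digest(_seal(key, manifest["files"]), manifest["seal"]):
        report["manifest_ok"] = False
        return report
    for name, expected in manifest["files"].items():
        if name not in files:
            report["missing"].append(name)
        elif not hmac.compare_digest(_file_tag(key, name, files[name]), expected):
            report["modified"].append(name)
    report["unexpected"] = sorted(set(files) - set(manifest["files"]))
    return report

# Constructed sample data (assumption: in practice the key comes from a key manager).
KEY = b"constructed-demo-key"
BACKUP = {"customers.csv": b"id,email\n1,a@example.com\n", "orders.csv": b"id,total\n1,40\n"}
MANIFEST = build_manifest(KEY, BACKUP)

def demo_tampered():
    archive = {"orders.csv": b"id,total\n1,4000\n", "extra.sh": b"echo hi\n"}
    return verify_archive(KEY, archive, MANIFEST)

if __name__ == "__main__":
    print(verify_archive(KEY, BACKUP, MANIFEST))
    print(demo_tampered())
```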

Destroy data securely

● How do you delete data?
  ○ Data retention
  ○ Can we make it public?
  ○ Can we forget about backups?
  ○ What about data storage hardware?

● Solutions
  ○ Write arbitrary data to data blocks
  ○ Cloud providers use standard ways to destroy data

Policies and Compliance

● Policies
  ○ Have a proper security policy
  ○ Manage proper data classification
  ○ Properly manage access to data in all stages
  ○ Align processes with international standards

● Compliance
  ○ EU data protection act
  ○ Health Insurance Portability and Accountability Act (HIPAA)
  ○ Children's Online Privacy Protection Act (COPPA)
  ○ Electronic Communications Privacy Act (ECPA)
  ○ Fair Credit Reporting Act (FCRA)
  ○ Fair and Accurate Credit Transactions Act (FACTA)
  ○ Gramm-Leach-Bliley Act and the related privacy rules

The Debate on Personal Privacy and National Security

Thank You!