Data Privacy and Security for Market Research in the Cloud
Peter Milla, IIeX2015 NA
Agenda
1. Background
2. Why the Cloud?
3. Data Privacy and Data Security in the Cloud
4. How do We Deal with It?
The Cloud
- Is exploding
- Can offer real advantages/benefits
- Can present real compliance challenges
- Attractive to business, especially SMBs
- An area where MR companies are looking to outsourcing
- Gartner prediction: 50% of Global 1000 will have data stored in the cloud by the end of 2016
In the Simplest Terms
- Cloud computing means storing/accessing data and programs on/over the Internet instead of your computer's hard drive or local area network storage
- The cloud is just a metaphor for the Internet
- It goes back to the days of flowcharts that represented the large server-farm infrastructure of the Internet as a puffy, white cumulonimbus cloud
In the Simplest Terms (continued)
What Really is Cloud Computing (to the Business)?
- Cloud computing is a new computing paradigm, involving data and/or computational outsourcing with:
  - Infinite and elastic resource scalability
  - On-demand, just-in-time provisioning
  - No upfront cost, pay-as-you-go (in general)
- That is, use as much or as little as you need, use only when you want, and pay for what you use (in general)
The Cloud for Business: Service Models
Major Cloud Deployment Models
- Note: Another model is a Community Cloud, where infrastructure is shared between several organizations
Public Cloud Type Evolution
- Public Cloud:
  - Credit card-based
  - No/very limited transparency
- Enterprise Cloud (also Virtual Private Cloud):
  - Deeper commercial relationship
  - Logical segregation
  - Different service model
  - Transparency/SLAs on data location, process
Small/Medium Businesses (SMBs)
- Enthusiastic adoption
- Cloud providers provide better security than SMBs. Amazon Web Services compliance programs include: ISO, SOC 2, PCI DSS Level 1, HIPAA
- Often considered by many IT development shops as perhaps the only alternative (including for backup)
Benefits for Cloud Customers
1. Cost: Very attractive, particularly to SMBs
2. Integration: Integration to take place across infrastructure services, data, management, identity and development
3. Investment: OpEx vs. CapEx; can simplify IT asset management
4. Scalability: Services can be scaled quickly
Benefits for Cloud Customers (continued)
5. Speed to deployment: Can be hours vs. weeks
6. Flexibility: Can add new services easily
7. Security: Better than many organizations can provide internally
Benefits for Cloud Providers
1. Increased utilization of data center resources
2. More clients per square foot, per kilowatt hour
3. More clients per staff person
About selling X as a service:
- IaaS: Selling virtualized hardware
- PaaS: Selling access to a configurable platform/API
- SaaS: Selling software that runs on top of the cloud
Top Five Tech Spending Increases in 2015
Privacy is Key
But it is Not Just About Privacy
- Integrity: How do I know that the cloud provider is doing the computations correctly/not tampering with data?
- Availability: Will critical systems go down if the provider is attacked? What happens if the provider goes out of business?
- Increased attack surface: An external entity now stores and computes data
  - Attackers can now also target the communication link between the provider and the client
  - Provider employees can be phished
But it is Not Just About Privacy (continued)
- Auditability and forensics: May be difficult to audit data outside the organization in a cloud
- Legal issues and transitive trust issues: Responsibility for regulations; if the cloud provider subcontracts to a third party, will data be secure?
Where is My Data?
Data Privacy and Data Security in the Cloud
- Protecting personal data depends on safeguards supplied by the cloud purchaser and the cloud provider; responsibilities must be clear
- Privacy obligations don't change if data is stored in the cloud
- As with all other outsourcing use cases, you can't outsource accountability and risk
- Certifications like ISO can help companies enable data privacy/data security
- The Data Privacy and Data Security functions must be aligned
Reasons to be Concerned
1. Who is looking at your data?
2. Cyber attacks
3. Insider threats
4. Government intrusion
5. Legal liability
6. Lack of standardization (cloud security)
7. Lack of support
8. There is always risk
Myths and Clarifications about Cloud Privacy
- Concern: PII in cloud against the law
  Clarification: PII in cloud is not illegal; legal/IT conflict
- Concern: Data abroad is forbidden
  Clarification: Cross-border can be illegal
- Concern: Must store in country
  Clarification: Often a client or law/regulation requirement
- Concern: Not overseas because of foreign surveillance
  Clarification: Monitoring is everywhere; technical and legal controls are required
- Concern: Hurry, we're last
  Clarification: Full-scale public clouds are rare; this is moving quickly
Think Risk!
- Need to think beyond technology, checklists and compliance
- For example, a firewall protects a network only if it is properly configured
- A cloud solution can be used to achieve compliance only if acceptable to all stakeholders:
  - Research provider
  - Legislators/regulators
  - Clients
Cloud Privacy Risks
- Certain types of data may trigger specific obligations under national and local law
- Vendor issues:
  - Organizations may not be aware they are using cloud-based vendors
  - Due diligence still required
  - Data security is still the responsibility of the customer
  - SLAs need to account for access, correction and privacy rights
- Data transfer: Cloud model may trigger international legal data transfer issues
How do We Deal with It? (Measures Include ...)
1. Build privacy into technology ("Privacy by Design")
2. Implement privacy compliance (federal, state, local law and regulation, EU Data Protection framework, etc.), MR industry codes
3. Exercise due diligence, including Risk Assessments, Privacy Impact Assessments, etc.
4. Develop a breach management plan
5. Use privacy enhancing technology (including encryption)
6. Make sure business liability insurance covers data events
7. Create and enforce contractual clauses
Contractual Provisions to Consider Include ...
1. Service provider must not use PII except as necessary in providing services
2. Provider must not improperly disclose PII
3. Provider must employ safeguards to ensure PII is retained, transferred and disposed of securely
4. Provider must notify the organization immediately of any order or other requirement to compel production of PII
5. Provider must notify the organization immediately if PII is stolen, lost, or accessed by unauthorized persons
Contractual Provisions to Consider Include ... (continued)
6. Implement an oversight and monitoring program, including audits of the provider's compliance with the terms of the agreement
7. No one on behalf of the provider should have access to PII unless that person agrees to comply with the restrictions in the agreement
8. Insurance requirements
Key Takeaways
- Think Risk! You can outsource services, but not accountability
- Do risk assessments
- Build privacy in and align privacy and security functions
- Conduct proper due diligence on your cloud providers
- Ensure you have the appropriate security technology in place
- Ensure you have the appropriate contractual provisions in place
Q&A