HOW SAFE IS YOUR DATA? Are you at risk of making the headlines for all the wrong reasons?

Transcription

1 HOW SAFE IS YOUR DATA? Are you at risk of making the headlines for all the wrong reasons?

2 What do you need to consider when choosing a cloud service? G-Cloud gives central and local government departments and organisations much more freedom of choice about the IT platforms they use, and the suppliers they work with, to deliver digital services. Policies like Cloud First encourage you to consider cloud before any other option. Because cloud is quicker and less expensive to procure and deploy than other platforms, it helps you reduce development lead times and deliver innovative services more efficiently and cost effectively. It s faster and cheaper But when you re choosing a new cloud service provider or cloud platform, there s more to think about than just how fast or how cheaply you can deliver a new service. Before you sign on the dotted line, you also need to think about the security, privacy and location of the sensitive data that s entrusted to you. You may be happy storing your holiday photos in Dropbox or using Gmail for personal s but would you make similar choices for citizen or government data? It s your responsibility to make sure that the data in your care will be protected at all times. Once you ve got the facts, assess the risks and choose your cloud provider wisely. You don t want to be the next headline in the Daily Mail. 2

3 What s the worst thing that could happen? Security breaches can happen to any IT service whether it s running on traditional infrastructure or the cloud. Statistically, fewer breaches happen on cloud platforms but, when they do, they make the news like the ones that affected icloud, Sony and Moonpig. The consequences go far beyond the high fines. The negative publicity and the loss of trust can be much harder to deal with. It s bad enough for commercial firms, but for government departments and organisations entrusted with sensitive citizen data, the fallout can be much worse. So when you re choosing a cloud platform or provider, you re naturally concerned about how well the citizen data in your care will be protected against viruses, malware and other cyber threats. But there s also another important consideration: assuring the privacy of that data, and knowing where it will be stored and processed. 3

4 Data privacy what PRISM can tell us Edward Snowden s revelations about PRISM a data-collection program authorised by the US Foreign Intelligence Surveillance Act (FISA) raised significant concerns about the reach of foreign surveillance programmes, and their effect on the privacy of data held and processed by US internet and cloud service providers (ISPs and CSPs). PRISM collected foreign intelligence passing through American servers as a counter-terrorism measure without the consent of the data owners or controllers. Many US-based ISPs and CSPs including Microsoft, Yahoo, Google and AOL were implicated. The global nature of many cloud services throws data privacy issues into stark relief. That s because, if a cloud service stores and processes data across geographical borders, it s possible for more than one legal jurisdiction to have an impact on the privacy of that data. What does that mean when you re choosing a cloud provider? If you choose a cloud platform operated by a US-based or other overseas provider, the citizen data you re responsible for could be subject to foreign surveillance without your knowledge compromising its privacy. 4

5 I don t know where my is, I don t know what country it s in, I don t know what laws are regulating it, I don t even know if the vendor knows where my is! That s going to change. You can t just be searching on the internet, using consumer services, doing various things and you don t know what s going on. You re going to have to have complete and total disclosure. Mark Benioff, CEO, salesforce.com, speaking at the 2015 World Economic Forum in Davos during a debate on government s ability to access personal data and the impact on consumer trust 5

6 Five things you need to know The five points that follow will help you understand the data security and privacy issues you need to think about, and how to mitigate them Breaching the UK Data Protection Act can lead to big fines and reputational damage. Make sure you know where your data will be processed and stored, and by whom. You re responsible for validating suppliers statements about security and understanding data jurisdiction. Take that responsibility seriously interrogate your suppliers. Safe Harbor isn t really safe, and doesn t exempt US companies from US law. Ask yourself who you re contracting with, and whether UK or US law prevails. Data disclosure is a global issue. If you contract with an overseas supplier, your data could be subject to foreign surveillance. There s a growing trend towards keeping data sovereign. Most parliamentarians we surveyed believe UK public sector data should be processed in the UK. 6

7 1 Breaching the UK Data Protection Act can lead to big fines and reputational damage Data protection law, such as the UK Data Protection Act, applies whenever a data controller processes personal data. A data controller determines the purposes for which, and the manner in which, personal data is processed. A data processor processes or stores the data. The UK Data Protection Act 1998 (DPA) is based on these principles: 1. Data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the DPA 2. Data should be obtained only for specified and lawful purposes 3. Data should be adequate, relevant and not excessive 4. Data should be accurate and, where necessary, kept up to date 5. Data should not be kept longer than is necessary for the purposes for which it is processed 6. Data should be processed in accordance with the rights of the data subject under the DPA 7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data 8. Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data Principle 8 isn t just a technical requirement: it s a legal requirement. You need to be confident that your supplier is providing adequate legal protection for the sensitive personal data about citizens that s under your control. 7

8 Data controllers must put written contracts in place with their data processors which set out what the data processor may or may not do with the personal data, including what security measures should be taken to safeguard the data. In particular, your G-Cloud suppliers must not pass the data you control to third parties, including sub-contractors, without your written consent. Your G-Cloud suppliers must also put in place technical and organisational measures to protect your data. Failure to do so would breach both the DPA and the terms of the G-Cloud framework and its call-off contracts. What could happen if you breach the DPA? Apart from causing significant reputational damage, breaching the DPA can lead to fines of up to 500,000 from the Information Commissioner. Make sure you know where your data will be processed and stored, and by whom. 8

9 2 You re responsible for validating suppliers statements about security and understanding data jurisdiction The introduction of the Government Security Classifications Policy (GSCP) means you can no longer rely on the assurance previously provided by CESG Pan Government Accreditation (PGA) to understand whether a supplier s systems will protect your data appropriately. Over to you Now it s up to you to determine whether suppliers comply with the government s 14 Cloud Security Principles. You must validate their statements of compliance ranging from their own assertions to formal assurance by an independent third party and decide whether you re satisfied with the security and integrity of their services. You also have to be sure you know where in which country a supplier will process and store your data, in order to understand: The legal implications of data jurisdiction and the circumstances in which your data could be accessed without your consent How a supplier s data-handling controls relate to the UK DPA What you should look for in a supplier To avoid any nasty surprises, you ll want to look for suppliers who: Have independent third-party accreditation of their compliance with the 14 Cloud Security Principles Use security-cleared personnel for data processing activities Are UK-registered companies that keep data in the UK only Process data in accordance with the DPA and the lawful instructions of the data controller (your organisation) 9

10 3 Safe Harbor isn t really safe, and doesn t exempt US companies from US law The EU US Safe Harbor agreement is a voluntary arrangement by which US companies comply with EU data processing regulations. It s long been regarded as a way of de-risking exposure to the US Patriot Act, a counter-terrorism measure which can force US companies to disclose information to the US government. Why can Safe Harbor no longer be considered safe? In 2014 the Center for Digital Democracy, a US consumer protection and privacy organisation, lodged a complaint against 30 US companies which weren t complying with Safe Harbor In 2014, in the wake of Edward Snowden s PRISM revelations, the European Parliament called for the suspension of Safe Harbor In 2015 German data protection authorities filed proceedings against US companies that allegedly don t comply with Safe Harbor, sending US companies the message that they need to pull their data protection socks up or find themselves designated an unsafe harbor 10

11 FISA effectively makes Safe Harbor irrelevant, as it allows the US government to oblige any US company to hand over data on request, without informing the people affected. So Microsoft, a US company, is having to fight the US federal government in the courts to prevent the handover of customer s which reside on Microsoft servers in Dublin, Ireland. Caspar Bowden, Microsoft s former Chief Privacy Advisor, went on record with the statement: If you are not American, you cannot trust U.S. software services. He went on to say that non-compliance with the US government could lead to an espionage charge and up to 20 years in prison. Plainly, Safe Harbor doesn t exempt US companies from US law. If you are not American, you cannot trust U.S. software services. Caspar Bowden, Microsoft s former Chief Privacy Advisor 11

12 Ask yourself who you re contracting with To protect citizen and other sensitive data from programmes like PRISM and overseas legislation like FISA, you ll want to work with suppliers who can prove they: Are registered in the UK Are not subsidiaries of overseas companies Have their physical premises in the UK Keep data in the UK only The UK government clearly recognises the potential risks of working with overseas cloud providers, as any central government department wishing to offshore data, or make use of a cloud service with data storage, processing or management offshore, needs agreement from the Cabinet Office OGSIRO (Office of the Government Senior Information Risk Officer). 12

13 Whether you re an enterprise vendor or a consumer vendor we need to all open up a lot more to be able to say exactly where is the data, what s going on with the data, who has the data and if there s a problem with the data whether it s a security problem or some other issue there is immediate disclosure and complete and total transparency. Mark Benioff, CEO of salesforce.com, speaking at the World Economic Forum, Davos 2015 Edward Snowden did more to create a future with many clouds in many locations than any tech company has done. Steve Herrod, former CTO of VMware 13

14 4 Data disclosure is a global issue It would be unfair to claim that issues around data disclosure law relate only to the US, or only to US ISPs and CSPs. Many countries, including the UK, have similar legislation. Between January and June 2014: Microsoft Received more than 34,000 law enforcement requests They came from 68 countries They related to over 58,000 accounts Microsoft released at least some data in response to over 75% of the requests Google Received over 31,000 law enforcement requests They came from 68 countries They related to over 48,000 accounts Google released at least some data for 65% of the requests 14

15 Can a foreign government request your data? To understand the legal circumstances in which the citizen data entrusted to you could be accessed without your consent, you need to know the geographical location in which a supplier will store and process it. Here s an example: a US government body could instruct Microsoft to release data to it that belongs to a UK organisation. Microsoft wouldn t have to ask a UK court or the UK government for permission to do so, nor even make them aware it was releasing the data. What would the UK public think if they thought data about them could be released to other countries without their knowledge? How can you minimise the risk? If your supplier is a UK company which keeps data in the UK only, your data won t be exposed to data disclosure requests from other countries, unless a UK court explicitly instructs the supplier to release it. 15

16 5 There s a growing trend towards keeping data sovereign When Skyscape Cloud Services asked the House of Commons and the House of Lords about their attitudes to data location and jurisdiction, a clear majority said that UK public sector data should be securely processed in the UK, by security-cleared personnel. The European General Data Protection Regulation (GDPR), which becomes law in 2017 and will replace the UK DPA, aims to harmonise European data protection regulation and make Europe as a whole a much safer place to store and process data. It will put more emphasis on individual rights and increase transparency. It will also increase the penalties for breaching the regulation to up to 5% of an organisation s global turnover or 100 million, whichever is the greater. A voluntary Data Protection Code of Conduct for European CSPs is being developed and embedded in the draft regulation. Skyscape and other CSPs are working hard to make sure the code strikes the right balance between keeping data safe and facilitating digital growth in Europe. 16

17 How can you assess the risks? To make an informed risk assessment about which cloud services will provide appropriate protection for your data, you need to: Be sure you know where in which country your data will be processed and stored Clearly understand the legal implications Over 80% of the MPs and almost 100% of the peers we surveyed agreed that the UK provides adequate protection for processing public sector data. 17

18 Keep out of the headlines by making the right decisions about cloud Data privacy concerns and the global nature of many cloud services create legal and regulatory ambiguities for public sector cloud buyers. These are compounded by the introduction of the GSCP, which means public sector cloud buyers can no longer rely on the assurance provided by PGA. Instead, it s up to the buying organisation to: Validate the statements made by G-Cloud suppliers about the security and integrity of their services Identify the geographical location where their data will be processed and stored Understand how data-handling controls will be managed in relation to prevailing UK legislation As the SIRO or civil servant responsible for the security and privacy of the citizen data entrusted to your organisation, you have to decide whether the risk of exposing your data to non- UK authorities is acceptable. Keeping data securely in the UK, with a UK-sovereign data processor, is the best mitigation you can have. Skyscape is a UK company, with UK data centres run by UK-based, security-cleared staff. By hosting your services on our assured UK-sovereign cloud platform, you can realise the benefits of cloud and deliver better public services safe in the knowledge that your data will be securely stored and processed exclusively in the UK. 18

19 About Skyscape Skyscape s assured cloud solutions are designed to meet the exclusive needs of the UK public sector. We deliver UK-sovereign services that are easy to adopt, easy to use and easy to leave, and offer genuine pay-by-the-hour consumption models. A UK SME, we ve won high-profile contracts via the G-Cloud framework and by working with our many channel partners who embed the Skyscape cloud platform in their solutions. All our services are Pan Government Accredited (PGA) up to IL3, so suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE). The Skyscape cloud platform is connected to government networks including the Public Services Network (PSN) and the N3 health network. We offer IaaS, PaaS and SaaS services: IaaS compute and storage on demand SaaS services providing messaging and document management capability PaaS based on Cloud Foundry and Hadoop All our services are hosted in one or both of our highly resilient Tier 3 UK data centres in Farnborough and Corsham. We deliver them using leading technologies from our Cloud Alliance partners: QinetiQ, VMware, Cisco, EMC and Ark Continuity. The Cloud Alliance provides a collaborative resource which drives innovation and technical product development, helping to continually improve our offering to meet the needs of the UK public sector. Skyscape provides cloud services in an agile, secure and costeffective manner. We strive to deliver solutions that harness technology as a way to facilitate the changes needed to streamline processes and reduce costs to support the UK public sector and, ultimately, UK citizens and taxpayers. 19

20 Skyscape Cloud Services Limited A8 Cody Technology Park Ively Road Farnborough Hampshire GU14 0LX +44 (0) SC-GEN /2015 Skyscape Cloud Services Limited All Rights Reserved.