How To Understand Data Privacy In Cloud Computing

Transcription

1 Data Protection ti & Privacy Data Privacy in Cloud environment Kjell Ohlsson 7 th March 2013

2 Who? Presenter: Kjell Ohlsson - AstraZeneca Audience: Swedish Association of Research Quality Assurance SARQA annual meeting. Timing: 45 minutes including Q&A 2 Kjell Ohlsson March 2013 R&D R&D Information

3 Objectives Give basic understanding of Data Protection & Privacy + Cloud Computing Raise awareness around Data Privacy risks in Cloud environments 3 Kjell Ohlsson March 2013 R&D R&D Information

4 Basic understanding of Data Protection & Privacy + Cloud Computing 4 Kjell Ohlsson March 2013 R&D R&D Information

5 Data Privacy Important Definitions Data subject (Den registrerade) Identifiable natural person. I.e. not a legal entity. 5 Kjell Ohlsson March 2013 R&D R&D Information

6 Data Privacy Important Definitions Data subject (Den registrerade) Personal Data (Personuppgift) Examples Name Identification numbers Gender Age Nationality Language(s) spoken Private/home address Telephone number address Sensitive Personal Data (Känslig personuppgift) Examples Health Labour relations Racial or ethnic origin Political opinions Religious beliefs Criminal history Sexual preferences Data that makes the Data Subject identifiable 6 Kjell Ohlsson March 2013 R&D R&D Information

7 Data Privacy Important Definitions Data subject (Den registrerade) Personal Data (Personuppgift) Sensitive Personal Data (Känslig personuppgift) Data Controller (Personuppgiftsansvarig) Typically a company 7 Kjell Ohlsson March 2013 R&D R&D Information

8 Data Privacy Important Definitions Data subject Personal Data Sensitive Personal Data (Den registrerade) (Personuppgift) (Känslig personuppgift) Data Controller (Personuppgiftsansvarig) Typically a company Proce essor(s) (Per rsonupp pgiftsbitr räde(n)) 8 Kjell Ohlsson March 2013 R&D R&D Information

9 Data Privacy Principles Ensuring Transparency and Notification about intended data use 9 Kjell Ohlsson March 2013 R&D R&D Information

10 Data Privacy Principles Using Personal Data for a known purpose only. Keep usage in order and no cheating!?? 10 Kjell Ohlsson March 2013 R&D R&D Information

11 Data Privacy Principles Ensuring Data Quality, meaning data is accurate and up-to-date?? 11 Kjell Ohlsson March 2013 R&D R&D Information

12 Data Privacy Principles Retention. Don t keep data longer than necessary?? 12 Kjell Ohlsson March 2013 R&D R&D Information

13 Data Privacy Principles Honouring individual s rights. Data subjects must have right to access their data and if necessary, correct it.?? 13 Kjell Ohlsson March 2013 R&D R&D Information

14 Data Privacy Principles Taking appropriate security measures to protect data from loss, damage and unauthorized disclosure?? 14 Kjell Ohlsson March 2013 R&D R&D Information

15 Data Privacy Principles 3 rd parties must adopt appropriate security measures 15 Kjell Ohlsson March 2013 R&D R&D Information

16 Data Privacy Principles Overseas Transfers must be controlled and data adequately protected?? 16 Kjell Ohlsson March 2013 R&D R&D Information

17 Data Privacy Principles Sensitive Personal Data must be especially protected and only used with consent (if no exception applies)?? 17 Kjell Ohlsson March 2013 R&D R&D Information

18 Global Data Privacy Laws as of October 2012 HIPAA + Safe Harbor Privacy Protection std Banisar, David, National Right to Information Laws, Regulations and Bills 2012 Map (October 8, 2012). Available at SSRN: or org/ Kjell Ohlsson March 2013 R&D R&D Information

19 Cloud Computing Introduction Cloud computing is a style of computing in which elastic ITenabled capabilities are delivered as a service to external customers using Internet technologies The name comes from the use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user's data, software and/or computation. Source: Wikipedia Source: Wikipedia+Gartner Common examples of services include: Dropbox.com, icloud.com, skydrive.live.com (e.g. for info-sharing) gmail.com, outlook.com, me.com (mail services) Netflix (streaming video) 19 Kjell Ohlsson March 2013 R&D R&D Information

20 Cloud computing Value proposition (detailed in backup slides) 1. Elastic Capacity. 2. Quick and easy deployment. 3. No Capital expenditure, No initial investment. 4. Pay as you go, for what you use. 5. Focus on your business! 20 Kjell Ohlsson March 2013 R&D R&D Information

21 Cloud Computing Deployment Models Public Cloud Infrastructure available to anyone via Internet. This is typically what is denoted d The Cloud. Private Cloud Infrastructure dedicated to an individual organisation. Complicated. Doubtful financial and management savings. Hybrid Cloud Dedicated and publicly available infrastructure co-exist. This is most likely where most organizations will end up when going for the cloud. 21 Kjell Ohlsson March 2013 R&D R&D Information

22 Cloud Computing Services (subset of XaaS =Anything as a Svc) 22 Kjell Ohlsson March 2013 R&D R&D Information

23 Cloud Computing Services (subset of XaaS =Anything as a Svc) 23 Kjell Ohlsson March 2013 R&D R&D Information

24 Objectives Data Privacy risks in Cloud environments 24 Kjell Ohlsson March 2013 R&D R&D Information

25 Data Privacy and Cloud Computing Introduction 25 Kjell Ohlsson March 2013 R&D R&D Information

26 Data Privacy and Cloud Computing Introduction 26 Kjell Ohlsson March 2013 R&D R&D Information

27 Cloud Computing Privacy Risks Overview There are 3 main Privacy related risks associated with Cloud Services: Lack of control over the Personal Data Where is it? How is it? Can we get to it? Lack of information about the processing of the Personal Data What is being done with it? By whom? Lack of, or insufficient ability to, influence the contract with the cloud service provider Not trivial to do anything about the previous risks. 27 Kjell Ohlsson March 2013 R&D R&D Information

28 Cloud Computing Privacy Risks Lack of Control over Data A cloud provider may use its physical control over data from different clients to link Personal Data E.g. due to weak interoperability because of vendor relying on proprietary technology, or due to lack of appropriate backup / Disaster Recovery arrangements Lack of isolation Lack of availability A cloud provider may not provide the necessary measures and tools to assist in responding to access, deletion or correction requests Lack of data subject rights A C I Lack of integrity E.g. due to sharing of resources Personal Data emanating from a wide range of sources in terms of data subjects and organisations mean there could be conflicting interests/ different objectives Lack of intervenability Lack of confidentiality Due to the complexity and dynamics of an outsourcing chain Eg E.g. due to law enforcement requests made directly to a cloud provider from foreign governments. (E,g FISAAA in USA) 28 Kjell Ohlsson March 2013 R&D R&D Information

29 Cloud Computing Privacy Risks Lack of Information about processing Insufficient information about a cloud service provider s processing operations poses a risk to Data Controllers and Data Subjects. We may not be aware of potential threats and risks, and therefore can t take measures to mitigate them. Potential threats include: Chain processing is taking place involving multiple processors and subcontractors (sub-processors). Personal Data are processed in different geographic locations within the EEA (=EU + Iceland, Liechtenstein & Norway) this impacts on the law applicable to any data protection disputes which may arise between user and provider. Personal Data is transferred to 3 rd countries outside the EEA. 3 rd countries may not provide an adequate level of protection and transfers may not be safeguarded by appropriate measures (e.g. standard contractual clauses / binding corporate rules) and therefore may be illegal. 29 Kjell Ohlsson March 2013 R&D R&D Information

30 Cloud Computing Privacy Risks Lack of Influence over Contract Under privacy legislation in many countries, Company X will remain the data controller of the personal data and therefore will be liable for any privacy breaches caused by any 3 rd party processors. Company X Authorities Despite this, Company X may not have the ability to negotiate the contractual terms of the cloud service as standardised contracts are a feature of many cloud service providers (e.g. Google, Amazon and Apple). Big Cloud provider It is also difficult to ensure that any contracts between the cloud service provider and their sub-contractors have appropriate protection for Personal Data. 30 Kjell Ohlsson March 2013 R&D R&D Information

31 To summarize Basic concepts of Data Protection & Privacy + Cloud Computing Reasoning around Data Privacy in Cloud environments and the risks introduced 31 Kjell Ohlsson March 2013 R&D R&D Information

32 Questions? 32 Kjell Ohlsson March 2013 R&D R&D Information

33 Backup slides Privacy/Cloud Information from Swedish Data Inspection Board (Datainspektionen) Article about legislation l that t affects privacy Detailed Value proposition for Cloud computing 33 Kjell Ohlsson March 2013 R&D R&D Information

34 Attached documentation Data Inspection Board (Datainspektionen) information material faktablad-molntja nster.pdf faktablad-cloudse rvices.pdf Article about legislation that potentially affects privacy euobserver.com_j ustice_ Kjell Ohlsson March 2013 R&D R&D Information

35 1. Elastic capacity Scaling up and down in minutes No need to provision Optimize resources based on your needs Can easily manage unexpected peaks 35 Kjell Ohlsson March 2013 R&D R&D Information

36 2. Quick deployment IT infrastructure is no longer a barrier Easier to test different solution No need to wait for provisioning Shorter development cycles 36 Kjell Ohlsson March 2013 R&D R&D Information

37 3. No Capital expenditure No initial investment needed No commitments 37 Kjell Ohlsson March 2013 R&D R&D Information

38 4. Pay as you go Clear pricing models Pay for compute power by the hour Pay for storage by the gb Pay for transfer per gb Pay per end user.pay as you go Remember, this is all elastic. Easy to turn on/off resources 38 Kjell Ohlsson March 2013 R&D R&D Information

39 5. Focus on business No need to build from scratch, Services are out there to reuse Much is automated no waiting You can spend more time on value add activities 39 Kjell Ohlsson March 2013 R&D R&D Information

40 Confidentiality Notice This file is private and may contain confidential and proprietary information. If you have received this file in error, please notify us and remove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorized use or disclosure of the contents of this file is not permitted and may be unlawful. AstraZeneca PLC, 2 Kingdom Street, London, W2 6BD, UK, T: +44(0) , F: +44 (0) , 40 Kjell Ohlsson March 2013 R&D R&D Information