Welcome & Introductions

Transcription

1 Addressing Data Privacy and Security Compliance in Cloud Computing Benjamin Hayes, Director of Legal Services, Data Privacy Compliance North America Accenture Copyright 2011 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Welcome & Introductions Benjamin Hayes, CIPP, CIPP/C, CIPP/G, CIPP/IT, CIPP/E Director of Legal Services, Data Privacy Compliance North America Accenture, LLP Copyright 2011 Accenture All Rights Reserved. 2 What does Accenture do? $31B company 250,000+ employees in 64 countries 3 lines of business: Management Consulting Business Process Outsourcing Technology / System Integration Copyright 2011 Accenture All Rights Reserved. 3 1

2 Agenda Introductions Data Privacy Legal Regulatory Update The Data Privacy legal landscape Recently enacted data privacy laws Cloud Computing Data Protection Compliance Considerations Overview: The Current Landscape Compliance Challenges Allocation of Responsibility Practical Considerations in working with Cloud Suppliers Discussion Copyright 2011 Accenture All Rights Reserved. 4 Data Privacy Legal Landscape Copyright 2011 Accenture All Rights Reserved. 5 Scope and substance of data privacy laws The privacy legal landscape Data Privacy laws address: the way in which companies and government bodies may collect, use, store, disclose, share, transfer and otherwise process personal data about individuals. Personal Data = any information about an identified or identifiable individual Duties of Companies when holding, using and sharing personal data of any individual, whether as a data owner or a service provider Rights of individuals in relation to their personal data e.g., right to access. Powers of supervisory government body to oversee and enforce the law, conduct investigations, impose sanctions for violations. Copyright 2011 Accenture All Rights Reserved. 6 2

3 3 Models for Privacy Laws General laws apply to all collection, use and disclosure of personal data (the omnibus model ) - Customers - Employees - Business contacts Sectoral laws apply only to specific business sectors like health care, financial services - Most broadly adopted in US and Asia No regulation - Privacy laws began in US/Europe and have spread to other parts of the world, but not universal Copyright 2011 Accenture All Rights Reserved. 7 Privacy Laws Around the World The privacy legal landscape 8 Copyright 2011 Accenture All Rights Reserved. 8 Major Data Privacy Legal Changes New laws: India (IT security regulations) Malaysia Mexico Peru China Philippines Changes / enhancements to existing laws: EU (E-Privacy Directive implementation) Taiwan South Korea Proposed additional changes: EU (changes to EU DP framework) Copyright 2011 Accenture All Rights Reserved. 9 3

4 Recently Enacted Data Privacy Laws APAC Taiwan, South Korea, China, India Comprehensive data privacy laws being adopted by countries which previously had none. Taiwan (effective November, 2011) - Aligns to EU standards, with variations on consent requirement. South Korea (effective September 30, 2011) - Similar to EU, but more restrictions on data exports (addl. guidance expected); restrictions on the use of CCTV. China - Jiangsu province (effective January 1, 2012) - EU-style law only in the province of Jiangsu the first comprehensive DP law at any level in China. Copyright 2011 Accenture All Rights Reserved. 10 Recently Enacted Data Privacy Laws: India Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 Effective as of May, 2011 Issued under the authority of 2001 IT Act, as amended Applies only to sensitive personal information name (and any other data) in conjunction with: Financial account data Health information Passwords / biometric data Sexual orientation Initially thought to apply to data brought to India for processing, outsourcing was excluded from the regulations scope by Government clarification (Aug 2011). Copyright 2011 Accenture All Rights Reserved. 11 Recently Enacted Data Privacy Laws South America Mexico, Peru Mexico - Similar to Canada, the law basically aligns with EU standards, but does not include data export restrictions. - Data security regulations released Dec., 2011 Peru - The law basically aligns to EU standards, including restrictions on trans-border data flows. - No data breach notification requirements. Copyright 2011 Accenture All Rights Reserved. 12 4

5 Significant changes to EU Data Protection (Privacy) Directive planned January, the European Commission has issued a DRAFT Data Protection Regulation which would replace the existing EU Data Protection Directive Most of the current substance of the DP Directive will remain in force, but with several added requirements: Data security breach notification required to clients or to individuals within 24 hours Service Providers ( data processors ) would be directly regulated with regard to security and certain other provisions. Opt-in consent required (particularly for marketing) in many cases where it is not required currently Companies larger than 250 employees required to have data privacy officer with certain responsibilities. Copyright 2011 Accenture All Rights Reserved. 13 Trends in the new laws General trend is to embrace EU-style fair information practices (FIPs), but move away from EU-style data export restrictions (with some exceptions). Sometimes called the Canadian Model More attention to data security, but less technically prescriptive laws. More focus on independent standards regimes like ISO and PCI Data Security Standard. Growing acceptance of the Accountability Model which would articulate general principles of privacy laws, but would leave it to companies and third-party standards-setting bodies to create detailed program standards. Greater focus on Privacy by Design responsibility to build data privacy functionality into software and other technology. Copyright 2011 Accenture All Rights Reserved. 14 Cloud Computing Overview of the Current Landscape & Compliance Challenges Copyright 2011 Accenture All Rights Reserved. 15 5

6 A Working Definition of Cloud Computing Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud model allows for flexibility and scalability. There are three service models and four deployment models. Copyright 2011 Accenture All Rights Reserved Cloud Service Models Cloud Software as a Service (SaaS) Cloud provider hosts software so it doesn t need to be installed or managed and hardware doesn t need to be purchased for it Cloud Platform as a Service (PaaS) Black-box services with which developers can build applications on top of the computing infrastructure Cloud Infrastructure as a Service (IaaS) Processing, storage, network capacity, and other fundamental computing resources are rented Copyright 2011 Accenture All Rights Reserved Cloud Deployment Models Public cloud sold to the public; mega-scale infrastructure Private cloud enterprise owned or leased (e.g., co-location services) Hybrid cloud composition of two or more clouds Community cloud shared infrastructure for a specific community Copyright 2011 Accenture All Rights Reserved. 18 6

7 Compliance Challenges Data Security, Availability Compliance with strict technology standards (e.g., HIPAA, PCI, Spain, Italy, Romania) Data ownership Allocation of responsibility for security Exposure of data to government subpoenas (Patriot Act, India) Data retention and destruction issues Quality of service guarantees Attraction to hackers-especially for public clouds Possibility for massive outages vs. data availability requirements Copyright 2011 Accenture All Rights Reserved. 19 Compliance Challenges Who is subject to the law? Most privacy laws apply to classes of entities, instead of classes of data. The effect is that service providers are typically not governed directly by privacy laws, but by service contracts with data owners (clients). Cloud particularly public cloud service contracts are not designed to be highly negotiated. Indeed, for most customers they are not intended nor will they be negotiated at all. Where does this leave the data owner who must satisfy privacy and security requirements under X law, to which the cloud supplier is not subject? Copyright 2011 Accenture All Rights Reserved. 20 Compliance Challenges (cont.) How the EU Views Cloud Computing Mere hosting, even without logical access to data, is still considered processing under EU privacy laws. Insistence on standard EU Model Clauses or Safe Harbor to create a lawful basis for non-eu data storage. Concern and suspicion about access by foreign (e.g. U.S., India, China) governments to data stored in non-eu cloud. Some EU regulators taking the view that EU businesses should use EU-only clouds. Required already under certain public sector rules. Under new proposed EU rules, non-eu cloud providers might be subject to extraterritorial EU laws when hosting EU data. Copyright 2011 Accenture All Rights Reserved. 21 7

8 Cloud Computing Allocation of Responsibility Copyright 2011 Accenture All Rights Reserved. 22 How is Cloud different than traditional hosting? In traditional hosting, an entire application and its data reside on known physical machines. - In cloud computing, application and data are on known virtual servers, but physical location is dynamic and always changing. In traditional hosting, host plays an active role in configuration and/or maintenance of the application and its data responsible for backups, network security, etc. - (IaaS / PaaS) Cloud is more self-service for application owners many optional functions and components, but nothing works until configured and activated by the application owner. Example: backup no backup will occur unless the data controller chooses and provisions a backup mechanism; then provider is responsible for executing it Copyright 2011 Accenture All Rights Reserved. 23 The effect of virtualization on the roles of the parties Virtualization means that applications and data are split up across many physical servers. s and data can only be reassembled by the virtualization layer, without access to the VL the data is viewable only as unreadable 1s and 0s. In IaaS and PaaS cloud models, system administrators may not have access to client-controlled virtualization layers the effect is no access to data. Important to understand exactly what access and where it occurs cloud provider has. The implication is that Cloud providers (other than SaaS) have no ability to control application-level security (e.g. access rights, authentication, encryption, logging, data quality, etc.) these functions must be established and maintained by the manager of the application. SaaS is different in this model the cloud provider is also responsible for application-layer security. Copyright 2011 Accenture All Rights Reserved. 24 8

9 Cloud requires a reallocation of responsibilities: Substantive Data Privacy requirements (Fair Information Practices) must be met entirely by data controllers in IaaS / PaaS models. Shared responsibility in SaaS but who is responsible for software design? Any security requirement that can be executed at the application or database level (e.g., authentication, access logs, encryption, password complexity, etc.) are responsibility of application manager. Justice is blind the law requires that things be done, but is not particular as to who does them IaaS / PaaS providers are left with a residuary of physical, facilities, network and hardware responsibilities, as well as logging and access controls for helpdesk and admin super-users. Copyright 2011 Accenture All Rights Reserved. 25 System Component Responsibility and Control by Cloud Type On Premise Infrastructure as a Service Platform as a Service Software as a Service User Managed Architecture System Software Database Operating System Physical security User Managed Architecture System Software Database Operating System Physical security User Managed Architecture System Software Database Operating System Physical security Cloud Architecture System Software Database Operating System Physical security Cloud Servers Servers Servers Servers Storage Storage Cloud Storage Storage Network Network Network Network Encryption Encryption Encryption Encryption Copyright 2011 Accenture All Rights Reserved. 26 Common Fallacies Encrypting data absolves the cloud supplier of any responsibility for security If the application is stored on the cloud, data typically cannot be encrypted during use by the application Cloud host admin personnel or help desk often have some type of access (more common in PaaS than IaaS, very common in SaaS) All compliance can occur at the application level HIPAA, Spain, Italy, others have physical, hardware and other security requirements that can only be met by a data host. Copyright 2011 Accenture All Rights Reserved. 27 9

10 Perspective from a Cloud System Integrator Copyright 2011 Accenture All Rights Reserved. 28 Accenture s position as a reseller of third-party cloud services Cloud Terms of Service Client requirements Copyright 2011 Accenture All Rights Reserved. 29 What is the problem? Public Cloud 1.0 business model (c. 2009) did not address clients legal compliance needs. Standard terms for cloud services are typically insufficient to meet clients regulatory requirements for regulated data, and are presented as non-negotiable -Result: regulated data could not be placed into the cloud. Situation began to change in 2011 This is now changing as some cloud suppliers see privacy and security compliance as a competitive differentiator More willingness to accept EU Model Clauses, to certify to independent security standards, to Copyright 2011 Accenture All Rights Reserved

11 Accenture s Solution the Mother of All Security Schedules (MOASS) For use only with IaaS and PaaS providers Based on 33 privacy and security laws in 29 countries Derived from the superset of security requirements Does not address PCI Data Security Standard (payment card data) Does not include requirements that can be executed as part of application management these are the responsibility of the application manager (either the client or the system integrator) Includes EU Model Clauses, a HIPAA Business Associate Agreement, and terms drawn from laws in most major economies. Suppliers who agree to terms can be said to comply with their portion of responsibilities under most privacy laws. Copyright 2011 Accenture All Rights Reserved. 31 A pragmatic approach to compliance in the cloud Copyright 2011 Accenture All Rights Reserved. 32 Practical considerations Understand the landscape Going into the cloud with eyes open means: Understand that the cloud is a more self-service service model than traditional hosting or ASP services. Chances are excellent that your company will retain most of the responsibility for application-related compliance requirements. Do not expect to devolve a significant number of compliance responsibilities or a significant amount of liability for data breaches to the cloud. Do not expect a high degree of visibility into the technical operations of your cloud. Bottom line: cloud is low-cost, commoditized computing power that can create powerful business cases for its use, but you re largely on your own when it comes to compliance. Copyright 2011 Accenture All Rights Reserved

12 Practical considerations Understand the data Identify: -- what data will be moved to the cloud? -- what law(s) is it subject to? -- which requirements can be performed at the application level, or using a la carte PaaS services? Whatever cannot be managed directly by the data controller / application manager must be flowed down to the cloud host by contract: -- Physical security -- Hardware requirements -- Access, authentication, logging, and workstation controls for cloud admin / helpdesk personnel with access to data Copyright 2011 Accenture All Rights Reserved. 34 Practical Consideration - Understand the proposed cloud Where are the data centers? -- You don t need a street address just what countries? What supplier personnel can obtain access to production data and under what circumstances? -- Where (what countries) are these people based? What do standard terms and conditions include? -- EU Model Clauses or Safe Harbor? -- Attestations concerning specific security measures to be followed? -- Audit rights? If standard terms do not address all compliance requirements, will supplier agree to alter standard terms? -- If not, STOP. If you have unmet compliance responsibilities and the supplier won t accommodate them in the contract, change suppliers or explore hybrid cloud options. Does the supplier have credible audit reports it is willing to share, or will it allow you to perform a security review? What SLAs will the cloud commit to regarding uptime, availability of data, portability, etc? Copyright 2011 Accenture All Rights Reserved. 35 Practical Consideration - Manage expectations about flow-downs Recognize that cloud suppliers will not negotiate terms like other subcontractors: Willingness to negotiate terms at all may be tied to minimum monthly spend commitments Full rights of audit for data security are not likely to be agreed Unlimited liability for data breaches is basically impossible Important to understand what terms supplier has accepted with other clients and whether there is any opportunity to negotiate if terms do not appear to support your compliance requirements. Copyright 2011 Accenture All Rights Reserved

13 Resources Discussion Copyright 2011 Accenture All Rights Reserved. 37 Contact Information Contact: Ben Hayes Director of Legal Services, Data Privacy Compliance North America Copyright 2011 Accenture All Rights Reserved