Cloud Computing: Making legal aspects less cloudy
Erik Luysterborg, Partner Cyber Security & Privacy Belgium, EMEA Data Protection & Privacy Leader
30 September 2014
Contents
A. Introduction: a short walk in the cloud
B. Samples of Cloud Solutions
C. Conclusions
Annex: Possible remediation and (Cloud) best practices
A. Introduction: a short walk in the cloud
A. Introduction: Cloud Computing Definition
- Cloud computing is a collection of services delivered through the Net.
- Cloud computing is about Business Agility and Time to Market.
A. Introduction: Key Drivers of Cloud Computing
(The original slide shows a diagram with "Cloud Drivers" at the centre; the drivers around it are:)
- Data Access
- Globalization
- Cost Pressure
- Green IT
- Availability
- Global Talent Shortage
A. Introduction: Cloud vs traditional IT

On premise computing:
- Single tenant
- No third party dependency
- No contract
- Internal execution of controls
- Physical and logical protection

Traditional Outsourcing:
- Single tenant
- Dependence on outsourcing provider
- Long term annual contract
- Shared execution of controls
- Physical and logical protection

Cloud computing:
- Multi tenant
- Dependence on cloud provider, which might depend on other providers
- Short term standard contract
- Potentially unclear execution of controls
- Physical protection becomes logical protection
A. Introduction: Types of cloud services
Cloud computing technology is deployed in three general types, based on the level of internal or external ownership and technical architectures.
- Vendor cloud (External): Cloud computing services from vendors that can be accessed across the Internet or a private network, using systems in one or more data centers, shared among multiple customers, with varying degrees of data privacy control. Sometimes called public cloud computing.
- Private cloud (Internal): Computing architectures modeled after vendor clouds, yet built, managed, and used internally by an enterprise; uses a shared services model with variable usage of a common pool of virtualized computing resources. Data is controlled within the enterprise.
- Hybrid cloud: A mix of vendor cloud services, internal cloud computing architectures, and classic IT infrastructure, forming a hybrid model that uses best-of-breed technologies to meet specific needs.
A. Introduction: Key Risk Domains
(The original slide shows a diagram spanning cloud user organizations and cloud service providers across the SaaS, PaaS and IaaS layers; the risk domains shown are:)
- Governance and Business-IT alignment
- Security
- IT organization readiness
- Vendor maturity and viability
- Control and compliance
- Availability and performance
A. Introduction: Key Legal Risk Domains
(The original slide shows a diagram spanning cloud user organizations and cloud service providers across the SaaS, PaaS and IaaS layers; the legal risk domains shown are:)
- Confidentiality
- Liability
- Privacy & Security
- Service Level Agreement
- Intellectual Property Rights
- Applicable Law
- Termination or Suspension of Service
A. Introduction: Sample challenges to protect against
- Data Breaches: Flaws in one client's application could lead to breaches of other clients' data as well.
- Data Losses: Permanent data losses can happen as a result of an attack on a cloud provider, but also due to physical catastrophes at the data storage site.
- Account Hijacking: Malicious access to a cloud account can lead to attackers eavesdropping on all activities and transactions, manipulating data and/or redirecting clients to illegitimate sites.
- Insecure APIs: Insecure APIs expose organizations to various security issues related to confidentiality, integrity, availability and accountability.
- Denial of Service Attacks: DoS attacks on cloud providers can lead to all accounts being disabled and/or client services becoming so expensive to run that clients are forced to take them down themselves.
- Malicious Insiders: Malicious insiders are an increased risk for systems depending solely on cloud service providers.
- Shared Technology: Flaws in an integral piece of shared technology expose the entire community using it to the risk of compromise and breaches.
A. Introduction: Preliminary Conclusion
- The Cloud allows for IT resource optimization, greater virtual scalability and important flexibility, at a contained cost.
- However, due to its open nature, Cloud computing raises new challenges and concerns in areas such as security, governance, compliance, ...
- Especially in the current changing regulatory environment (e.g. Draft EU Data Protection Regulation, Draft EU Cyber Directive), there is a need to obtain clarity regarding Accountability and to obtain Transparency.
- It is possible, even already today, to have a Cloud environment in which (privacy) risks are contained, but it requires:
  - Well thought through pre-contract due diligence
  - Adaptation of internal policies and procedures to the Cloud environment
  - A step by step approach in implementation, preferably starting small
  - Attention to ensuring that (privacy) risk assessment is part of the initial consideration, together with the strategic, economic and technical analysis (and not an after-thought)
  - Knowing where the data will be hosted, who has access to it, and how and where it goes after the contract ends (how long does it stay in the cloud and (how) can it be removed)
  - Requiring regular testing (and defining how), not only at the beginning of the contract (and actually doing it)
  - Specific focus on contractual clauses (e.g. termination, transition, auditing, liability, incident response times and procedures, sub-contractors' responsibilities and location)
B. Sample of cloud solutions
B. Sample of Cloud Solutions: Approach
DISCLAIMER: ONLY PUBLIC INFORMATION IS INCLUDED. Nothing in this presentation constitutes any legal opinion or legal advice.
B. Sample of cloud solutions: Samples discussed
- Storage
- Desktop Apps
- Enterprise Software
- Media
B. Sample of Cloud Solutions: Storage
A few alternatives
B. Sample of Cloud Solutions: Storage (Dropbox)
- Offers 2 versions: Dropbox and Dropbox for Business
- Offers its services only through the internet => click-wrap agreements
- Available documentation (https://www.dropbox.com/privacy):
  - Terms of Service
  - Privacy Policy
  - Dropbox for Business Agreement
  - DMCA Policy
  - Acceptable Use Policy
- Here, we do not look at the Dropbox for Business Agreement! => next slides only apply to the general Dropbox services
- Note: Dropbox uses Amazon for data storage.
B. Sample of Cloud Solutions: Storage (Dropbox)
- SLA: "The services and software are provided 'as is', at your own risk, without express or implied warranty or condition of any kind. We also disclaim any warranties of merchantability, fitness for a particular purpose or noninfringement."
- Liability: "In no event will Dropbox be liable for (...) aggregate liability for all claims relating to the services more than the greater of $20 or the amounts paid by you to Dropbox for the past three months of the services in question."
- Applicable Law: California
B. Sample of Cloud Solutions: Storage (Dropbox)
- Privacy & Security:
  - Terms: ?
  - Privacy policy: "We have a team dedicated to keeping your information secure and testing for vulnerabilities. We also continue to work on features to keep your information safe in addition to things like two-factor authentication, encryption of files at rest, and alerts when new devices and apps are linked to your account."
  - Safe Harbor certified.
B. Sample of Cloud Solutions: Storage (Dropbox)
- Termination or suspension of service:
  - "We also reserve the right to suspend or end the Services at any time at our discretion and without notice."
  - "Except for Paid Accounts, we reserve the right to terminate and delete your account if you haven't accessed our Services for 12 consecutive months. We'll of course provide you with notice via the email address associated with your account before we do so."
- Confidentiality and Intellectual Property Rights:
  - "Your Stuff is yours. These Terms don't give us any rights to Your Stuff except for the limited rights that enable us to offer the Services."
  - "Dropbox respects others' intellectual property and asks that you do too."
B. Sample of Cloud Solutions: Desktop Apps
A few alternatives
B. Sample of Cloud Solutions: Desktop Apps (Microsoft Office 365)
- Offers several subscription plans for different needs.
- Offers its services through the internet => click-wrap agreements
- Here, we look ONLY at the Microsoft Online Subscription Agreement for Office 365 for Small Business Premium
B. Sample of Cloud Solutions: Desktop Apps (Microsoft Office 365)
- SLA: Detailed SLA (separate 8-page document) available
- Liability:
  - For software: the amount you were required to pay for the Product giving rise to that liability
  - For online service: the amount you were required to pay for the Online Service giving rise to that liability during the prior 12 months
  - For free products: $5.000
- Applicable Law: Ireland
B. Sample of Cloud Solutions: Desktop Apps (Microsoft Office 365)
- Termination or suspension of service:
  - Termination by you at any time, but for a 1-year subscription you're to pay up to 25% of the remaining fees.
  - Suspension of service if (...) fees are not paid or the acceptable use policy is not respected; with 30 days' notice. After 60 days without remedy, Microsoft can terminate.
  - Buy-out option for software.
B. Sample of Cloud Solutions: Desktop Apps (Microsoft Office 365)
- Privacy & Security:
  - Annex Data Processing Agreement included by default
  - Security incident notification included
  - Certified for ISO 27001
  - Safe Harbor certified
  - Offers EU Model Clauses for personal data transfers
  - Much information publicly available (Transparency)
- Confidentiality: Obligations on you in the main agreement. Confidentiality clause included in the Annex Data Processing Agreement.
- Intellectual Property Rights: Extensive software licensing clauses included.
B. Sample of Cloud Solutions: Enterprise Software
A few alternatives
B. Sample of Cloud Solutions: Enterprise Software (Salesforce.com)
- Offers several types of professional cloud services, such as ...
- Does not offer its services only through the internet:
  - Online subscription of free trial versions => click-wrap agreements
  - Negotiations with Salesforce.com product experts => contractual negotiations are similar to outsourcing
  - Implementation through partners => Salesforce.com often acts as subcontractor
- Here, we look ONLY at the Salesforce Master Subscription Agreement, see: https://www.salesforce.com/assets/pdf/misc/salesforce_msa.pdf
- This is NEGOTIABLE!
- For all legal documents (e.g. 25 different customer agreements & user terms), see: http://www.salesforce.com/eu/company/legal/agreements.jsp
B. Sample of Cloud Solutions: Enterprise Software (Salesforce.com)
- SLA: Basic support at no additional charge; upgraded support if purchased. Commercially reasonable efforts for 24/7 availability (except planned downtime or force majeure).
- Liability: Neither party's liability will exceed the amount paid by Customer hereunder in the 12 months preceding the incident.
- Applicable law: For EU: UK
- Confidentiality: Bilateral confidentiality clause included.
B. Sample of Cloud Solutions: Enterprise Software (Salesforce.com)
- Termination or suspension of service:
  - Ends when user subscriptions granted in accordance with the Agreement have expired or been terminated.
  - Automatic renewal unless notice of non-renewal is given at least 30 days before the end.
  - Bilateral termination for cause with 30 days' notice & remediation period.
  - SFC breach: prepaid fees to be repaid by SFC. Your breach: you pay the fees for the remainder of the subscription.
  - Data will be downloadable within 30 days after termination and deleted afterwards.
  - Suspension of service if fees are not paid (7 days' notice).
B. Sample of Cloud Solutions: Enterprise Software (Salesforce.com)
- Privacy & Security:
  - General security clause in MSA
  - Specific requirements such as audit rights and breach notification are negotiable
  - No privacy clauses included, though this is negotiable
  - Safe Harbor certified
  - TRUSTe certified
  - Several global audit compliances, incl. ISO 27001
  - Highlights listed on website
- Intellectual Property Rights: Clear restrictions on client with respect to SFC IP. No acquisition of client's IP. Client only authorizes SFC to host, copy, transmit, display and adapt applications and program code, solely as necessary to provide the services.
B. Sample of Cloud Solutions: Media
A few alternatives
B. Sample of Cloud Solutions: Media (YouTube)
- Only offered through the internet
- Legal documents:
  - YouTube Terms of Service
  - (Google) Privacy Policy
  - YouTube Community Guidelines
- These slides only cover the basic YouTube service (uploading videos), not advertising.
B. Sample of Cloud Solutions: Media (YouTube)
- SLA: The Service is provided "as is". YouTube does not represent or warrant to you that:
  - your use of the Service will meet your requirements,
  - your use of the Service will be uninterrupted, timely, secure or free from error,
  - any information obtained by you as a result of your use of the Service will be accurate or reliable, and
  - defects in the operation or functionality of any software provided to you as part of the Service will be corrected.
B. Sample of Cloud Solutions: Media (YouTube)
- Liability: YouTube shall not be liable to you for:
  - any changes which YouTube may make to the Service, or for any permanent or temporary cessation in the provision of the Service (or any features within the Service);
  - the deletion of, corruption of, or failure to store, any Content and other communications data maintained or transmitted by or through your use of the Service;
  - your failure to provide YouTube with accurate account information;
  - your failure to keep your password or YouTube account details secure and confidential.
B. Sample of Cloud Solutions: Media (YouTube)
- Applicable Law: UK
- Privacy & Security: The Google privacy policy is part of the YouTube Terms of Service. General security clause included. Safe Harbor certified.
- Confidentiality: "You understand that whether or not Content is published, YouTube does not guarantee any confidentiality with respect to Content."
B. Sample of Cloud Solutions: Media (YouTube)
- Intellectual Property Rights:
  - You retain all of your ownership rights.
  - "You grant to YouTube a worldwide, non-exclusive, royalty-free, transferable license (with right to sublicense) to use, reproduce, distribute, prepare derivative works of, display, and perform that Content in connection with the provision of the Service and otherwise in connection with the provision of the Service and YouTube's business, including without limitation for promoting and redistributing part or all of the Service (and derivative works thereof) in any media formats and through any media channels."
  - The license ends when you remove your content.
C. Conclusions
C. Conclusions: What to take with you
- Cloud legal risks are comparable to outsourcing legal risks.
- Cloud legal risks will differ per type of cloud service.
- If the service is free, it will likely be reflected in the T&C.
- Review your contractual framework carefully (external but also internal) and involve not only the legal department but also Business and IT groups.
- Contact the cloud provider to negotiate, in order to establish a contractual (control) framework adapted to your business/risk needs.
- Legal risks are only one part of cloud computing. Also take into account:
  - Fit for business
  - IT alignment
  - IT department transformation
Erik Luysterborg
Partner, CIPP, EMEA Data Protection & Privacy Leader
eluysterborg@deloitte.com
Deloitte Enterprise Risk Services
Direct: +32 2 800 23 36
Mobile: +32 497 51 53 95

David Lenaerts
Manager, CIPP/E, CIPM
dlenaerts@deloitte.com
Deloitte Enterprise Risk Services
Direct: +32 2 800 25 03
Mobile: +32 479 20 07 91

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's more than 200,000 professionals are committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this communication, rendering professional advice or services. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2014. For information, contact Deloitte Belgium.
Annex: Possible remediation and (Cloud) best practices
Possible remediation and (Cloud) best practices: Have a look under the hood of your cloud provider
- See to it that its service engagements (policies) meet (and/or exceed) your own security requirements (policies) (e.g. what are the logs that are generated to show that information in the cloud has been accessed, copied, modified or otherwise used?)
- Consider (availability of) an independent security audit report and the use of security standards such as ISO 27001 or ISO 27018:2014 (ensure it is certified by a recognized third party accredited body) or SSAE16 (you need to see the actual report and examine the controls in place as described in it).
- Look carefully at the Cloud provider's (exception, risk & performance) indicators & monitoring as well as any incident management procedures.
- Obtain an overview/listing of all third party subcontractors of the Cloud provider.
- Do not rely solely on contracts but check the Cloud provider's real procedures and processes, and ensure that contract clauses are flexible, dynamic and precise (e.g. liability, intellectual property, backup and recovery processes, exit and change management).
Possible remediation and (Cloud) best practices: Have a look under the hood of your cloud provider
- Develop appropriate contractual terms to ensure protection, especially as it relates to:
  - Records retention and lawful access
  - Data sharing risks/commingling
  - Applicable law risks
  - Timing of incident management procedures
  - Requirements relating to audit/monitoring/evidence of compliance of subcontractors
- Have a close look at the Cloud provider's actual security measures and policies:
  - Physical security: policy on access restrictions
  - Network security: firewalling technology etc.
  - Server security: how servers have been protected against attack, policies for continued improvement
  - Data segregation policies: multi-tenancy implies no physical segregation, so how is logical segregation achieved?
  - User (client) authentication policies etc.
  - Encryption: what algorithms and what strength?
Possible remediation and (Cloud) best practices: Avoid the Paper Tiger Syndrome
Avoid paper tiger syndrome and have a risk based approach to privacy compliance in the Cloud:
- Understand & identify the Cloud provider's (personal) data handling practices, especially regarding the cross-border data transfer/storage (legal) framework, (secondary) usage of data, data breach notification/remediation process, request for information procedures, etc.
- Consider differentiating (Cloud) treatment of personal data (e.g. sensitive personal data versus non-sensitive, anonymisation of data).
- Take appropriate measures to ensure adequate application security, development processes and penetration/vulnerability testing. Require regular (independent/third party) testing from the start of the vendor relationship. Consider strategies based on encryption/data obfuscation.
- Assess the privacy obligations of your clients, yourself and the Cloud provider, identify any discrepancies/conflicts and accept/deal with them (both contractually as well as operationally).
- Implement a risk based and scalable privacy program taking into account cost, risk-appetite and effectiveness (and based on people, process & technology) as well as the specific Cloud environment.
- Your policies and procedures must explicitly address cloud privacy risks. But bear in mind that it is very dangerous to have nice policies and contractual language if you do not have the staff to do it/follow it through.
Possible remediation and (Cloud) best practices: Avoid the Paper Tiger Syndrome
Avoid paper tiger syndrome and have a risk based approach to privacy compliance in the Cloud (continued):
- Train employees and staff accordingly to mitigate security/privacy risks in cloud computing (multi-departmental approach).
- Be clear as to ownership of the Cloud transformation within your organization. Document ownership of risks/mitigation.
- Identify the types of personal information in flow, as well as the systems, entities and jurisdictions that data flows through.
- Information governance must be put in place and must provide tools and procedures for classifying information and assessing risks. Specific policies must be established for cloud based processing based upon the risk and value of the asset/data.
Possible remediation and (Cloud) best practices: Consider Main Menu vs à la Carte
Choose carefully between security "main menu" and "à la carte" solutions:
- Consider both the Cloud provider's and your own security environment and risk management practices, and detect dependencies/interconnectivity and conflicts.
- Ensure that the Cloud provider's role is clearly outlined and that contractual obligations are in line with reality. Does the Cloud provider act merely as custodian, instead of a controller, of data? (e.g. through use of advanced encryption)
- Focus specifically on the existence of strong authentication, encryption requirements and key management, user access and delegation, as well as data storage & sanitization procedures.
- The provider should have comprehensive disaster recovery, incident response (e.g. logging tools) and compartmentalization practices (e.g. systems, networks, provisioning, staff etc.).