Techno-Legal Motivation

Similar documents
Cloud Inspector A Cooperative Tool to Increase Trust in Cloud Computing

Secure Cloud Computing for Critical Infrastructures

High Assurance in Multi-Layer Cloud Infrastructures

How can security requirements of critical Infrastructure IT shape Cloud Computing research?

Data protection policy

How To Write A Secure Cloud Computing For Critical Infrastructure

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES

Data controllers and data processors: what the difference is and what the governance implications are

Data Processing Agreement for Oracle Cloud Services

Council Policy. Records & Information Management

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

Cloud Software Services for Schools

Data Protection Act Guidance on the use of cloud computing

NPSA GENERAL PROVISIONS

Third Party Litigation Funding

How To Understand The Data Protection Act

Products Liability: Putting a Product on the U.S. Market. Natalia R. Medley Crowell & Moring LLP 14 November 2012

Spoliation of Evidence. Prepared for:

Guidelines on Data Protection. Draft. Version 3.1. Published by

Clause 1. Definitions and Interpretation

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

HIPAA BUSINESS ASSOCIATE AGREEMENT

DOCUMENT RETENTION STRATEGIES FOR HEALTHCARE ORGANIZATIONS

The potential legal consequences of a personal data breach

Exhibit 2. Business Associate Addendum

Cloud Software Services for Schools

ECSA EuroCloud Star Audit Data Privacy Audit Guide

HERTSMERE BOROUGH COUNCIL

Data Protection Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

The Effect of Product Safety Regulatory Compliance

Scotland s Commissioner for Children and Young People Records Management Policy

Appendix 11 - Swiss Data Protection Act

Corporate ICT & Data Management. Data Protection Policy

How To Protect Your Data In European Law

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

INDEPENDENT CONTRACTOR AGREEMENT

Article 29 Working Party Issues Opinion on Cloud Computing

Practical Overview on responsibilities of Data Protection Officers. Security measures

Information Security Team

Personal Data Act (1998:204);

We use such personal information collected through this Site for the purposes of:

Using AWS in the context of Australian Privacy Considerations October 2015

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Right to Financial Privacy Act

RULE 39 OFFER TO SETTLE

Cloud security architecture

Smart Open Services for European Patients Open ehealth initiative for a European large scale pilot of patient summary and electronic prescription

Electronic Document and Record Compliance for the Life Sciences

New HIPAA regulations require action. Are you in compliance?

Information Security Policies. Version 6.1

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

White Paper Security. Data Protection and Security in School Management Systems

INFORMATION TECHNOLOGY SECURITY STANDARDS

MAQUET SAS GENERAL TERMS AND CONDITIONS OF PURCHASE

on the transfer of personal data from the European Union

Personal Injury Litigation

Sample Business Associate Agreement Provisions

Application Programming Interface (API) Application (app) - The API app is the connector between epages and the developers service.

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

BROKER/AGENT INFORMATION PAGE RETS IDX

Information Governance Policy

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

High Security Online Backup. A Cyphertite White Paper February, Cloud-Based Backup Storage Threat Models

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

ACCESS TO MEDICAL RECORDS. By Felicia Jolaoye Blavo & Co Solicitors Ltd.

Best Practices for PCI DSS V3.0 Network Security Compliance

PCI Compliance for Cloud Applications

INDEPENDENT CONTRACTOR AGREEMENT

HIPSSA Project. Support for Harmonization of the ICT Policies in Sub-Sahara Africa, Second Mission -Namibia

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

C-DAC Medical Informatics Software Development Kit End User License Agreement

Privileged Identity Management

BUSINESS ASSOCIATE AGREEMENT

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

INFORMATION GOVERNANCE POLICY

MMA SAMPLE FORM *REVIEW CAREFULLY & ADAPT TO YOUR PRACTICE*

HIPAA BUSINESS ASSOCIATE AGREEMENT

Cloud Computing and Privacy Laws! Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

READING SCHOOL DISTRICT

Bridget Rankin Principal Pharmacist, Medicines Information Guy s & St. Thomas NHS Foundation Trust April 2015

Transcription:

SEcure Cloud computing for CRitical Infrastructure IT Techno-Legal Motivation Ass. iur. Silvia Balaban 24/11/2015 AIT Austrian Institute of Technology ETRA Investigación y Desarrollo Fraunhofer Institute for Experimental Software Engineering IESE Karlsruhe Institute of Technology NEC Europe Lancaster University Mirasys Hellenic Telecommunications Organization OTE Ayuntamiento de Valencia Amaris

Introduction - Objective What are the legal requirements in cloud computing cases? How can the technical properties of cloud computing comply with the legal requirements? Why?: techno-legal assessment from the very beginning in order to foster the conformance of the system with regulatory constraints ( Compliance by Design ) 25.11.2015 SECCRIT Consortium 2

Introduction Law Fields Evidence Law Data Protection Law Disclose facts in order to win a lawsuit P Protection of the informational selfdetermination, which can be infringed by handling personal data P Disclose for Proofs optimisation Data Minimization 25.11.2015 SECCRIT Consortium 3

What are the legal requirements in cloud computing cases? 25.11.2015 SECCRIT Consortium 4

Evidence Law 25.11.2015 SECCRIT Consortium 5

Current Situation Evidence Law o First Case: A cloud user (A) has a contract with a cloud provider (B), that one commits a breach of duty and the cloud user has a damage. The cloud user wants to get his damage compensated, so he sues the cloud provider. Cloud User Cloud Provider o Second Case: The cloud user has a contract with a client and requires for the fulfillment of the contract a cloud-based solution. He has for this a contract with the cloud provider. That one commits a breach of duty and it is the client of the cloud user who has a damage. Client sues the cloud user. Client Cloud User Cloud Provider 25.11.2015 SECCRIT Consortium 6

Evaluating the first Case Contract Fault Default Damage Cloud USER Document Legal inspection/expert evidence/witness/ document Legal inspection/expert evidence/witness/ document Cloud PROVIDER Document/ Witness/Exp ert Evidence 25.11.2015 SECCRIT Consortium 7

Current Situation Evidence Law Plaintiff Defendant Contract, fault, damage, causal link between damage and fault default

Evaluating the first Case Cloud User: Contradict non-default of provider? o Legal inspection Own perception difficult as past incident o Witness Only in sphere of the provider, employee of the provider o Document All documents in sphere of the provider, no insight view o Expert evidence Difficult to retrace what caused the fault Only assess documents of provider NOT NEUTRAL Cloud user loses lawsuit lack of useable proofs 25.11.2015 SECCRIT Consortium 9

Evaluating the Second Case Client: o documents, legal inspection, witness proof Cloud user: o o prove that he did not act negligent prove that provider did not act negligent What caused the damage? Cloud user, made passwords accessible? o o Proving situation of first case wasn t provider, still cloud user needs to disprove own possible negligent behavior Prove of existence of damage proves fault 25.11.2015 SECCRIT Consortium 10

Evaluating the Second Use Case For proving that it was not the cloud user: o Witness: needs to testify about negative facts o Document cannot prove all possible non acting/acting situations o Expert evidence: difficult to retrace negligent behavior Cloud user s own default remains unclear: cloud user loses lawsuit Provider s fault: Cloud user loses lawsuit o Third party notice for second lawsuit in order to gain a title against provider 25.11.2015 SECCRIT Consortium 11

Evidence Law Challenges Usual evidence in court presumably not suitable in cloud scenarios because of multiplicity of acting parties and technical complexity Cloud user has no inside view can hardly prove default Cloud user has no access to required evidence Cloud user s legal position is weak! 25.11.2015 SECCRIT Consortium 12

Data Protection Law 25.11.2015 SECCRIT Consortium 13

Current situation - Data Protection Law Protection of the informational self-determination, which can be infringed by handling personal Data Subject personal data: information relating to an identified or identifiable natural person (data subject) Controller determines the purposes and means of the processing of personal data Processor processes personal data on behalf of the controller Processing: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction 25.11.2015 SECCRIT Consortium 14

Current Situation Data Protection Law Data subject has access rights, information rights etc. Only against cloud user (processing on behalf of the controller) Cloud provider and cloud user are counting as one unit, provider is only processor 25.11.2015 SECCRIT Consortium 15

Current Situation Data Protection Law Data subject has rights which user needs to fulfill Cloud user has to control cloud provider merely done by certification Is based on trusting the cloud provider How to solve fulfillment of data subjects right by user if no inside view is given Lack of transparency, lack of control 25.11.2015 SECCRIT Consortium 16

How can the technical properties of cloud computing comply with the legal requirements? 25.11.2015 SECCRIT Consortium 17

Cloud-specific Givens leading to legal problems: Black Box Nature: Data processing is not visible! Evidence Law Data Protection Law 25.11.2015 SECCRIT Consortium 18

Fulfilling the legal requirements Anomaly Detection Techniques and Tools Policy Decision and Enforcement Tools Establish best practices for secure cloud service implementations Model Driven Cloud Security Guidelines Policy Specification Methodology and Tool Risk Assessment and Management Methodology Understand cloud behavior in the face of challenges Cloud Resilience Management Framework Legal Guidance on Data Protection and Evidence Understand and manage risk associated with cloud environments Tools for Audit Trails and Root Cause Analysis Demo 1: Storage and Processing of Sensitive Data Demonstration of output in real-world application scenarios Demo 2: Hosting Critical Urban Mobility Services Cloud Assurance Profile and Evaluation Method 25.11.2015 SECCRIT Consortium 19

SECCRIT Outputs 25.11.2015 SECCRIT Consortium 20

Summary 25.11.2015 SECCRIT Consortium 21

SEcure Cloud computing for CRitical Infrastructure IT Contact Ass. iur. Silvia Balaban KIT, Center for Applied Legal Studies (silvia.balaban@kit.edu) AIT Austrian Institute of Technology ETRA Investigación y Desarrollo Fraunhofer Institute for Experimental Software Engineering IESE Karlsruhe Institute of Technology NEC Europe Lancaster University Mirasys Hellenic Telecommunications Organization OTE Ayuntamiento de Valencia Amaris

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information