Data Privacy and Security for Market Research in the Cloud Peter Milla IIeX2015 NA
Agenda Page 2 1. Background 2. Why the Cloud? 3. Data Privacy and Data Security in the Cloud 4. How do We Deal with It?
The Cloud Page 3 Is exploding Can offer real advantages/benefits Can present real compliance challenges ATracUve to business, especially SMBs An area where MR companies are looking to outsourcing Gartner PredicUon: 50% of Global 1000 will have data stored in the cloud by the end of 2016
In the Simplest Terms Page 4 Cloud compuung means storing/accessing data and programs on/over the Internet instead of your computer's hard drive or local area network storage The cloud is just a metaphor for the Internet It goes back to the days of flowcharts that represented the large server- farm infrastructure of the Internet as puffy, white cumulonimbus cloud
In the Simplest Terms (conunued) Page 5
Page 6 What Really is Cloud CompuUng (to the Business)? Cloud compuung is a new compuung paradigm, involving data and/or computauonal outsourcing with: Infinite and elasuc resource scalability On demand just- in- Ume provisioning No upfront cost, pay- as- you- go (in general) That is, use as much or a litle as you need, use only when you want, and pay for what you use (in general)
The Cloud for Business Service Models Page 7
Major Cloud Deployment Models Page 8 Note: Another model is a Community Cloud where infrastructure is shared between several organizations
Public Cloud Type EvoluUon Page 9 Public Cloud: Credit card- based No/very limited transparency Enterprise Cloud (also Virtual Private Cloud): Deeper commercial relauonship Logical segregauon Different service model Transparency/SLAs on data locauon, process
Small Medium Businesses (SMBs) Page 10 EnthusiasUc adopuon Cloud providers provide beter security than SMBs. Amazon Web Services compliance programs include: ISO 27001 SOC 2 PCI DSS Level 1 HIPAA Considered oken as perhaps the only alternauve by many IT development shops (including backup)
Agenda Page 11 1. Background 2. Why the Cloud? 3. Data Privacy and Data Security in the Cloud 4. How do We Deal with It?
Benefits for Cloud Customers Page 12 1. Cost: Very atracuve, parucularly to SMBs 2. IntegraUon: IntegraUon to take place across infrastructure services, data, management, idenuty and development 3. Investment: OpEx vs. CapEx Can simplify IT asset management 4. Scalability: Services can be scaled quickly
Benefits for Cloud Customers (conunued) Page 13 5. Speed to deployment: Can be hours vs. weeks 6. Flexibility: Can add new services easily 7. Security: BeTer than many organizauons can provide internally
Benefits for Cloud Providers Page 14 1. Increased uulizauon of data center resources 2. More clients per square foot, per kilowat hour 3. More clients per staff person About selling X as a service: IaaS: Selling virtualized hardware PaaS: Selling access to a configurable planorm/api SaaS: Selling sokware that runs on top of the cloud
Top Five Tech Spending Increases in 2015 Page 15
Agenda Page 16 1. Background 2. Why the Cloud? 3. Data Privacy and Data Security in the Cloud 4. How do We Deal with It?
Privacy is Key Page 17
But it is Not Just About Privacy Page 18 Integrity: How do I know that the cloud provider is doing the computauons correctly/not tampering with data? Availability: Will criucal systems go down if the provider is atacked? What happens if the provider goes out of business? Increased atack surface: External enuty now stores and computes data ATackers can now also target the communicauon link between the provider and the client Provider employees can be phished
But it is Not Just About Privacy (conunued) Page 19 Auditability and forensics: May be difficult to audit data outside the organizauon in a cloud Legal issues and transiuve trust issues: Responsibility for regulauons If cloud provider subcontracts to a third party, will data be secure?
Where is My Data? Page 20
Data Privacy and Data Security in the Cloud Page 21 ProtecUng personal data depends on safeguards supplied by the cloud purchaser and the cloud provider responsibiliues must be clear Privacy obligauons don t change if data is stored in the cloud As with all other outsourcing use cases, you can t outsource accountability and risk CerUficaUons like ISO 27001 can help companies enable data privacy/data security The Data Privacy and Data Security func>ons must be aligned
Reasons to be Concerned Page 22 1. Who is looking at your data? 2. Cyber atacks 3. Insider threats 4. Government intrusion 5. Legal liability 6. Lack of standardizauon (cloud security) 7. Lack of support 8. There is always risk
Myths and ClarificaUons about Cloud Privacy Page 23 Concern PII in cloud against the law Data abroad is forbidden Must store in country Not oversees because of foreign surveillance Hurry, we re last Clarifica>on PII in cloud is not illegal Legal/IT conflict Cross- border can be illegal Oken client or requirement of law/regulauon Monitoring is everywhere Technical and legal controls are required Full- scale public clouds are rare This is moving quickly
Think Risk! Page 24 Need to think beyond technology, checklists and compliance For example, only a properly configured firewall can be used to configure a network A cloud soluuon can be used to achieve compliance only if acceptable to all stakeholders: Research provider Legislators/regulators Clients
Cloud Privacy Risks Page 25 Certain types of data may trigger specific obligauons under nauonal and local law Vendor issues: OrganizaUons may not be aware they are using cloud- based vendors Due diligence sull required Data security is sull the responsibility of the customer SLAs need to account for access, correcuon and privacy rights Data Transfer: Cloud model may trigger internauonal legal data transfer issues
Agenda Page 26 1. Background 2. Why the Cloud? 3. Data Privacy and Data Security in the Cloud 4. How do We Deal with It?
How do We Deal with It? (Measures Include ) 1. Build privacy into technology ( Privacy by Design ) Page 27 2. Implement privacy compliance (federal, state, local law and regulauon, EU Data ProtecUon framework, etc.), MR industry codes 3. Exercise due diligence, including Risk Assessments, Privacy Impact Assessments, etc. 4. Develop a breach management plan 5. Use privacy enhancing technology (including encryp>on) 6. Make sure business liability insurance covers data events 7. Create and enforce contractual clauses
Contractual Provisions to Consider Include Page 28 1. Service provider must not use PII except as necessary in providing services 2. Provider must not improperly disclose of PII 3. Provider must employ safeguards to ensure PII is retained, transferred and disposed of securely 4. Provider must noufy the organizauon immediately of any order or other requirement to compel producuon of PII 5. Provider must noufy the organizauon immediately if PII is stolen, lost, accessed by unauthorized persons
Contractual Provisions to Consider Include.. (conunued) Page 29 6. Implement an oversight and monitoring program, including audits of the provider s compliance with the terms of the agreement 7. No one on behalf of provider should have access to PII unless that person agrees to comply with restricuons in the agreement 8. Insurance requirements
Key Takeaways Page 30 Think Risk! You can outsource services, but not accountability Do risk assessments Build privacy in and align privacy and security funcuons Conduct proper due diligence on your cloud providers Ensure you have the appropriate security technology in place Ensure you have the appropriate contractual provisions in place
Page 31 Q&A
Data Privacy and Security for Market Research in the Cloud Peter Milla IIeX2015 NA