The problem of cloud data governance



Similar documents
Accountability Model for Cloud Governance

Cloud Computing: Legal Risks and Best Practices

Article 29 Working Party Issues Opinion on Cloud Computing

Contracting with a Cloud Service Provider DATA PROTECTION WORKSHOP NJERI OLWENY, MICROSOFT

Data Protection and Cloud Computing: an Overview of the Legal Issues

Accountability in Cloud Computing An Introduction to the Issues, Approaches, and Tools

Israeli Law Information and Technology Authority. Privacy and Data Security in the Cloud - The Israeli Perspective

14 December 2006 GUIDELINES ON OUTSOURCING

How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Recommendations for companies planning to use Cloud computing services

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

(a) the kind of data and the harm that could result if any of those things should occur;

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

EuroCloud Star Audit. A strong partnership that provides you with a competitive advantage

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

The Legal Pitfalls of Failing to Develop Secure Cloud Services

Big Data, Big Risk, Big Rewards. Hussein Syed

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

Cloud Computing Security Considerations

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

YORK REGION DISTRICT SCHOOL BOARD. Policy and Procedure #160.0 Records and Information Management

Ethical Trading Initiative Management Benchmarks

CLOUD SERVICE LEVEL AGREEMENTS Meeting Customer and Provider needs

Information Technology: This Year s Hot Issue - Cloud Computing

The HR Skinny: Effectively managing international employee data flows

Outsourcing Risk Guidance Note for Banks

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

SECURITY & DATA PROTECTION ON THE CLOUD. Evènement parallèle organisé par l ANSI 16 novembre 2015 Hammamet, Tunisie

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

Procurement Capability Standards

Security in the Cloud

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Council Policy. Records & Information Management

TECHNICAL SPECIFICATION: LEGISLATION EXECUTING CLOUD SERVICES

Daniel Field, Atos Spain. Towards the European Open Science Cloud, Heidelberg, 20/01/2016

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Role of contracts in Cloud Computing an Overview. Kevin McGillivray Doctoral Candidate (NRCCL)

European Code for Export Compliance

Privacy and Data Protection

National Cyber Security Policy -2013

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Big Data for Mutuals. Marc Dautlich 25 November 2013

A Flexible and Comprehensive Approach to a Cloud Compliance Program

The Data Lifecycle: Managing Data through Business. Ewan Willars Friday 27 February

PIPEDA and Online Backup White Paper

ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012

D:C-3.1 Requirements for cloud interoperability

AIRBUS GROUP BINDING CORPORATE RULES

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

LEGAL ISSUES IN CLOUD COMPUTING

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Cloud Service Contracts: An Issue of Trust

White Paper on Financial Institution Vendor Management

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

Blending Corporate Governance with. Information Security

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations

Logging In: Auditing Cybersecurity in an Unsecure World

This form may not be modified without prior approval from the Department of Justice.

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Security Controls What Works. Southside Virginia Community College: Security Awareness

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Securing the Microsoft Cloud

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

Data Processing Agreement for Oracle Cloud Services

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

ISO/IEC Safeguarding Personal Information in the Cloud. Whitepaper

Third Party Security Requirements Policy

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

The potential legal consequences of a personal data breach

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

Transcription:

The problem of cloud data governance Vasilis Tountopoulos, Athens Technology Center S.A. (ATC) CSP EU Forum 2014 - Thursday, 22 nd May, 2014

Focus on data protection in the cloud Why data governance in the cloud raises barriers? Challenges and Implications Drivers for accountability Cloud complexity and vulnerabilities Business driven risks Legal complexity and constraints Presentation Outline

Based on cloud data processing Incentives Scale of cloud services Role in the future business and personal life Complexity of the supply chain Advanced data mining to manage big data Challenges in data governance but, difficulty in building Chains of Accountability in the cloud Complexity of the cloud service provision chain Ramifications of failure within the chain Involved business risks size of the organisations involved Complexity in implementing right liability measures Potential weakness in the transparency and verifiability of the supply chains

Cloud Complexity Lack of customer trust and regulatory complexity HP Security Lifecycle Management framework

Ramifications of Cloud Failures Difficult to plan for the potential business risks

Support multi-disciplinary data driven business cases Based on cloud specific features How personal and corporate data are handled in the cloud? Multi-tenancy of cloud applications Co-tenants can gain inappropriate access to data of another application instance. Complex, dynamically changing environment Ensuring appropriate data protection, overlapping responsibilities in data management, unauthorised secondary usage, vendor demise, lack of transparency. Data duplication and proliferation Business Risks of Using Cloud Loss of control and transparency in data lifecycle management, especially in crossborder interactions Simplified access from multiple locations, but different legislative regimes.

Security and privacy concerns Cloud end users being responsible for cloud security NIST SP 800-144 study Governance over data use and processing Personal and confidential data management is subject to the purpose of use. Compliance to laws, regulations, standards and specifications Privacy preservation and data protection in data location places. Non interoperable regulatory frameworks for cross-boundary communications. Trust and risk assessment Monitoring and controlling cloud service execution with respect to policies and service level agreements. Incidence response Detection and remediation mechanisms should be in place through cross actor exchangeable interfaces.

Detection and Remediation How tools should support runtime governance Lack of transparency and verifiability by cloud service providers Implications in terms of policy violations along the cloud service provision chain. Should force auditing from trusted actors. Complexity of Liability in Service Provision Ecosystems Attributed obligations not clear with overlapping responsibilities. Obligations vary depending on to whom they refer to.

Constraints Regulatory and legal issues to consider Subcontracting and negotiation of contracts Customers providing consent to the use of subcontractors needs appropriate contract management. Need for enabling cloud customers enforce obligations, according to policies Growing Usage of Integrators Data transfers and guaranteed security levels Change of data location Unaware of the desired security levels Use of free vs paid cloud services in the provision chain

Drivers for an accountability-based approach Improve level of data stewardship Provide trustworthy mechanisms for data protection in the cloud Decrease regulatory complexity Provide more effective mechanisms for complex and dynamic business environments Accountability-based approaches for trust and security

Conceptual Definition: Defining Accountability - Accountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly. Accountability for an organization consists of accepting responsibility for the stewardship of personal and/or confidential data with which it is entrusted in a cloud environment, for processing, storing, sharing, deleting and otherwise using the data according to contractual and legal requirements from the time it is collected until when the data are destroyed (including onward transfer to and from third parties). It involves committing to legal and ethical obligations, policies, procedures and mechanisms, explaining and demonstrating ethical implementation to internal and external stakeholders and remedying any failure to act properly.

Thank You.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information