
@COISSA Cloud Computing and Privacy


Page 1: @COISSA Cloud Computing and Privacy

Dino Tsibouris (614) 360-3133

[email protected]

Updates on Cloud, Contracting, Privacy, Security, and International Privacy Issues

Mehmet Munur (614) 859-6962

[email protected]

Page 2: @COISSA Cloud Computing and Privacy

Outline

1. Cloud Contracting
2. Cloud Security
3. Government Access to Data in the Cloud
4. EU Safe Harbor and Transfers of Personal Data from Europe

Page 3: @COISSA Cloud Computing and Privacy

Contracting

Page 4: @COISSA Cloud Computing and Privacy

Contracting

Page 5: @COISSA Cloud Computing and Privacy

Contracting

• Liability
  – Unlimited
  – Capped

Page 6: @COISSA Cloud Computing and Privacy

Contracting

Page 7: @COISSA Cloud Computing and Privacy

Contracting

• Indemnification
  – Intellectual property
  – Violation of laws
  – Violation of agreement
  – Gross negligence

Page 8: @COISSA Cloud Computing and Privacy

Contracting

• Service Levels
  – Availability, scheduled maintenance, emergency maintenance
  – Performance, response time, latency

• Security
  – Certification
  – Encryption in transit, at rest, in backups

Page 9: @COISSA Cloud Computing and Privacy

Contracting

• Vulnerabilities
  – Treat vulnerabilities like security breaches
  – Demand:
    • Notification
    • Action plan
    • Remediation
    • Mitigation

Page 10: @COISSA Cloud Computing and Privacy

Security in Practice

• Major cloud providers implement reasonable or appropriate measures.

• You are responsible for your configuration.

• You get Service Levels, but no other warranties.

• Liability is limited, typically to 12 months' fees.

Page 11: @COISSA Cloud Computing and Privacy

Page 12: @COISSA Cloud Computing and Privacy
Page 13: @COISSA Cloud Computing and Privacy

Security in Practice - AWS

• 3.1 AWS Security. Without limiting Section 10 or your obligations under Section 4.2, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.

Page 14: @COISSA Cloud Computing and Privacy

Security in Practice - AWS

• 4.2 Other Security and Backup. You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content.

Page 15: @COISSA Cloud Computing and Privacy

Security in Practice - AWS

THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” WE AND OUR AFFILIATES AND LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD PARTY CONTENT, INCLUDING ANY WARRANTY THAT THE SERVICE OFFERINGS OR THIRD PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, OR THAT ANY CONTENT, INCLUDING YOUR CONTENT OR THE THIRD PARTY CONTENT, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND LICENSORS DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE.

Page 16: @COISSA Cloud Computing and Privacy

Security in Practice - Azure

We maintain appropriate technical and organizational measures, internal controls, and data security routines intended to protect Customer Data against accidental loss or change, unauthorized disclosure or access, or unlawful destruction. Current information about our security practices can be found within the Trust Center. You are wholly responsible for configuring your Customer Solution to ensure adequate security, protection, and backup of Customer Data.

Page 17: @COISSA Cloud Computing and Privacy

Security in Practice - Azure

We will comply with all laws applicable to our provision of the Services, including applicable security breach notification laws, but not including any laws applicable to you or your industry that are not generally applicable to information technology services providers. You will comply with all laws applicable to your Customer Solution, Customer Data, and your use of the Services, including any laws applicable to you or your industry.

Page 18: @COISSA Cloud Computing and Privacy

Security in Practice - Azure

Limited warranty. We warrant that the Services will meet the terms of the SLAs during the Term. Your only remedies for breach of this warranty are those in the SLAs.

Page 19: @COISSA Cloud Computing and Privacy

Security in Practice - Azure

DISCLAIMER. Other than this warranty, we provide no warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability or fitness for a particular purpose. These disclaimers will apply except to the extent applicable law does not permit them.

Page 20: @COISSA Cloud Computing and Privacy

Privacy in the Cloud - AWS

You may specify the AWS regions in which Your Content will be stored and accessible by End Users. We will not move Your Content from your selected AWS regions without notifying you, unless required to comply with the law or requests of governmental entities. You consent to our collection, use and disclosure of information associated with the Service Offerings in accordance with our Privacy Policy...

Page 21: @COISSA Cloud Computing and Privacy

Government Access to Data

Page 22: @COISSA Cloud Computing and Privacy

Government Access to Data

• Cybersecurity Information Sharing Act

• Allows sharing of cybersecurity threat data with the DHS

• Passed in Senate and House, in reaction to Sony, Anthem, and OPM breaches

• Broad sharing of personal information with the government with few privacy protections in place

Page 23: @COISSA Cloud Computing and Privacy

International Privacy Issues

Page 24: @COISSA Cloud Computing and Privacy

Possible Alternatives

• Standard Contractual Clauses (Model Clauses)

• Binding Corporate Rules

• Derogations in Law
  – Necessary for performance of contract
  – Unambiguous, informed, freely given, specific consent

• January 31, 2016 deadline by European privacy regulators

Page 25: @COISSA Cloud Computing and Privacy

General Data Protection Regulation

• EU member states in final stages of negotiations

• Expected in the next year or so

• Includes data breach notification obligation

• Fines as high as 2% of annual turnover

Page 26: @COISSA Cloud Computing and Privacy

Dino Tsibouris (614) 360-3133

[email protected]

Mehmet Munur (614) 859-6962

[email protected]

Questions & Answers