THE IMPACT OF CLOUD: CLOUD COMPUTING SECURITY & PRIVACY 12/9/2013

The Impact of Cloud: Cloud Computing Security and Privacy


Description: Presentation to HKQAA, The Impact of Cloud: Cloud Computing Security and Privacy (2013.10.29)


Page 1

THE IMPACT OF CLOUD: CLOUD COMPUTING SECURITY & PRIVACY

12/9/2013

Page 2

“Technological advances, combined with the ubiquity of the Internet, have spawned a near-infinite range of potentially grave security threats to governments, commercial entities and individuals.”

Paul Rosenzweig

Page 3

Page 4

Can we still trust the ‘cloud’?

What are the local laws that govern data being collected, transferred and stored?

Page 5

BIGGEST INHIBITOR TO THE ADOPTION OF CLOUD COMPUTING

Data Security

Page 6

SENSITIVE DATA IN THE CLOUD

More data, more storage

Personally identifiable information examples

• Credit card information

• Medical records

• Tax records

• Customer account records

• Human resources information

• Banking and insurance records

• Browsing history, emails and other communication

Page 7

CLOUD SECURITY - STAKEHOLDERS

Data collector/owner

• Outsourcing: how to select a cloud vendor?

• How to maintain direct control to safeguard data integrity?

Cloud service providers

• How to satisfy data residency and privacy requirements?

• How to remain flexible and provide cost-effective service?

Regulator

• Formulation of relevant standards and practices

• How to ensure adoption and compliance?

• Would sensitive data end up overseas?

Customers/end-users

• Are my data safe in the cloud?

• Would I know if there is a security or privacy breach?

Page 8

ISSUES ON CLOUD SECURITY

Security

Is the data protected from theft, leakage, spying or attacks? What is the level of control and protection?

Residency

Where is the data stored? Is it geographically dispersed? What to do with data in transit and outside the territory?

Privacy

Who can see personally identifiable information (PII)? Storing, transferring, locating and protecting PII.

Page 9

Challenges of cloud and security

Maintaining ownership and control of data

Information on third-party services and distributed infrastructure

Delivering resiliency, availability and flexibility of cloud services

Page 10

COMPLIANCE REQUIREMENTS

• Some countries have laws restricting storage of data outside their physical country borders: India, Switzerland, Germany, Australia, South Africa and Canada

• EU: Data Protection Directive; Safe Harbor Principles – no sending PII outside the European Economic Area unless adequate protection is guaranteed

• USA: US Patriot Act; 40+ states have breach notification laws (25 states have an exemption for encrypted personal data)

• Canada: Freedom of Information and Protection of Privacy Act

Page 11

HONG KONG

• Section 33(2)(f) of the Personal Data (Privacy) Ordinance (transfer of personal data to places outside Hong Kong)

• Forming standards through the HK/Guangdong Expert Committee on Cloud Computing Services and Standards

• Guidelines and information via infocloud.gov.hk

Page 12

INTERCEPTION OF COMMUNICATIONS: REGULATIONS IN HK

• Article 30 of the Basic Law: freedom and privacy of communication of Hong Kong residents shall be protected by law

• Law enforcement agencies: Interception of Communications and Surveillance Ordinance (Cap 589)

• Non-public officers and non-governmental bodies: Telecommunications Ordinance (s24, s27, s29), Personal Data (Privacy) Ordinance, s161 of Crimes Ordinance

Page 13

TWO ISSUES TO THINK ABOUT

- Data residency: transfer of personal information, or moving a data storage device, outside the local jurisdiction

- Data encryption: data should be encrypted before being sent to the cloud, and the data owner should retain the encryption keys
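The second point is a concrete technique: encrypt on the owner's side before upload and never hand the key to the provider. The Go program below is an added example, not code from the slides or from Charles Mok, that shows the pattern with AES-256-GCM from the standard library. The owner generates and keeps the key, seals each object before upload, and the provider's bucket (modelled here as a plain map) holds only nonce and ciphertext; the object name is bound in as associated data so a stored blob cannot be served back under a different name without detection. The object ID and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the cloud provider ever receives: a random nonce, the AES-GCM
// ciphertext (which carries the 16-byte authentication tag) and the object
// name it was sealed under. No key material leaves the data owner.
type Blob struct {
	ObjectID   string
	Nonce      []byte
	Ciphertext []byte
}

// NewOwnerKey generates a 256-bit AES key. In a real deployment this lives in
// the owner's own key manager or HSM, not with the provider.
func NewOwnerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("owner key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext on the owner's side before upload. The object ID is
// bound in as associated data, so a provider or attacker cannot serve the
// ciphertext of one object under the name of another without detection.
func Seal(key []byte, objectID string, plaintext []byte) (Blob, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit nonce; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(objectID))
	return Blob{ObjectID: objectID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a blob fetched back from the cloud. It fails closed on a wrong
// key, a modified ciphertext or nonce, or a renamed object.
func Open(key []byte, b Blob) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.ObjectID))
	if err != nil {
		return nil, errors.New("blob failed authentication: wrong key or tampered data")
	}
	return pt, nil
}

func main() {
	key, err := NewOwnerKey()
	if err != nil {
		panic(err)
	}
	record := []byte("employee=A. Chan;dept=HR;salary=HKD 42000") // constructed sample, fictional
	blob, err := Seal(key, "hr/payroll-2013.csv", record)
	if err != nil {
		panic(err)
	}
	// The provider's bucket (hypothetical, modelled as a map) holds ciphertext only.
	cloud := map[string]Blob{blob.ObjectID: blob}
	stored := cloud["hr/payroll-2013.csv"]
	fmt.Printf("provider sees: %x\n", stored.Ciphertext)

	back, err := Open(key, stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("owner recovers:", string(back))
}
```

Two caveats a practitioner should weigh before adopting this: the provider can no longer index, search or deduplicate the data, and losing the owner's key loses the data, so the key management, rotation and backup regime on the owner's side becomes the real security boundary. GCM also requires that a nonce never repeat under the same key; random 96-bit nonces are fine for ordinary object counts, but a very high-volume system should rotate keys or use a counter-based scheme.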

Page 14

KEY QUESTIONS TO ASK

• What do we need? What is our goal?

• Where are the risks?

• What are the systems, processes, policies and practices we need to mitigate risks?

• How to protect our data assets and keep the cloud platform secure?

• How to ensure transparency and compliance?

• How to evaluate potential cloud service providers?

Page 15

CRITICAL AREAS

Governance

• Governance and Enterprise Risk Management

• Legal and Electronic Discovery

• Compliance and Audit

• Information Lifecycle Management

• Portability and Interoperability

Operation

• Traditional Security, Business Continuity and Disaster Recovery

• Data Center Operations

• Incident Response, Notification and Remediation

• Application Security

• Encryption and Key Management

• Identity and Access Management

• Virtualization

Page 16

PLANNING AHEAD: STRATEGIC APPROACH

• Service models: SaaS, PaaS, IaaS?

• Multiple layers:

Physical security (facilities)

Network security (infrastructure)

System security (IT systems)

Application and data security

Page 17

IDENTIFY, LOCATE AND DEFINE THE RISKS

Identification and valuation of assets

Identification and analysis of threats and vulnerabilities

Risk and incident scenarios

Analysis of the likelihoods of scenarios, risk acceptance levels and criteria

Risk treatment plans with multiple options (control, avoid, transfer, accept)

Page 18

CONSISTENCY BETWEEN YOU AND YOUR PROVIDER

• Alignment of impact analysis criteria and definition of likelihood

• Specify assessment and risk management requirements, e.g. vulnerability assessment, audit logs, activity monitoring

• Detailed in Service Level Agreements, contract requirements and provider documentation

Page 19

OPERATION: KEY AREAS

• Disaster Recovery and Business Continuity

• Breach notification and data residency

• Data management at rest

• Data protection in motion

• Encryption key management

• Identification and access controls

• Long-term resiliency of the encryption system

Page 20

THANK YOU!

Charles Mok, Legislative Councillor (Information Technology)

[email protected]

Facebook: Charles Mok

Twitter: @charlesmok