Privacy and Security policies in the cloud
Download as PPTX, PDF1 like207 views
The document discusses challenges and necessary advancements in the data protection legal framework concerning cloud computing, emphasizing the importance of trust amid concerns about security and regulation. It highlights the dominance of non-EU cloud providers, the rapid pace of service development, and the need for clear regulations and existing certification schemes. Recommendations include promoting flexible regulations, raising awareness of cloud security, and supporting innovative solutions to enhance trust in cloud services.
Privacy and Security policies in the cloud
- 1. 1 Analysing the Current Data Protection Legal Framework: challenges and ways forward Privacy policies for the cloud Prof David Wallom
- 2. Overview • Worried? should you be? • Its all about trust • Bolster trust or make it so we don’t need it…
- 3. Why all this worry?
- 4. Why all this worry? – Cloud computing is pervasive in modern society
- 5. Cats, Kids and fun…
- 6. Its not just all about cats and kids…
- 8. Why all this worry? – Cloud computing is pervasive in modern society – Limited market penetration from EU cloud provider -> vast majority of cloud providers based outside EU
- 9. Who are the cloud providers?
- 10. Why all this worry? – Cloud computing is pervasive in modern society – Limited market penetration from EU cloud provider -> vast majority of cloud providers based outside EU – Pace of service development and nefarious capability outstrips that of the regulatory environment
- 11. What should you think about when… Who are you entering into a contract with? What protections does your contract give you? Who can make changes to the T&C? Where is the data? On whom is the liability?
- 12. 7 Cloud Computing security risks
- 13. Trust at the Last Mile • Problem for high value instantly usable data and services – Critical data or keys are still exposed inside the cloud at the final steps – Still require customers unconditional trust of their CSP
- 14. “What is really going on inside the cloud?”
- 15. Building trust through brands
- 16. New Industries Around Security and Trust
- 17. Building trust through regulation
- 18. Approach: Government procurement framework Highlights: • Based on ISO 27001 • Most data is “official” • Reusable certification European Union: ENISA CCSL and CCSM Approach: Procurement guidance Highlights: • Maps certification regimes relevant to cloud customers Notable strength: • Flexible Notable strength: • Standards-based Notable strength: • Transparent Notable strength: • Risk-based Public sector approaches to cloud security Approach: Government procurement framework Highlights: • Based on NIST 800- 53v4 • Moderate and High baseline controls Approach: Government procurement guidance Highlights: • Risk-based approach encouraged • 5 control levels
- 19. Over-regulation can stifle innovation
- 20. Conclusions from a recent workshop on Cloud Security and certification • Trust and security are key to the successful adoption of cloud computing and its ability to drive European economic expansion, • Urgently gain clarity in the implementation of newly introduced regulatory regimes • Promote the use of existing certification schemes and standards • Raise awareness of cloud security and ensure understanding of what cloud security means • Support the Free Flow of Data
- 21. To end… • Recommendations for Future Policy Action – What does cloud mean? – automation – What would destroy cloud – over regulation and interruptions in automated interactions – Flexibility to allow innovative services to develop – Where possible use open standards and approaches more generally to allow transparency • Technology solutions including the unification of trusted and cloud computing may break the need to trust you provider – May end up with no-one able to see inside though…
Editor's Notes
- #15: How to effectively verify “what is really going on inside the cloud”. Whether the acquired Cloud services are enforced; Whether only the acquired Cloud services are accessing customers’ data.
- #19: In addition to developing cloud strategies, various countries and regions are taking the next step of developing cloud security requirements for government services or even as national policies. Each of their approaches have varying strengths from which countries can learn as they develop requirements and iterate going forward. With its Cloud Strategy, NIS Directive, and the Digital Single Market strategy, the EU is pushing the importance of innovation, security, and resilience. While it is still unclear what the final form of the NIS Directive will be, it is likely that the Directive will encourage regulation that affects cloud service providers. In addition to being innovative, it is important that such regulation ultimately considers the other principles mentioned here today, including flexible, data-aware, risk-based, global standards-based, and transparent. Using these principles will ensure that countries are able to implement the regulations in the way that makes the most sense for them and that workable requirements ultimately result. A good first step is the EU’S Cloud Certifications Schemes List and Cloud Certification Schemes Metaframework, which are flexible tools that cloud customers can use to guide their procurement of secure and resilient cloud services. The UK’s G-Cloud program, in addition to demonstrating data awareness, is global standards-based, utilizing ISO 27001 as its basis and adding only a thin layer of unique requirements. In addition, G-Cloud takes the standards-based principle a step further in creating a reusable certification, which results in efficiencies similar to those achieved by utilizing global standards. It is also flexible, with multiple levels of certification possible, allowing government agencies to choose which level meets their needs. In the US, FedRAMP has been developed and improved through consultation with cloud service providers, enabling important transparency. FedRAMP is also fairly flexible, as Moderate and High baselines are being developed, and government agencies will be able to choose which certification levels make sense for their varying data and services. However, as FedRAMP layers many controls and control parameters on top of NIST 800-53 rev. 4, it could be improved by being more risk-based and global standards-based. In Australia, the Department of Defence has developed a new Information Security Manual, encouraging Australian government agencies to use its manual by taking a risk-based approach in evaluating which of the controls it outlines are important for their cybersecurity and cloud security. It also demonstrates data awareness, mapping the controls to five levels of data sensitivity (from a baseline level to top secret). In conjunction with the new cloud policy allowing agencies to determine for themselves whether to host data offshore, this policy enables flexibility.