
Page 1

© IT Governance Ltd 2016 – Copyright IT Governance Ltd 2016 – v1.0

Privacy and the GDPR: How Cloud computing could be your failing

Adrian Ross

GRC Consultant

IT Governance Ltd

Nigel Hawthorn

EMEA Marketing Director

Skyhigh Networks

Page 2

Introduction

• Adrian Ross

– GRC consultant

– Intellectual property

– Data protection and information security

• Nigel Hawthorn

– Author of GDPR: An Action Guide for IT

– Speaker on data protection, privacy and security

– Chief European spokesperson for Skyhigh Networks


Page 3

IT Governance Ltd: GRC one-stop shop

All verticals, all sectors, all organisational sizes

Page 4

About Skyhigh

• Provides visibility, control and security of Cloud computing

• For shadow Cloud and approved Cloud services

• Enables faster assessment of Cloud services (50+ attributes)

• Adds full logging for data loss investigation

• Alerts on anomalies when accessing Cloud services

• Helps set policies for Cloud access

• For SaaS, IaaS and PaaS

• Adds DLP, threat protection, access control and encryption

• Enabling Cloud security for enterprises

Page 5

Agenda

• An overview of the General Data Protection Regulation (GDPR).

• Breach notification requirements under the GDPR and a showcase of recent data breaches and their costs.

• Organisations’ responsibilities when storing data in the Cloud, and the roles of controller and processor.

• The outcome of subcontracting on Cloud service providers and notifications on activities in the Cloud.

• The role and responsibilities of the Cloud adoption team.

• ISO 27018 and implementing security controls for PII in the Cloud.


Page 6

An overview of the General Data Protection Regulation (GDPR)

A defining moment for digital rights in Europe and beyond

• Point of reference is Article 8 of the Charter of Fundamental Rights.

• The result of negotiations between the European Parliament, Council and Commission.

• A harmonising regulation.

• Intended to be one of the longest laws on the Union’s statute book.

• Applies to organisations inside or outside the EU that process personal data.

• Introduces legal obligations on controllers and processors.

• Fines of up to 2% or 4% of total annual worldwide turnover.

• Immediately applicable in each Member State.

• Applies from 25 May 2018.

Page 7

The GDPR: Top ten aspects of the Regulation

• Increased fines - 4% of global turnover or €20,000,000.

• Opt-in consent - Clear, no opt-out, use data only as agreed.

• Breach notification - 72 hours to regulators, users “without delay”.

• Territorial scope - All organisations with data on EU individuals.

• Joint liability - Data controllers and processors.

• Right to removal - The users are in charge.

• Removes ambiguity - 28 laws become one.

• Data transfer - Data keeps privacy rights as it moves globally.

• Common enforcement - Authorities will be strict.

• Collective redress - Class action lawsuits from individuals.

Page 8

Data breach notification

• How do you know you have had a breach?

– Traffic anomalies, search for lost credentials on dark web, user input?

• How will you check the scope of the incident?

• Can you stop a breach in progress?

• You have 72 hours to tell the regulator after becoming aware of the breach.

• You must inform the data subjects “without undue delay”.

• This is when speculation can run riot – be precise.

• Define various communication plans, depending on circumstances.

• You do not need to tell the data subjects if the traffic has been encrypted.

Expect a data breach – define the organisation’s plan

Page 9

Data loss receipt - TalkTalk

Page 10

Assume the worst

• First tweet – 11:13pm Saturday night – 5th November 2016

Page 11

Trust boundaries in the Cloud

• Scope extends to the trust boundary – on both sides!

– Adapted from Cloud Computing www.itgovernance.co.uk/shop/p-465-cloud-computing-assessing-the-risks.aspx – Figure 2

• What happens beyond the trust boundary?

Page 12

The responsibility of the controller when storing data in the Cloud

• Implement appropriate technical and organisational measures;

• Implement appropriate data protection policies;

• Adhere to approved codes of conduct or certification mechanisms;

• Controller still needs legitimising reason for transfer;

• Data protection principles still apply;

• Use of model clause meets the above criteria;

• Legal obligation is on the controller to ensure compliance with law;

• Legal obligation is on the controller to inform data subject of transfer.

Page 13

The responsibility of the processor when storing data in the Cloud

A legal contract must ensure that the processor:

• processes the personal data only on documented instructions from the controller;

• ensures that persons authorised to process the personal data observe confidentiality;

• takes appropriate security measures;

• respects the conditions for engaging another processor;

• assists the controller by applying appropriate technical and organisational measures;

• assists the controller in ensuring compliance with the obligations to security of processing;

• deletes or returns all the personal data to the controller after the end of the provision of services;

• makes available to the controller all information necessary to demonstrate compliance with the Regulation.

Page 14

This will lead to

• Clearer delineation of lines of responsibility for data.

• A focus on how the Cloud infrastructure is protected.

• An increased focus on how customer data is protected.

• A bigger focus by Cloud providers on what data is stored on infrastructure.

• Increased costs of compliance for Cloud providers.

• How does a Cloud provider comply with ‘the right to be forgotten’?

• Increased use of metadata about individuals to identify what data is stored where.

• The EU GDPR can now be viewed as global data protection law.

• ISO 27001 and ISO 27018 now brought more into focus.

Page 15

Dealing with the complexity of Cloud and subcontracting

How Many Unsanctioned Apps & Cloud Services Are We Using?

Page 16

• Per company, unique services

Page 17

Security controls vary by provider

Page 18

Authentication and logging

Page 19

Cloud adoption team: Responsibilities

• Review current data sets and services

– Don’t forget employee data

• Set minimum standards for Clouds and app services

• Implement contracts with approved services

• Define approved Cloud services

– Migrate users to approved services

• Implement policies to block/allow/warn users of risks

• Implement monitoring, DLP, anomaly checking

• Integrate with LDAP, AD, SSO services

• Publish approved Cloud services list

• Review requests for new Cloud services

Page 20

First two steps: Gain visibility and identify solutions

• Gain visibility into today’s use

– Declare amnesty – ask for input

– Review data traffic

• Identify the high-need services

– Evaluate the business benefits from different solutions

– Define minimum security attributes

– Declare the standard app/service

– Encourage use and enforce controls

– Provide time to migrate

– Block/redirect to approved services

• Build a cross-functional team

Page 21

Cloud adoption goal

• Start publishing a list of acceptable services/apps

– Explain why these were chosen

• Clearly communicate data categorisation if you have it

– Use a real-life example to explain why

• Review AUP; see if it can be more flexible

– “if no confidential information…”

• Go from the department of ‘no’ to the department of ‘know’

• Add controls to secure Cloud as you would on premises

– SSO, encryption, logging, anomaly investigation, sharing policies, etc.

Page 22

IT Governance: GDPR self-help

• One-day accredited Foundation course (classroom, online, distance learning)

– www.itgovernance.co.uk/shop/product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course

• Four-day accredited Practitioner course (classroom, online, distance learning)

– www.itgovernance.co.uk/shop/product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course

• Pocket guide www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide

• Implementation manual http://www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide

• Documentation toolkit www.itgovernance.co.uk/shop/product/eu-general-data-protection-regulation-gdpr-documentation-toolkit

Page 23

Other useful sources of information

Cloud Acceptable Use Policy

Below is a template our customers may use for their users to request access to cloud services. If you have any suggestions on how to improve the document, please send them to (is there a CS team email alias?)

This policy is the cloud computing acceptable use policy, provided as part of the terms of employment and in addition to the Internet Acceptable Use Policy. The latest version of this policy can be found online at: https://intranet.company.com/cloud-policy.html

Approved cloud services are listed online at: https://intranet.company.com/approved-cloud.html

The cloud management team can be contacted on cloudteam@company.com

Cloud computing offers a number of advantages including low costs, high performance and efficient delivery of services. However, without adequate controls, it also exposes individuals to online threats such as data loss or theft, unauthorized access to corporate networks, loss of name/password credentials and viruses and other malware.

The company allows employees to access safe, secure cloud services with approval from the cloud management team in certain circumstances. This cloud computing policy is designed to safeguard the employee and the company’s information. It is imperative that employees NOT open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-related communications or company-owned data without approval of the cloud management team. This is necessary to protect the integrity and confidentiality of company data and the security of the corporate network. The following guidelines are intended to establish a process whereby employees can use cloud services without jeopardizing company data and computing resources.

Scope

This policy applies to all employees in all departments with no exceptions. This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded. If you are not sure whether a service is cloud-based or not, please contact the cloud management team.

Cloud Computing Management Team

Organizations should be able to embrace cloud services without risk, to comply with regulatory policies and local data protection laws, and to identify compromised accounts and devices and insider threats. The decision-making on acceptable cloud services is multi-faceted and so it is recommended that customers create a Cloud Computing Management Team with the following responsibilities:

· Decide on approved, acceptable and denied services for the organisation

· Communicate that list for employees to check before asking for approval for new services

· Define the cloud computing acceptable use policy for the company

· Review cloud computing access, to check that employees are using cloud computing in line with the policies

· Continuous monitoring of cloud computing for changes in circumstances of cloud providers

· Continuous monitoring of cloud traffic to check for appropriate use, activity that may indicate loss of credentials, potential insider threats & employee flight risks, infected machines, over-sharing of confidential data, unsupported device downloads, & uploads to unusual or previously unknown destinations

· Make sure that the company is achieving optimal pricing and that the company is not engaging with many overlapping services

· Ensuring that other aspects of computing integrate with the cloud computing services, such as single-sign-on services

· The cloud computing service must be fully integrated with other IT functions such as networking (delivering policies to egress devices), Active Directory, data leak prevention, logging and active reporting.

· Check and approve contracts with cloud providers

· Educate employees on appropriate and inappropriate cloud use

· Regular reporting on cloud use to senior management.

The Cloud Computing Management Team should be multi-disciplined and contain representatives with these areas of knowledge:

· IT Security

· Finance

· Risk & Compliance

· Legal

· A representative of the employees

· A representative from senior management

Decision-making on cloud computing should be based on multiple sets of criteria, including

Cloud Request Form

Below is a template our customers may use for their users to request access to cloud services. If you have any suggestions on how to improve the document, please send them to (is there a CS team email alias?)

Employees are allowed to access cloud services to improve their productivity. Sadly, many cloud services can be dangerous to use as they may be conduits for data loss due to lack of security measures, poorly configured or even designed specifically to steal confidential data. They can also be a source of viruses and other malicious code, hosted in countries with no privacy regulations, break our company policies, regulations or data protection laws, and therefore employees must request access before using cloud services. The cloud management team will respond within 48 hours to give initial approval, denial or suggest other cloud services that may be equivalent. The company’s full cloud acceptable use policy is available online at: https://intranet.company.com/cloud-policy.html

Once filled out, please send the form to: mailto:cloudteam@company.com?subject=Cloud Request

Requester

Department

Email Address

Phone number

Manager’s name

Cloud Service Requested

url if known

Purpose for access

Number of employees requiring access

Cost, if any

End date (if temporary)

Business Partner Accessing Data (if any)

Skyhigh European Cloud Adoption & Risk Report:

http://info.skyhighnetworks.com/WPCARRQ12016EU_Download_White.html

Cloud Security Alliance 2016 Survey:

http://info.skyhighnetworks.com/WPCSASurvey2016_Download_Green.html

Skyhigh GDPR: An Action Guide for IT:

http://bit.ly/GDPR-Action-Guide
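The adoption team's "monitoring, DLP, anomaly checking" duty and the policy template's "continuous monitoring of cloud traffic ... uploads to unusual or previously unknown destinations" bullet, expressed as a screen over constructed proxy-style log lines. This is an added example, not code from the slides, IT Governance or Skyhigh; the log format, service names, approved list, known-destination baseline and the 1 GB volume threshold are all assumptions.

```python
"""Screen cloud-access log lines against the published approved-services list
and a baseline of destinations seen before, flagging what the team would review."""
import re
from collections import defaultdict

# Constructed sample log (proxy/CASB style): timestamp user action service bytes
SAMPLE_LOG = """\
2016-11-05T09:12:01Z alice UPLOAD storage-a.example 120000
2016-11-05T09:15:44Z bob DOWNLOAD mail-b.example 30000
2016-11-05T09:20:10Z alice UPLOAD share-c.example 52000000
2016-11-05T09:21:00Z carol UPLOAD storage-a.example 3000000
2016-11-05T09:40:33Z bob UPLOAD paste-d.example 2400
2016-11-05T10:02:15Z carol UPLOAD storage-a.example 2000000000
"""

APPROVED_SERVICES = {"storage-a.example", "mail-b.example"}      # assumed published list
KNOWN_DESTINATIONS = {"storage-a.example", "mail-b.example",     # assumed baseline of
                      "share-c.example"}                          # destinations seen before
UPLOAD_VOLUME_LIMIT = 1_000_000_000  # assumed: 1 GB uploaded per user per log window

LINE_RE = re.compile(r"^(\S+) (\S+) (UPLOAD|DOWNLOAD) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines so one
    bad record does not abort the whole review."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, service, nbytes = m.groups()
    return {"ts": ts, "user": user, "action": action,
            "service": service, "bytes": int(nbytes)}


def unsanctioned_services(log_text, approved=APPROVED_SERVICES):
    """Answer the slide's question: which services in use are not on the list?"""
    events = (parse_line(l) for l in log_text.splitlines())
    return {ev["service"] for ev in events if ev and ev["service"] not in approved}


def screen(log_text, approved=APPROVED_SERVICES, known=KNOWN_DESTINATIONS,
           limit=UPLOAD_VOLUME_LIMIT):
    """Return (finding, user, detail) tuples for the adoption team to review:
    unsanctioned-service, unknown-destination (upload to a never-seen service)
    and upload-volume (per-user upload total over the assumed limit)."""
    findings = []
    upload_totals = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["service"] not in approved:
            findings.append(("unsanctioned-service", ev["user"], ev["service"]))
        if ev["action"] == "UPLOAD":
            if ev["service"] not in known:
                findings.append(("unknown-destination", ev["user"], ev["service"]))
            upload_totals[ev["user"]] += ev["bytes"]
    # Volume is judged per user across the window, not per single event.
    for user, total in upload_totals.items():
        if total > limit:
            findings.append(("upload-volume", user, str(total)))
    return findings


if __name__ == "__main__":
    print("unsanctioned:", sorted(unsanctioned_services(SAMPLE_LOG)))
    for finding in screen(SAMPLE_LOG):
        print(*finding)
```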

Page 24

[email protected]

0845 070 1750

www.itgovernance.co.uk