
Cloud computing and data protection

Cloud computing and data protection. Simon Rice Principal Policy Adviser (Technology). #dpoc2012. Overview. Cloud computing: A definition The Data Protection Act 1998 vs. the cloud The risks? The solutions? 40 minutes -> 20 minutes questions WARNING: Contains audience participation.


Presentation Transcript


  1. Cloud computing and data protection Simon Rice Principal Policy Adviser (Technology) #dpoc2012

  2. Overview • Cloud computing: A definition • The Data Protection Act 1998 vs. the cloud • The risks? • The solutions? • 40 minutes -> 20 minutes questions • WARNING: Contains audience participation

  3. What is YOUR definition? What is it? Why do you want it?

  4. Cloud computing • Who has knowingly used a cloud computing resource? • What about: • Web-based email: Hotmail, Gmail • Online software: Microsoft 365 • Social media: Facebook, Twitter, Flickr • Mobile devices: iOS, Android • Backup/storage: AWS, Dropbox, BT Vault • Hosting: Rackspace, Google Sites

  5. Cloud computing: A definition • “Access to computational resources on demand via a network”

  6. Computational resources • “Access to computational resources on demand via a network” • Storage • Processor • Memory • Files • Software

  7. On demand • “Access to computational resources on demand via a network” • “How much you want” • Often on a pay-per-use basis • Utility computing

  8. Via a network • “Access to computational resources on demand via a network” • Implies some data transit • Likely a transfer to a different network • May be outside of your direct control (i.e. public cloud)

  9. What does it look like?

  10. Why “cloud”? • A cloud has long been used as a graphical depiction of computer architectures

  11. What’s so great about it? • A computer is like a motorway - It slows down when too many people try to use it! • Think about what happens when too many people try to view a website at the same time? • Buying Glastonbury tickets • Registering for Olympic tickets • Reading BBC News on 9/11 • Watching Royal Wedding video on YouTube

  12. Using the cloud • A website will experience peaks and troughs • Traditionally a website would be built to withstand the “average maximum” • This therefore leads to inefficiency as perhaps only 10% utilised • Increased purchase cost • Increased running cost • But if your website is on a cloud infrastructure you can buy in additional resource only when you need it

  13. So what do we have now?

  14. And how does the cloud differ?

  15. Not all clouds look the same!

  16. What it might look like Software as a service Platform as a Service Infrastructure as a Service

  17. Service models • SaaS – consumers use applications running on the cloud • PaaS – consumers can deploy applications to run on the cloud • IaaS – consumers can configure the provisioning that controls their applications (e.g. operating system, disc space, firewalls)

  18. Deployment models • Private cloud - operated solely for a single organisation • Community cloud – a private cloud shared by several organisations • Public cloud - available to the general public • Hybrid cloud - composition of two or more clouds

  19. Distributed storage

  20. Pause… • Any cloud questions?

  21. Data Protection Act: Back to basics • Data Controller • A person who determines the purposes and the manner in which any personal data are, or are to be, processed • Data Processor • A person who processes the data on behalf of the data controller • Processor acts solely on the instructions of the controller • Liability lies with the controller • Who is the data controller and the data processor in the cloud?

  22. Who determines the processing?

  23. What are the data protection issues? • What is personal data? • Who can see my personal data? • Where is my personal data? • Is there really anything new here? • Security • Outsourcing • Overseas transfer rules

  24. What are the data protection benefits? • Potential to be more user-centric • Data subject can be in control • Improved subject access • Data subject can keep things up-to-date • Greater transparency / Accountability • Potential for increased security from a dedicated provider

  25. What is personal data? • The personal data you place in the cloud • User profiles • User data • Customer data • Meta-data • Usage data you collect about users • Usage data your cloud provider collects about your users

  26. Who can see my data? • Security (Principle 7) • Physical security • Encryption • in transit (to and within the cloud provider) • at rest • Passwords & remote access • Provider access • Data disclosure • Access by my neighbours?

  27. Where is my personal data? • Multiple copies in multiple locations • Where are the data centres? • Redundant copies • Back-ups • Sharding • Shared resources • Deletion • Retention • Layered services • Is your SaaS provider using a different IaaS provider? Overseas Transfers (Principle 8)

  28. Other risks • Loss of governance (who has access?) • Lock-in (can you transfer to somewhere else?) • Isolation failure (eggs in one basket?) • Data segregation (whose data is next to yours?) • Regulatory compliance (are you allowed to do it?) • Data location (where is your data?) • Data recovery (can you get it back?) • Staff training (do they know what to do?)

  29. More risks… • Written contract • Monitor performance • Access control • Connectivity • Reliability and resilience • Scalability (restricted by contract?)

  30. Thinking about a move to the cloud? • Conduct a risk assessment before contracting with an online services company • What security do they offer? • What are the T&Cs / SLAs? • Can I get my data out? • Look at your data: • How will it be accessed? • Where will it be accessed?

  31. Guidance • Ask your cloud provider difficult questions…

  32. Can the issues be designed out? • Privacy by Design • Privacy Impact Assessments • Do you really need the personal data? • How long do you really need it for? • Can you protect some or all of the (personal) data?

  33. PbD: Cloud SaaS • Privacy by default • Private profiles • Transparency • Third party domains / cookies • Delete inactive / dormant accounts • Security • Forced HTTPS • Force strong passwords or allow 2FA • Restrict logon by IP address

  34. PbD: Mobile devices • The very nature of the cloud enables remote and/or mobile access • Need to make devices “safe to lose” • Secure storage when not in use • Remote wipe • Enforce strong passwords • Password expiration • Block failed password attempts • Trusted devices • Time out locks • External, internal or DMZ?

  35. Summary • Cloud means different things to different people • Different implementations have different data protection issues • Data controller must assess the risks and remain in control • Data security and data location key DP issues • Many issues can be resolved early in the system design lifecycle

  36. Questions?

  37. Keep in touch Subscribe to our e-newsletter at www.ico.gov.uk or find us on… • www.twitter.com/iconews

  38. A: Cloud computing (The Buckingham Suite) • B: Data Sharing (The Grand Room) • C: Subject access requests and information held in complaints files (Palace 7) • D: Do all members of your organisation understand the importance of data management? (Palace 6) • E2: Principle 8: Binding Corporate Rules (Palace 1) • F: Reporting breaches (The Oak Room) • G: Using personal data for medical research (Palace 4) • H: Section 40 Tribunal decisions (Palace 5)
