Considerations in an Outsourced / Cloud World
ARMA Information Management Symposium
Bill Wilson, Chief Privacy Technologist
“The times, they are a-changin”
• 40 years ago – truck full of paper
• 30 years ago – crates of floppy disks
• 10 years ago – hard drives
• Today, the same information can fit on a single DVD or a thumb drive!
Cybercrime
Fraud-related offences are now thought to be as profitable as drug-related offences, estimated at between $10 and $30 billion annually in Canada by the RCMP’s Commercial Crime Branch. The majority of these crimes aren’t committed by kids at their computers; 80% or more of the work is conducted by criminal organizations.
Identity Fraud
• Victims of identity theft or fraud can experience financial loss and difficulty obtaining credit or restoring their "good name".
• In 2009 the average data breach cost the affected business $6.75 million, up from $6.65 million in 2008, according to a Ponemon Institute study.
What your information could be used for:
• Criminals can use your stolen or reproduced personal or financial information to:
  • access your bank accounts
  • open new bank accounts
  • transfer bank balances
  • apply for loans, credit cards and other goods and services
  • make purchases
  • hide their criminal activities
  • obtain passports or receive government benefits
Threat Landscape - Trends
• Top threat events involved external hacking/malware on servers
• Increase in all forms of attacks by all actors
• Industrialization of attacks
• Targeting weak points in the financial system
• Top three industries targeted – Hospitality, Retail, Financial
Threat Landscape - Trends
• Market segmentation
  • Organization size
  • Geographic location
  • Industry
• Low-risk, automated attacks against vulnerable systems
• Sophisticated attacks targeted at intellectual property
Defences
• Understand the threat landscape for your business
• Assess the risks
• Vulnerabilities
• What are you seeing?
• Regulatory requirements
• Industry requirements
Legislation
Personal Information Protection and Electronic Documents Act (PIPEDA)
Key elements for cloud computing:
• Consent
• Collection
• Use
• Disclosure
• Retention
• Safeguards
Personal Information
• Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form.
• Personal information does not include the name, title, business address or telephone number of an employee of an organization.
Cloud Computing Models
• Deployment Models
  • Private
  • Partner
  • Public
• Service Models
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
• Risks vary by deployment and service model
  • Cost
  • Liability
  • Assurance
Considerations
• Ceding of control to the cloud/outsource provider and related impact on governance
• Cloud computing is new – standards are still being developed, supporting technologies are still being enhanced, and there is little to no case law.
Considerations
• Amalgamation of existing technologies; risks in cloud/outsourced computing can be:
  • Existing risks inherent in the technologies used
  • Magnification of existing risks
  • New risks
• Consumer-focused cloud services may present greater risks to data security and privacy due to click-through terms.
Jurisdiction
• Location of the cloud/outsource provider, their infrastructure and your data
• Some countries may be considered higher-risk
• Does the cloud/outsource provider outsource any of its services to other providers in other jurisdictions?
Trans-Border Data Flows
• PIPEDA does not prohibit the transfer of Personal Information (PI)
• But it does establish rules
  • Sharing of information with a service provider is considered a use
  • Additional consent is not required
  • Accountability is not transferred
  • The buck stops with you
Trans-Border Data Flows
• Data protection formalized in a contract
  • Contract cannot override laws
• Assess the risks
  • Don’t jeopardize the integrity, security and confidentiality of customer personal information
• Transparency and notification
  • Advise customers
Lawful Access
• What laws apply to the data, both in transit and at rest?
• Does the host country have lawful access to your data? e.g. US Patriot Act
• Unlawful access?
• Shared storage – consider the implications if a physical device is seized
Compliance
• Maintaining compliance with required regulations
  • PIPEDA, Sarbanes-Oxley, or industry requirements such as PCI-DSS
• Maintaining compliance with certifications
  • ISO 27001
• Breach reporting
  • Does the provider’s breach reporting policy and procedure align with your requirements?
Data Ownership
• Must be clearly defined
• Explicitly state what data the provider has access to and what they can do with the data
• What happens to the data on contract termination?
  • By you
  • By them
  • Other reasons, e.g. failure of the vendor
Data Handling
• Data classification and labelling
  • Prerequisite
  • Drives requirements for data handling in the SLA
• Encryption or additional controls for sensitive data
• Understand the provider’s data handling practices
Processing and Creation of New Data
• Understand what is happening to your data at the cloud/service provider
• What is your service provider doing with the data?
  • Data matching
  • Creation of new data
Data Permanence
• Proper disposal of data must be addressed
  • Redundancy images
  • Backups
• Proof of disposal
  • Certification of disposal
Security
• Existing risks inherent to the technologies used
  • Virtualization, web
• New risks
  • Lack of isolation
• Magnification of existing risks inherent to your processes
Security
• Implications of multi-tenant, shared resources
• Availability and segmentation of audit logs
• Authentication and identity management
• Access control
• Management and monitoring of privileged access
• Security incident response capability
Security
• Provider’s provision for handling conflicting requirements between customers on shared infrastructure
• Clear division of security responsibilities and liabilities between the customer and the provider
• Cloud/outsourcing can provide benefits, mostly related to economies of scale
  • Small businesses may benefit
Summary
• Risk assessment
• Transparency by the provider on its approach to privacy and security
• Certifications
• Contract review, including the SLA and any related/referenced Terms of Service
• Contract monitoring