Cloud & Privacy - Lecture at University Paris Sud - March 18th, 2013

Master Droit Innovation Communication Culture - Franck Franchin - © 2013
1

}  Quick Wording Overview
}  Quick Technology Overview
}  Privacy Stakes
}  Legal & Regulations Concerns
}  Q&A
2

3
“Asking Google to educate consumers about privacy
is like asking the fox to teach the chickens how to
ensure the security of their coop”
Consumer Watchdog, March 2013

}  Cloud
}  CSP – Cloud Service Provider
}  SOA (Service Oriented Architecture), WOA (Web Oriented Architecture)
}  Web Services, XML
}  SLA – Service Level Agreement
}  BYOD (« Bring Your Own Device »)
}  Virtualization, Virtual Machines
}  Scalability, Resource Sharing, Metering
}  Security / Safety/ Availability / Resilience / Privacy
}  CIA (Confidentiality Integrity and Availability)
}  Encryption, PKI
}  Auditability
}  Compliance (PCI-DSS, HIPAA, ISO/IEC 27001)
4

5
Mainframe
Client-Server
Web
SOA
Cloud
1980

1990

2000

2010

1970

}  Many Services : CPUs, Storage, Middleware,
Backup, Translation, Payroll…
}  On demand service: just a few minutes needed
so that resources may be rent and available
}  Wide access: no bandwidth limits (basically…)
}  Metering service: pay as you consume, cost-
effectiveness, no resources waste
}  Effective scalability: Quick, cost-effective and
efficient down- or up-sizing
}  Resource-sharing: Cost reduction
6
Source:
NIST

Examples
}  Microsoft Office 365
}  Salesforce.com
}  Google Apps
}  Microsoft Azure
}  Amazon EC2, S3
}  Google App Engine
}  Microsoft Azure
}  Amazon EC2
}  Oracle IaaS
7

8
Legacy
Infrastructure
(as a Service)
Platform
(as a Service)
Storage
Servers
Network
OS
Middleware
Virtualization
Data
Applications
Runtime
Storage
Servers
Network
OS
Middleware
Virtualization
Data
Applications
Runtime
CoudProvider-managed
Customer-managed
Customer-managed
Storage
Servers
Network
OS
Middleware
Virtualization
Applications
Runtime
Data
Software
(as a Service)
Storage
Servers
Network
OS
Middleware
Virtualization
Applications
Runtime
Data
Customer-managed

}  Private Cloud:
◦  Infrastructure Owned or Rented by Customer
◦  Internal or External to Customer Premises
}  Community Cloud:
◦  Shared Infrastructure by a specific business or academics
community or by a State
◦  Internal or External to community members Premises
}  Public Cloud:
◦  Infrastructure owned by the Cloud Service Provider
◦  Rented by Customer to the Provider
}  Hybrid Cloud:
◦  Mixed Cloud Services with data exchange and applications
portability
9

0.0%$
10.0%$
20.0%$
30.0%$
40.0%$
50.0%$
60.0%$
70.0%$
80.0%$
Security$
Perform
ance$Availability$
Hard$to$Integrate$
Hard$to$Custom
ize$
CostFEﬀecIve?$
Back$inFhouse?$
Regulatory$Com
pliance$
Source:(IDC(2008(Summer(
10

}  More than 60% of cloud users think the above
types of information are too risky to be
implemented into the cloud:
◦  Intellectual Properties
◦  Financial Information
◦  Health Information
◦  Employee Records
}  As amazing as it may sound, only 39% are
skeptic about storing ‘credit card
information’ (data collected before Sony Network hack)
11

}  Security is not a competitive advantage
}  It’s customer’s responsability to secure the cloud
}  Applications have to be evaluated for security
threats prior to deployment in the cloud
}  Less than 10% of Opex & Capex is dedicated to
security
}  Customers are interested by the cloud because of
lower cost and faster deployment not security nor
regulation compliance like privacy
12

Most often used Less often used
}  Firewalls
}  Anti-virus and anti-
malware
}  Encryption for data in
motion
}  Patch management
}  Log management
}  Single sign-on
}  Data loss prevention
}  Correlation or event
management
}  Access governance
systems
}  Encryption for wireless
communication
13

14

}  80% of survey respondents access cloud
applications for business purposes via their
smartphones
}  71% do so via a tablet
}  and 81% use a non-company computer
}  71% admitted to accessing cloud applications,
such as Dropbox or Google Drive, that have
not been sanctioned by their IT department.
 
OneLogin – 2013 Survey
15

}  Provisioning, Directory Synchronization & Identity
Management Issues at large scale
}  Certificate and Key Revocation
}  Single Point of Failure : Connection between The Cloud
Provider and the Customer
}  Full-Private Encryption (aka data non ‘readable’ by Cloud
Provider) is VERY difficult (homomorphic encryption…)
}  Cloud Usage by Hackers and Cybercrime (Amazon Case) !
◦  Password Cracking by brute force
◦  DDoS Attacks
◦  Captcha Cracking
◦  IP Blacklisting
16

}  Lifecycle of Cloud Technologies
}  Lifecycle of Cloud Provider
}  Contract lock-in, destroying or sanitizing information at the
end of the service relationship
}  Encryption (who owns/manages the keys ?)
}  Compliance Management
}  Legal Issues (foreign court orders or subpoenas, foreign
agencies warrants)
}  Data Retention
}  Multiple-Countries Location 
(Sub-contracting to low-cost countries)
}  Data and Goodwill Ownership
}  Sweet Target for Hackers and Cybercrime
}  Massive Crash due to cyber-attacks or one major failure
17

}  An average cloud customer typically cannot visit a
cloud data centre and perform an audit on all of
their infrastructure components across multiple
data centres
}  The audit itself could also violate the privacy of
other cloud customers, and thus the EDPD, by
exposing and identifying private data, as the
auditors would have to access the entire cloud
infrastructure
}  Virtualization (cross-hardware, cross-data centre,
cross-countries) makes audit and privacy
regulations compliance a nightmare
18

}  Search – Yahoo or Google keep your data for 18
months !
}  Webmail – Google goes through every word of every
Gmail that’s sent or received to sell targeted ads.
}  Google Docs
}  Street View (Wifi traffic and pwd scans… hum ?)
}  Conference Management Systems - very used in
academic research community with document
sharing (papers, reviews, patent drafts)
FREE SERVICE DOES NOT EXIST !
19

}  The data controller (CIL) differs upon cloud model:
◦  Private cloud: If the organisation is using a private cloud there
can only be one data controller as they have control over how
the data is processed in the cloud.
◦  Community cloud: The likelihood of more than one data
controller accessing the cloud service is high. The cloud
provider is the data processor and there are many cloud
customers/organisations sharing data through the cloud. In
this circumstance the roles and shared responsibilities of each
data controller need to be clear.
◦  Public cloud: The role of the data controller/organisation
becomes more complicated as the organisation will have very
little control over the operations of the cloud provider. 
BUT the organisation is still responsible for the data they
choose to process in this way and remain the data controller.
20

}  Data Assessment and Categorization (minimum on
a yearly base) 
Not all data needs to be in the cloud
}  Privacy Assessment (customers, business partners
and employees data)
}  Cloud users awareness about data in the Cloud
}  Monitoring and Auditing (minimum on a yearly
base) 
Confidence and Compliance are built on Control
}  WRITTEN CONTRACT (prohibit online license
agreements which dynamic evolve and change for
‘enhancing customer experience’…)
21

}  The Foreign Intelligence Surveillance Act of 1978 prescribes
procedures for requesting judicial authorization for electronic
surveillance and physical search of persons engaged in
espionage or international terrorism against the United States
on behalf of a foreign power.
}  The Stored Communications Act of 1986 is a law that
addresses voluntary and compelled disclosure of "stored wire
and electronic communications and transactional records"
held by third-party internet service providers (ISPs)
}  Patriot Act - Signed by President George W. Bush on October
26, 200, renew by President Bush on March 9, 2006
}  The Foreign Intelligence Surveillance Act Amendment Act
(FISAA - 2008) allows US authorities to spy on cloud data that
includes Amazon Cloud Drive, Apple iCloud and Google Drive.
22

}  The US law allows American agencies to access all private
information stored with firms within Washington’s
jurisdiction, without a warrant, if the information is felt to be
in the US interests.
}  That means any company with a presence in the US and
regardless of where the data is stored or the existence of any
conflicting obligations under the laws where the data is
located
}  Some US-based cloud services and hosting companies might
not be able to comply with the EDPD : customers whose
private data should have been disclosed under FISA won’t be
always notified (which is not compliant with EC directives)
23

}  The famous 95/46/EC Directive
}  The European Data Protection Directive
requires companies to inform users when
they disclose personal information
}  There are clauses in the Directive that allow
data to be stored outside of the EU
}  Evolution in progress since 2012 ; but strong
lobbying against data breach notification
enforcement and data aggregation processing
restrictions
24

}  The U.S.-EU Safe Harbor Framework provides guidance for
U.S. organizations on how to provide adequate protection for
personal data from the EU as required by the European
Union's Directive on Data Protection.
}  Participation is voluntary
}  Based on principles agreed by Directive 95/46 (October,
1995)
}  Five major points :
◦  Data owner has been informed of data processing and transfer
◦  Data owner can revoke the rights he granted.
◦  Explicit agreement
◦  Access and change right (aka droit d’accès et de rectification)
◦  Data security (confidentiality, integrity, availability)
25

}  Payment card security standards body PCI Security Standards
Council (PCI SSC) has released new guidance for merchants
using cloud-based systems for customer payment data
}  “Many merchants mistakenly believe that if they outsource
everything to a cloud service provider, much of of the
responsibility goes away for being PCI compliant –
unfortunately, that’s simply not the case,” Bob Russo, general
manager at the PCI Security Standards Council “A merchant
needs to ensure that a cloud services provider is PCI-
compliant not just for its own piece, but for the entire
spectrum, including what that provider is specifically doing
for the merchant.”
26

}  TFTP (Terrorist Financing Tracking System)/
SWIFT (28 Juin 2010)
}  Europol in charge of
}  Audit conducted by Europol in Nov 2010,
with warning report issued in March 2011
}  Too generic requests are made by US (Dpt of
Treasury) but acknowledged by Europol
}  So generic, it’s impossible to confirm these
requests are compliant with European Data
Protection Directives
27

}  Nova Scotia Case - As part of a criminal
prosecution in US, the Court requested that
the US subsidiary disclosed documents stored
in Cayman Islands.
}  Valetta Case – Australian subsidiary of this
Maltin bank was summoned by australian
Court to disclose documents stored in Malta
28

29
Source:
h-p://geekandpoke.typepad.com/

}  Foreign Intelligence Surveillance Act (http://www.gpo.gov/fdsys/pkg/BILLS-110hr6304enr/
pdf/BILLS-110hr6304enr.pdf)
}  Patriot Act (http://www.justice.gov/archive/ll/highlights.htm)
}  European Data Protection Directive (http://eur-lex.europa.eu/smartapi/cgi/sga_doc?
smartapi!celexplus!prod!CELEXnumdoc&lg=FR&numdoc=31995L0046)
}  Safe Harbor (https://safeharbor.export.gov/list.aspx)
}  European Parliament – “Fighting Cyber crime and protecting privacy in the
cloud” (
http://www.europarl.europa.eu/committees/en/studiesdownload.html?
languageDocument=EN&file=79050)
}  CSA (Cloud Security Alliance) – “Privacy Level Agreement – PLA” (http://)
}  Cloud Computing in Higher Education and Research Institutions and the USA
Patriot Act (http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2181534)
30

Cloud & Privacy - Lecture at University Paris Sud - March 18th, 2013

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Cloud & Privacy - Lecture at University Paris Sud - March 18th, 2013

Semelhante a Cloud & Privacy - Lecture at University Paris Sud - March 18th, 2013 (20)

Último

Último (20)

Cloud & Privacy - Lecture at University Paris Sud - March 18th, 2013