Ran Adler, VP Services at 2BSecure Presentation on privacy regulations in Israel, Privacy Shield & GDPR.

1. Cloud and Privacy regulations
Ran Adler, VP consulting services, 2Bsecure

2. Our Goal…

3. Lecture Agenda
• Is cloud is a real danger?
• If I was the regulator what would I do?
• Understanding regulations types
• GDPR and the new Israeli’s privacy rules
• BOI and the Insurance Supervision regulations in Israel
• ISO and PCI DSS

4. Is cloud is a real danger?
• Yes!!
• Someone else can see your staff…
• Subpoenas…
• Who run’s the encryption keys?
• Multi tenancy risks
• Lack of transparency
• And many more…

5. So why bother?
Or why should regulators even consider of
allowing the usage of cloud services?

6. - Because cloud can be cheaper
- Because by allowing cloud - encourages competition
- Because allowing cloud is allowing progress
- Because cloud can be much more secure
Why?

7. Examples for cloud security advantages:
• If you need a stable and redundant application for your
customers.
• IfYou want to make sure that all patches and updates are
well implemented (SAAS and PAAS)
• If you want an advanced monitoring capabilities.
• If you need a fast and effective implementation of security
tools into your (cloud) environment.

8. AWS- build in security features/ capabilities
• AmazonVPC+ security groups and ACL’s
• DDOS- CloudFront and Route 53
• Multi Factor Authentication- AWS- MFA
• IAM and Federation services-AWS IAM and AWS directory
services
• Built in Encryption capabilities- EBS, S3, Glacier and more
• Keys management-AWS KMS and Cloud HSM
• APIVisibility-AWS CloudTrail
• Security Alerts- AWS CloudWatch

9. Regulation types
• Standards
• Laws/ Regulations
• Framework

10. Laws- Regulations

11. Privacy Protection Authority- FKA- Ramot
• The Privacy authority in Israel. From now on – PPA…
• It has the authority under the “Protection of Privacy” Law
• One of the most prominent issues from the privacy law Perspective is:
“are we allowed to store/ process private information:
• Outside our organization- Outsourcing
• Outside of the country?”
The common practice of using one of the international cloud providers
services contains it both…

12. PPA- Outsourcing rules
• PPA has published, few years ago, the following directive:
“‫בשירותי‬ ‫שימוש‬OutSourcing‫אישי‬ ‫מידע‬ ‫לעיבוד‬"
• In a footnote they wrote that they are about to publish a
dedicated cloud regulation. We are still waiting…

13. • The principles of the rule are based on risk
management approach, such as:
• Check the cloud service provider background,
experience
• Take into consideration the ability of the cloud
service provider to access the information
• The legal agreement should contain the follows:
• Information security and privacy issues
• The ability to fully erase the content of data
• The ability to carry out audits
PPA- Outsourcing rules

15. http://ec.europa.eu/justice/data-
protection/international-
transfers/adequacy/index_en.htm
SO – who are these countries?

16. Who is missing?Why?

17. Safe harbor
• Safe Harbour Privacy Principles were developed between
1998 and 2000 in order to prevent private organizations
within the United States which store customer data from
accidentally disclosing or losing personal information.
• However, after a customer complained that
his Facebook data were insufficiently protected, the ECJ
declared in October 2015 that the Safe Harbour Decision
was invalid,
• The European Commission and the United States agreed to
establish a new framework for transatlantic data flows on
2nd February 2016, known as the Privacy Shield".

18. Indeed – PPA response came right after

19. Privacy shield
• The Privacy Shield Frameworks were designed by the U.S. Department of
Commerce, and the European Commission, to provide companies on
both sides of the Atlantic with a mechanism to comply with data
protection requirements when transferring personal data from the
European Union to the United States.
• The Privacy Shield program, is administered by the InternationalTrade
Administration (ITA) within the U.S. Department of Commerce
• To join either Privacy Shield Framework, a U.S.-based organization will
be required to self-certify to the Department of Commerce and publicly
commit to comply with the Framework’s requirements.
• While joining the Privacy Shield is voluntary, once an eligible
organization makes the public commitment to comply with the
Framework’s requirements, the commitment will become enforceable
under U.S. law

20. Privacy shield

21. What about Proxy services?
http://www.justice.gov.il/Units/ilita/subjects/HaganatHapratiyut
/MeidaMerasham/Pages/DataTranfer.aspx

22. Israeli privacy new rules
• Announced earlier this year
• Going to be mandatory from the beginning of 2018
• There is no direct reference to cloud, but, like many other
regulations – it refers cloud as an outsourcing case:

23. GDPR- General
• IncreasedTerritorial Scope- extra-territorial applicability
• Penalties- organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million
(whichever is greater)
• Breach Notification- 72-hour notification for personal data breaches
• Right to Access-whether or not personal data concerning an individual is being processed, where and for
what purpose
• Right to be Forgotten -Data Erasure
• Privacy by Design
• Data Protection Officers (DPO)
• Data processing agreement (DPA) – an organization may need a DPA that will meet the requirements of
the GDPR, particularly if personal data is transferred outside the European EconomicArea.

24. GDPR- some steps towards compliance
• Know the location where cloud apps are processing or storing data.
• Take adequate security measures to protect personal data from
loss, alteration, or unauthorized processing..
• Close a data processing agreement (DPA) with the cloud apps
you’re using.
• Collect only “necessary” data and limit the processing of “special”
data.
• Don’t allow cloud apps to use personal data for other purposes.
• Ensure that you can erase the data when you stop using the app. .

25. GDPR- AWS
• General declaration:
• https://aws.amazon.com/compliance/eu-data-protection/

26. BOI- regulations

27. BOI- regulations

28. Insurance supervision regulation

29. YAHAV

30. YAHAV

31. Standards

32. ISO- 27017, 27018
• 27017-This standard provides guidance on the information
security aspects of cloud computing, recommending and
assisting with the implementation of cloud-specific
information security controls .
• 27018-This standard provides guidance aimed at ensuring
that cloud service providers (such as Amazon and Google)
offer suitable information security controls to protect the
privacy of their customers’ clients by securing PII (Personally
Identifiable Information) entrusted to them.

34. PCI DSS and Cloud
• PCI Council has published a unique manual to assist
merchants who uses cloud services to comply with PCI DSS
• “PCI DSS Cloud Computing Guidelines”

35. PCI DSS and Cloud

36. TOHAG
• TOHAG is the new Israeli Cyber Authority Cyber seucity
framework
• I refers to cloud in section 11.
• We think it is going to take a central place in future
assessments by entities

37. Thank you!