3. Lecture Agenda
• Is cloud a real danger?
• If I were the regulator, what would I do?
• Understanding regulation types
• GDPR and the new Israeli privacy rules
• BOI and the Insurance Supervision regulations in Israel
• ISO and PCI DSS
4. Is cloud a real danger?
• Yes!!
• Someone else can see your stuff…
• Subpoenas…
• Who controls the encryption keys?
• Multi-tenancy risks
• Lack of transparency
• And many more…
5. So why bother?
Or why should regulators even consider allowing the use of cloud services?
6. - Because cloud can be cheaper
- Because allowing cloud encourages competition
- Because allowing cloud is allowing progress
- Because cloud can be much more secure
Why?
7. Examples of cloud security advantages:
• If you need a stable and redundant application for your customers.
• If you want to make sure that all patches and updates are applied properly (SaaS and PaaS).
• If you want advanced monitoring capabilities.
• If you need fast and effective deployment of security tools into your (cloud) environment.
8. AWS built-in security features / capabilities
• Amazon VPC + security groups and network ACLs
• DDoS protection - CloudFront and Route 53
• Multi-factor authentication - AWS MFA
• IAM and federation services - AWS IAM and AWS Directory Service
• Built-in encryption capabilities - EBS, S3, Glacier and more
• Key management - AWS KMS and CloudHSM
• API visibility - AWS CloudTrail
• Security alerts - AWS CloudWatch
11. Privacy Protection Authority - formerly known as Ramot
• The privacy authority in Israel, referred to from now on as the PPA…
• It derives its authority from the Protection of Privacy Law
• One of the most prominent issues from the privacy law perspective is:
“are we allowed to store / process private information:
• outside our organization (outsourcing)?
• outside of the country?”
The common practice of using the services of one of the international cloud providers involves both…
12. PPA- Outsourcing rules
• A few years ago the PPA published the following directive:
“Use of OutSourcing services for processing personal information” (Hebrew title: שימוש בשירותי OutSourcing לעיבוד מידע אישי)
• In a footnote they wrote that they were about to publish a dedicated cloud regulation. We are still waiting…
13. PPA- Outsourcing rules
• The principles of the directive are based on a risk management approach, such as:
• Check the cloud service provider's background and experience
• Take into consideration the cloud service provider's ability to access the information
• The legal agreement should cover the following:
• Information security and privacy issues
• The ability to fully erase the data
• The ability to carry out audits
17. Safe harbor
• The Safe Harbour Privacy Principles were developed between 1998 and 2000 in order to prevent private organizations within the United States which store customer data from accidentally disclosing or losing personal information.
• However, after a customer complained that his Facebook data were insufficiently protected, the ECJ declared in October 2015 that the Safe Harbour Decision was invalid.
• The European Commission and the United States agreed to establish a new framework for transatlantic data flows on 2nd February 2016, known as the “Privacy Shield”.
19. Privacy shield
• The Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.
• The Privacy Shield program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce.
• To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements.
• While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment becomes enforceable under U.S. law.
21. What about proxy services?
http://www.justice.gov.il/Units/ilita/subjects/HaganatHapratiyut/MeidaMerasham/Pages/DataTranfer.aspx
22. New Israeli privacy rules
• Announced earlier this year
• Mandatory from the beginning of 2018
• There is no direct reference to cloud, but, like many other regulations, they treat cloud as an outsourcing case:
23. GDPR- General
• Increased territorial scope - extra-territorial applicability
• Penalties - organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)
• Breach notification - 72-hour notification for personal data breaches
• Right to access - whether or not personal data concerning an individual is being processed, where and for what purpose
• Right to be forgotten - data erasure
• Privacy by design
• Data Protection Officers (DPO)
• Data processing agreement (DPA) - an organization may need a DPA that meets the requirements of the GDPR, particularly if personal data is transferred outside the European Economic Area.
24. GDPR- some steps towards compliance
• Know the location where cloud apps are processing or storing data.
• Take adequate security measures to protect personal data from loss, alteration, or unauthorized processing.
• Close a data processing agreement (DPA) with the cloud apps you’re using.
• Collect only “necessary” data and limit the processing of “special” data.
• Don’t allow cloud apps to use personal data for other purposes.
• Ensure that you can erase the data when you stop using the app.
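The capabilities listed on slide 8 only reduce risk if they are actually switched on, and the first GDPR step above (know where the data is stored) is something that can be checked rather than assumed. The following Python is an added example, not code from the lecture or from AWS: it does not call the AWS APIs, but reviews a constructed in-memory snapshot of an account (the snapshot layout, its field names, the constructed bucket and security-group values, and the "eu-" region prefix rule are all assumptions of this example) and reports where a control from slide 8 is missing or where data sits outside the permitted regions.

```python
"""Configuration review against the controls named on the slides.

Added example (not from the lecture). The snapshot structure below is an
assumption of this example; a real review would fill the same structure
from the AWS APIs (IAM, CloudTrail, S3, EC2) and then call review_account().
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    resource: str   # which resource the finding is about
    message: str


# Ports whose exposure to the whole internet is treated as a high finding
ADMIN_PORTS = {22, 3389}


def _exposes_admin_port(rule):
    """True when an ingress rule opens SSH/RDP (or all traffic) to 0.0.0.0/0."""
    if rule["cidr"] != "0.0.0.0/0":
        return False
    if rule["protocol"] == "-1":  # "-1" means all protocols / all ports
        return True
    return any(rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS)


def review_account(snapshot, allowed_region_prefixes=("eu-",)):
    """Return a list of Finding objects for the controls on slides 8 and 24.

    allowed_region_prefixes is the data-residency rule: every bucket whose
    region does not start with one of these prefixes is flagged (assumption:
    the example treats "eu-*" regions as the only permitted locations).
    """
    findings = []

    # Slide 8: multi-factor authentication on the most privileged identity
    if not snapshot["root_mfa_enabled"]:
        findings.append(Finding("high", "root", "root account has no MFA device"))

    # Slide 8: API visibility - at least one trail must be logging in all regions
    trails = snapshot["cloudtrail_trails"]
    if not any(t["is_logging"] and t["is_multi_region"] for t in trails):
        findings.append(Finding("high", "cloudtrail",
                                "no logging multi-region trail; API activity is not fully recorded"))

    for b in snapshot["s3_buckets"]:
        name = f"s3://{b['name']}"
        # Slide 24: know where the data is processed or stored
        if not b["region"].startswith(allowed_region_prefixes):
            findings.append(Finding("high", name,
                                    f"stored in {b['region']}, outside the allowed regions"))
        # Slide 8: built-in encryption, and slide 4: who controls the keys
        enc = b["default_encryption"]
        if enc is None:
            findings.append(Finding("high", name, "no default encryption at rest"))
        elif enc["algorithm"] != "aws:kms":
            findings.append(Finding("medium", name,
                                    f"{enc['algorithm']} uses provider-managed keys; "
                                    "the customer does not control the key"))
        if not b["public_access_block"]:
            findings.append(Finding("high", name, "public access block is disabled"))

    # Slide 8: security groups as the network control
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            if _exposes_admin_port(rule):
                ports = f"{rule.get('from_port', 'all')}-{rule.get('to_port', 'all')}"
                findings.append(Finding("high", sg["id"],
                                        f"port range {ports} open to 0.0.0.0/0"))
    return findings


# Constructed sample snapshot: bucket names, regions and CIDRs are made up for
# this example and do not describe any real account.
SAMPLE_SNAPSHOT = {
    "root_mfa_enabled": False,
    "cloudtrail_trails": [
        {"name": "org-trail", "is_logging": True, "is_multi_region": True},
    ],
    "s3_buckets": [
        {"name": "customer-records-eu", "region": "eu-west-1",
         "default_encryption": {"algorithm": "aws:kms", "kms_key_id": "alias/customer-data"},
         "public_access_block": True},
        {"name": "legacy-exports", "region": "us-east-1",
         "default_encryption": {"algorithm": "AES256"},
         "public_access_block": False},
        {"name": "scratch", "region": "eu-central-1",
         "default_encryption": None,
         "public_access_block": True},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "203.0.113.0/24"}]},
        {"id": "sg-bastion", "ingress": [
            {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
    ],
}


if __name__ == "__main__":
    for f in review_account(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.resource}: {f.message}")
```

Running the block prints six findings for the constructed snapshot: the missing root MFA, three for the `legacy-exports` bucket (wrong region, provider-managed keys, no public access block), the unencrypted `scratch` bucket, and the bastion group's SSH port open to the internet. The compliant `customer-records-eu` bucket and the HTTPS-only web group produce nothing. Passing `allowed_region_prefixes=("eu-", "us-")` drops the residency finding, which is how a different regulator's residency rule would be expressed.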
25. GDPR- AWS
• General declaration:
• https://aws.amazon.com/compliance/eu-data-protection/
32. ISO- 27017, 27018
• 27017 - This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls.
• 27018 - This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing PII (Personally Identifiable Information) entrusted to them.
34. PCI DSS and Cloud
• The PCI Council has published a dedicated guide to assist merchants who use cloud services to comply with PCI DSS:
• “PCI DSS Cloud Computing Guidelines”
36. TOHAG
• TOHAG is the new cyber security framework of the Israeli Cyber Authority
• It refers to cloud in section 11.
• We think it is going to take a central place in future assessments of entities
I estimate that roughly two groups are sitting here in the audience:
A. Customers who are thinking of moving to the cloud: government, banks, etc.
B. High-tech companies that use the cloud on a daily basis and want to know what they should do in order to work correctly
What ultimately interests the regulator is the subject of risk management. It has to make sure that the entities it supervises remain stable
Here is a series of examples in which it may be worthwhile to move to the cloud.
I am not saying that this is always the case, but in risk management I estimate that in many cases a preference for the cloud will emerge
The first question is whether there is a dedicated law on the subject of cloud? The answer is no. These are things that can be derived from existing laws
The use of cloud services puts us under two categories. The first of them is the processing or storage of information by a third party. The second is the storage of the information outside Israel
And here we will talk about the second aspect: taking the information outside the borders of Israel
Who is missing for us? The USA!
In fact, this is the legal situation in which the Israeli economy is stuck today
There is no focused reference to cloud
In fact, these are requirements that will demand much more documentation / backup / the ability to trace back / tracking of information, etc.
The government, surprisingly, came out with an announcement that it intends to promote cloud services in the government sector