On Cloud and Informational Privacy Lilian Mitrou, Associate Professor University of the Aegean Center for Security Studies Greece [email protected] Reaching the Cloud Era in the European Union Riga, 16.06.2015


Page 1

On Cloud and Informational Privacy

Lilian Mitrou, Associate Professor, University of the Aegean, Center for Security Studies, Greece

[email protected]

Reaching the Cloud Era in the European Union Riga, 16.06.2015

Page 2

What are we talking about?

We aim at providing an overview of the following issues:

- Privacy risks, concerns, issues
- Challenges to using/providing cloud services
- Applicable law and location
- Cloud customer and cloud provider as data controller/processor
- Transparency, trust and accountability

Page 3

Cloud Computing

- Quite possibly the hottest, most discussed topic in information technology (IT) today
- Offers an impressive range of possibilities
- Presents new risks and uncertainty
- Many concerns, if not barriers, to the adoption of cloud computing solutions relate to:
  - informational privacy
  - compliance with data protection legal requirements

Page 4

Informational privacy

- Underlying values and interests: from autonomy, informational self-determination and balance of powers, over integrity, respect and dignity, to democracy and pluralism.
- Informational self-determination: control over information. Prerequisite of the capacity for autonomy, i.e. autonomous decision- and choice-making.
- Data protection regimes: protecting individuals against unlawful and unjustified collection, storage, use and dissemination of their personal data, and regulating use and processing so as to strike the balance with processing needs, rights and interests.

Page 5

Loss of control?

- CC redefines how, where and by whom data is collected, transmitted and used
- Aggregation of (personal) data is more likely to harm individuals’ rights when cloud providers’ business model is based on commodifying personal information
- Data is deployed on a wide scale or disassembled and reassembled across a highly distributed infrastructure
- “Loss of control” relates to the difficulty for the cloud customer to know and effectively check the data handling practices and data processing carried out by the cloud provider

Page 6

Cloud Computing Privacy Issues

- Location and qualification of roles (controllers, processors, the chain of (sub)providers and… affected individuals)
- Location and transborder flows (requirements)
- (Un)certainty and (mis)trust about the use of personal data (unlawful secondary use / disclosure to LEAs?)
- Concerns about security (security measures / data breaches)
- Transparency

Page 7

Challenges to using/providing cloud services

- Need to comply with the regulatory framework
- Maintain/regain control over data and its processing
- Restore transparency and, respectively, trust
- Deal with duties, accountability and liability (in case of unlawful processing and security breaches)

Cloud customers and cloud providers may be strictly interrelated and have to face these challenges in collaboration and partnership with each other when cloud customers use CC services to process third persons’ data.

Page 8

Cloud specific concerns?

- Complex and rapid changes: confusing, distressing / perplexing for users (end-users, cloud customers) and, last but not least, for the regulators
- A (real) paradigm shift?
- Specific cloud computing characteristics that magnify privacy risks and/or concerns:
  - flexibility in information processing on a global basis
  - sharing of cloud resources to serve multiple cloud clients by the use of multiple data centers and a multitenant model

Page 9

CC and “traditional” outsourcing

Cloud computing as a modernization of the “time-sharing” model of computing in the 1960s, or an evolved form of ICT outsourcing that makes use of grid technologies?

- Long term relationships/contracts in “traditional” outsourcing vs. contractual flexibility
- Negotiated contracts vs. “take it or leave it” models (public clouds)
- Customisation vs. standardised, shared infrastructure/environments
- Dedicated infrastructure vs. multitenancy

Page 10

Personal data and applicable law

- The Data Protection Directive lays down rules for the processing of personal data while using cloud computing services
- Applicability is subject to the characterisation of data as personal, namely as information relating to an identified or identifiable natural person (“data subject”)
- Identifiability is perceived in multiple ways, including both direct and indirect identifiability, and relies on “all means likely reasonably to be used either by the controller or by any other person to identify the said person”.

Page 11

Controller and Processor

- The definition of the purpose and means of processing is what qualifies a person as a controller
- Sometimes difficult to apply to cloud computing services: responsibilities and roles are distributed, shared and shifted as personal data are moved, reconstructed and re-used continuously
- Blurring / adequate distinctions?
- It suffices that the cloud customer decides, finally, on the allocation of the processing operations to cloud services to be qualified as data controller
- The qualification of roles is not a theoretical exercise. It has to do with compliance, accountability and liability. The DPD imposes the most obligations on the actors that process data in their capacity as a data controller, who has to ensure the delivery of data protection on the part of the processor.

Page 12

New Regulation, New Obligations?

The Draft General Data Protection Regulation directly establishes processor-specific obligations:

- Processing of personal data based on a contract or another legal act binding the processor to the controller [26(2)]
- Ensuring data security, by way of appropriate technical and organisational measures [30(1)]
- Alerting the controller in case of a data breach [31(2)]
- Imposing the same data protection obligations when sub-contracting a sub-processor [26(2a)] / conditions for enlisting another processor, such as a requirement of specific prior permission of the controller

Page 13

Location as privacy issue

The cloud model is strongly based on the concept of “location independence”:

- Data is stored on multiple dynamic virtual servers across the cloud
- Data is automatically fragmented before being distributed to multiple servers
- The customer has no control or knowledge over the exact location of the provided resources

Location relates to:

- applicable law and compliance with specific requirements
- regulation (and restriction) of data transfers
- cloud forensic issues (access by or disclosure to “foreign” LEAs)

Page 14

Location and the Law

- EU law applies to data controllers who have one or more establishments within the European Economic Area (EEA), and also to data controllers who are established outside of the EEA but use equipment (such as servers) located within the EEA
- Abandoning the “chase for the server”, the Draft General Data Protection Regulation will apply a) to processing in the context of the activities of an establishment of a controller or a processor in the Union, b) to processing activities that are related to the offering of goods and services to data subjects in the Union even if the controller is not established in this area, and c) to processing related to monitoring of data subjects’ behaviour in the Union [3(2)]

Page 15

Transparency as crucial issue

- No visibility of the location, level of security (measures), processes and procedures used by cloud (sub)providers that may participate in a cloud supply chain
- Information of the cloud customer about all relevant issues/measures that may foster or undermine the lawfulness of the processing: security measures, notification of security incidents, implications of the processing, etc.
- Information about the results of auditing of the cloud services
- Information about the chain of subcontractors
- Due to the decentralised and dynamic nature of cloud services, it is actually difficult to comply with transparency requirements with regard to location

Page 16

Trust is good…

- Trust is an “affected asset”: lack of trust has proven to be one of the significant barriers limiting the wide adoption of cloud computing
- With regard to the cloud provider, trustworthiness means primarily considering security and privacy aspects when offering cloud services
- A “chain of confidence-building steps to create trust in cloud solutions”: the most ubiquitous requirements for trust building are information security and compliance with data protection rules and principles, by providing clarity and legal certainty regarding applicable law, allocation of roles and responsibilities, security measures and the regime of transborder data transfers

Page 17

Control is better?

- Use of SLAs and business activities monitoring is suggested as a method to guarantee the quality of cloud services:
  - a trust building mechanism for cloud computing adoption, which consists of authentication, system security, service quality and non-repudiation [Bogataj and Pucihar]
  - a trustmark to help consumers of cloud computing to build trustworthiness [Lynn et al.]
- A CIAMAU model to demonstrate mutual trustworthiness? Confidentiality, Integrity, Availability with the addition of the “Mutual Auditability” parameter; mutual auditability can also significantly assist with incident response and recovery
- BYOE (bring your own encryption): a cloud computing security model that allows cloud service customers to use their own encryption software and manage their own encryption keys

Page 18

Accountability as a critical aspect of data protection

- Accountability principle: in general, the parties involved have to demonstrate that they took and take appropriate steps to ensure that data protection principles have been implemented
- “Accountability for data stewardship by cloud services”: accepting responsibility for the stewardship of personal and/or confidential data with which the cloud service provider is entrusted in a cloud environment, for processing, storing, sharing, deleting and otherwise using the data according to contractual and legal requirements, from the time it is collected until the data is destroyed (including onward transfer to and from third parties)

Page 19

Accountability and compliance frameworks

- Governance and compliance frameworks such as ISO/IEC 27001/02 contain many of the elements of accountability defined above: the information security management system of an organization is meant to generate assurance, transparency and responsibility in support of control and trust
- ISO/IEC 27018: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud

Page 20

Risk and Data Protection Impact Assessment

- According to the Draft GDPR [22(2b)], adherence to approved codes of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller
- Risk assessment: central part of the process used to determine and demonstrate that the policies signed up to and implemented by the organization are appropriate to the context
- A Data Protection Impact Assessment as a decision support tool for a cloud environment: surface privacy issues at an early stage, and tackle those issues at the architectural level

Page 21

Some final thoughts

- When considering privacy risks in the cloud, as already noted in the introduction, context is very important, as privacy risks, concerns and challenges differ according to the type of cloud scenario
- Should the allocation of responsibilities be left to the parties, or should it rather be specified in the law or in recommended contractual clauses?
- Cloud specific provisions or technological neutrality? The fundamental concepts of such frameworks are in the main technology neutral, and their validity would still apply to cloud computing. But the word “cloud” is not included in the Draft General Data Protection Regulation!

Page 22

An ongoing process

- Legal frameworks need to be constantly reviewed, updated and adjusted with current and future technologies, and current and future threats and concerns, in mind!
- Dialogue between regulators, organisations and stakeholders is needed to ensure that the regulatory framework does adapt to new frameworks and business models without eroding consumers’ trust and interest and, last but not least, fundamental rights like individual privacy

Page 23

Thank you for your attention