
On location-determined cloud management for legally compliant outsourcing

Bernhard Doll, Research Assistant, University of Passau

Authors: Bernhard Doll, Ramona Kühn, Prof. Hermann de Meer (University of Passau); Ralph Herkenhöner, Dirk Emmerich (Fujitsu Technology Solutions)

10.11.2015 COPYRIGHT 2015 - R&D collaboration between Fujitsu and University of Passau

Overview

Location-determined data processing
  - Legal and technical requirements

Cloud Data Security Matrix
  - Security management
  - Decision and enforcement

Proof of Concept
  - Implementing location-determined data processing

Location-determined data processing

Legal and technical requirements


Overall Legal Situation

Cloud customer is accountable
  - for outsourced IT processes
  - for achieving legal compliance

Cloud provider is responsible
  - for operating cloud services according to the agreed SLA
  - for implementing technical measures to ensure:
    • integrity and availability of services and entrusted data
    • non-disclosure of entrusted data (confidentiality)
    • support of cloud customers in achieving legal compliance

Which legal requirements apply to cloud customers? How can cloud providers support achieving them in the cloud?

Legal Requirements – Example (1): Global Cloud

Example: Global cloud sourcing

[Diagram: a corporate customer (company in DE) uses cloud management located in DE; the cloud provider operates data centres in DE, CH and FR and involves a service provider, a subcontractor, a hardware provider and a software provider; jurisdictions DE and EU; data types: personal data and business data (incl. tax data)]

Legal Requirements – Example (2): Global Cloud

Can I process tax data within the cloud?

  - Generally: tax data has to remain in Germany (§ 238 HGB)
  - Exceptions may be authorized by the local tax office; the company remains responsible (§ 146 para. 2a AO)
  - Access by the local tax office must be ensured (§ 146 para. 2 no. 2f AO in conj. with § 147 para. 2 cl. 1 no. 2 AO)

[Diagram: the global cloud sourcing setup from Example (1) (company DE, cloud management DE, data centres DE/CH/FR, jurisdictions DE/EU, personal data and business data incl. tax data), extended by the local tax office (DE); question marks ("?") mark the placements of tax data that have to be assessed]

Legal Requirements – Example (3): Global Cloud

Assumption: contract data processing (§ 11 BDSG)

Is data transmission to Switzerland legally allowed? (§ 4b BDSG)
  - The necessary level of protection is given for Switzerland (cp. MEMO/05/3)
  - Has to be clarified by the company (not by cloud management)
  - If allowed: cloud management becomes controller, i.e., responsible (with respect to the transmission to Switzerland)

[Diagram: the global cloud sourcing setup from Example (1) (company DE, cloud management DE, data centres DE/CH/FR, jurisdictions DE/EU, personal data and business data incl. tax data); a question mark ("?") marks the transmission to the data centre in CH]

Technical Requirements in Clouds

  - Identification of the necessary level of protection
  - Security policies
  - Implementation and enforcement of safeguards
    • Basic security measures
    • Access control
    • Transfer control
    • Countermeasures and incident response
  - Monitoring, documentation, and reporting of compliance

Major gap: location-determined data processing! How to achieve location-determined cloud computing?

Cloud Data Security Matrix

Security management

Decision and enforcement


Cloud Data Security Matrix

Decision
  - Identify data types and the allowed location of data processing
  - Match cloud services with the physical resource location
  - Location constraints are verified for:
    • the physical resource location of the used virtual resource
    • the location of administration and support
    • the target location of communication channels

Enforcement
  - by region (responsible)
  - by island
  - by service type

Cloud Data Security Management – Concept

[Diagram: regions Europe, Asia and US, each containing several islands (Island 1, Island 2, …); legend: security matrix, data centre, secure communication]

Cloud Data Security Management – Example

[Diagram: regions Europe and Asia with the jurisdictions Germany, UK, Switzerland, European Union and Japan; each jurisdiction holds data centres connected by secure communication, and each data centre carries a security matrix over the data types business data, personal data and tax data; legend: security matrix, data centre, secure communication, jurisdiction]

Cloud Data Security Matrix – Configuration

Legal Analysis: Is transfer allowed?

In comparison to traditional IT outsourcing (no cloud computing)

| Row | Origin | Private Cloud on premise | Private Cloud off premise | National Cloud | European Cloud | Global Cloud |
|  1  | DE     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |
|  1  | EU     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |
|  2  | DE     | Yes (1,2) | No (1,2)  | No (1,2)  | No (1,2)  | No (1,2)  |
|  2  | EU     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |
|  3  | DE     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |
|  3  | EU     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |
|  4  | DE     | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  | No (1,2)  |
|  4  | EU     | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  | No (1,2)  |
|  5  | DE     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |
|  5  | EU     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |
|  6  | DE     | Yes (2)   | Yes (2)   | Yes (2)   | Yes (2)   | Yes (2)   |
|  6  | EU     | Yes (2)   | Yes (2)   | Yes (2)   | Yes (2)   | Yes (2)   |
|  7  | DE     | Yes (1,2) | No (1,2)  | No (1,2)  | No (1,2)  | No        |
|  7  | EU     | Yes (2)   | Yes (1,2) | Yes (1,2) | Yes (1,2) | No        |
|  8  | DE     | Yes       | No (1,2)  | No (1,2)  | No (1,2)  | No        |
|  8  | EU     | Yes       | Yes (1,2) | Yes (1,2) | Yes (1,2) | No        |
|  9  | DE     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) |
|  9  | EU     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) |
| 10  | DE     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |
| 10  | EU     | Yes (1,2) | Yes (1,2) | Yes (1,2) | Yes (1,2) | No (1,2)  |

(1) Location admissible if explicitly allowed and not explicitly prohibited
(2) Additional security precautions might be required

Data types covered by the matrix rows (data may fall into multiple categories):
  - Business Data (e.g., §§ 17 seqq. UWG)
  - Tax Data (e.g., § 238 HGB)
  - Financial Data (e.g., § 16 InvG)
  - Data relevant for the Dual-Use / Export Control List (e.g., Council Regulation (EC) No. 428/2009)
  - Governmental Data (according to Art. 33 GG)
  - Personal Data (e.g., § 11 BDSG)
  - Protected Personal Data, e.g. medical data (e.g., § 203 StGB)
  - Employee Data (e.g., § 32 BDSG)
  - Social Data (e.g., § 35 SGB I)
  - Usage Data, Customer Data, Accounting Data, Traffic Data (e.g., §§ 11-15a TMG)

Data Centric Security – Security Policy

Security classes
  - for assets, i.e. data and virtual resources
  - for hardware resources

Formal description:
  ASSET x (C x I x A x Loc)
  RESOURCE x (C x I x A x Loc)
  where C = Confidentiality, I = Integrity, A = Availability, Loc = Location

Example object:
  (Customer_Database_1, (Personal Data, High Integrity, 99,99%, European Union))

Security Classes within Clouds


Data Centric Security – Example

[Diagram: regions Europe and Asia with the jurisdictions Germany, UK, Switzerland, European Union and Japan, data centres, secure communication and a security matrix per data centre (data types: business data, personal data, tax data); the example object (Customer_Database_1, (Personal Data, High Integrity, 99,99%, European Union)) is shown within the diagram; legend: security matrix, data centre, secure communication, jurisdiction]

Proof of Concept

Implementing location-determined data processing


Classification and configuration

[Diagram: cell hierarchy of the provider: Global → EU (DE, FR, UK), Non-EU (CH, JP), Local (Customer); security class hierarchy: Global → EU (DE, FR, UK), CH, Asia (JP)]

Example configuration (classification): a table of security classes for data type = personal data, with rows for data origin EU, DE, FR and CH and columns for the cells DE, FR, UK and CH.

Filtering Resources – An Example

[Diagram: security class hierarchy Global → EU (DE, FR, UK), CH, Asia (JP); cell hierarchy Global → EU (DE, FR, UK), Non-EU (CH, JP), Local (Customer)]

Scenario: a corporate customer requests a VM to process personal data of European customers.

1) Selecting security class: (personal data, France) -> EU
2) Filtering cells: EU -> (DE, FR, UK)
3) Requesting resources: start VM in (DE, FR, UK)

Filtering Resources – An Example with Separate Backup Strategy

[Diagram: security class hierarchy Global → EU (DE, FR, UK), CH, Asia (JP); cell hierarchy Global → EU (DE, FR, UK), Non-EU (CH, JP), Local (Customer)]

Scenario: a corporate customer requests a VM to process personal data of European customers. Additionally, a separate backup is required.

1) Selecting security class: (personal data, France) -> EU
2) Filtering cells: EU -> (DE, FR, UK)
3) Filtering backup cells: (DE, FR, UK) -> (DE, FR) + (UK)
4) Requesting resources: start VM in (DE, FR) (user space); start backup in (UK) (backup space)
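The four filtering steps above as an added Python example; it is not the project's OpenStack demonstrator. The cell and security-class hierarchies, the EU-membership set behind the (personal data, France) -> EU rule, and the rule that the last admissible cell is reserved for the backup are assumptions taken from the slide examples.

```python
"""Location-determined placement as on the two "Filtering Resources" slides (added example,
not the NGCert/OpenStack demonstrator). Hierarchies and the classification rule are
constructed from the slide examples; the backup split rule is an assumption."""
from __future__ import annotations
from dataclasses import dataclass

# Provider cells and security classes as child -> parent maps; leaves are locations.
CELL_PARENT = {"EU": "Global", "Non-EU": "Global", "Local (Customer)": "Global",
               "DE": "EU", "FR": "EU", "UK": "EU", "CH": "Non-EU", "JP": "Non-EU"}
CLASS_PARENT = {"EU": "Global", "CH": "Global", "Asia": "Global",
                "DE": "EU", "FR": "EU", "UK": "EU", "JP": "Asia"}
EU_MEMBERS = {"Germany", "France", "United Kingdom"}  # assumption for the origin rule


@dataclass(frozen=True)
class Placement:
    vm_cells: tuple[str, ...]      # user space
    backup_cells: tuple[str, ...]  # backup space, disjoint from user space

def leaves(parent: dict[str, str], node: str) -> list[str]:
    """Leaf locations at or below `node`; a node without children is itself a leaf."""
    children = [c for c, p in parent.items() if p == node]
    if not children:
        return [node]
    return sorted(loc for c in children for loc in leaves(parent, c))

def select_security_class(data_type: str, origin: str) -> str:
    """Step 1: (data type, origin) -> security class, e.g. (personal data, France) -> EU."""
    if data_type == "personal data" and origin in EU_MEMBERS:
        return "EU"
    if data_type == "personal data" and origin == "Switzerland":  # assumption
        return "CH"
    raise ValueError(f"no security class configured for {data_type!r} from {origin!r}")

def filter_cells(security_class: str) -> list[str]:
    """Step 2: admissible cells = provider cells inside the class's locations."""
    allowed = set(leaves(CLASS_PARENT, security_class))
    return [cell for cell in leaves(CELL_PARENT, "Global") if cell in allowed]

def place(data_type: str, origin: str, separate_backup: bool = False) -> Placement:
    """Steps 3/4: request resources; a separate backup must not share cells with the VM."""
    cells = filter_cells(select_security_class(data_type, origin))
    if not separate_backup:
        return Placement(tuple(cells), ())
    if len(cells) < 2:
        raise ValueError("a separate backup needs at least two admissible cells")
    # Assumption: reserve the last admissible cell for backup, as the slide does with UK.
    return Placement(tuple(cells[:-1]), (cells[-1],))
```

A request that cannot be satisfied (an origin with no configured class, or a separate backup where only one cell is admissible) is refused rather than placed in a less restrictive cell.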

OpenStack Demonstrator –Screenshots


Conclusion

  - Location-determined data processing in compliance with legal requirements and customer preferences
  - Cloud data security management with secure data communication between regions and islands
  - Cloud Data Security Matrix: configured by data type and data origin; controls location by region, island and service type
  - Data centric security to protect and track the location of data and virtual machines
  - Supporting legal compliance within the cloud; empowering the cloud customer to keep control

Thank you for listening


Contact: [email protected]

Web:http://www.fim.uni-passau.de/en/computer-networks/


Security Classes within Clouds - Confidentiality


About NGCert: Next Generation Certification

The project NGCert is part of the “Secure Cloud Computing” program, which is derived from the so-called High-Tech-Strategy of the German government.

Funded by the BMBF (Bundesministerium für Bildung und Forschung)

Start: October 2014, End: September 2017

Goal: research and development of a dynamic certification for providing ongoing assurance of certification adherence.