Best Practices for Cloud Security and Privacy

Author: Henry Lloyd

PK Gupta Chairman, SNIA South Asia, Senior Director, Specialty Presales & Presales Strategy, DELL EMC Asia Pacific & Japan

SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may use this material in presentations and literature under the following conditions: Any slide or slides used must be reproduced in their entirety without modification The SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations.

This presentation is a project of the SNIA Education Committee. Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney. The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information. NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK. Best Practices for Cloud Security and Privacy © 2014 Storage Networking Industry Association. All Rights Reserved.


Abstract

As organizations embrace various cloud computing offerings, it is important to address security and privacy as part of good governance, risk management and due diligence. Failure to adequately handle these requirements can place the organization at significant risk of not meeting compliance obligations and of exposing sensitive data to data breaches. Fortunately, ISO/IEC, ITU-T and the Cloud Security Alliance (CSA) have been developing standards and guidance in these areas for cloud computing, and these materials can be used as a starting point for what some believe is a make-or-break aspect of cloud computing. This session provides an introduction to cloud computing security concepts and issues and identifies key guidance and emerging standards. Specific CSA materials are identified and discussed to help address common issues. The session concludes with a security review of the emerging ISO/IEC and ITU-T standards in the cloud space.


Outline

Major Cloud Computing Threats & Risks
Prevailing Cloud Security & Privacy Guidance
Important Cloud Security & Privacy Resources
Privacy vs Data Protection
Summary

Major Cloud Computing Threats & Risks

ITU-T Study Group 17 (Security) (International Telecommunication Union)

ITU-T X.1601 Threats

For Cloud Service Customers:
Data loss and leakage
Insecure service access
Insider threats

For Cloud Service Providers:
Unauthorized administration access
Insider threats

SOURCE: Recommendation ITU-T X.1601, Security framework for cloud computing, Oct 2015

ITU-T X.1601 Challenges

For Cloud Service Customers:
Ambiguity in Responsibility
Loss of Trust
Loss of Governance
Loss of Confidentiality
Service Unavailability
Cloud Service Provider Lock-in
Misappropriation of Intellectual Property
Loss of Software Integrity

For Cloud Service Providers:
Ambiguity in Responsibility
Shared Environment
Inconsistency and Conflict of Protection Mechanisms
Jurisdictional Conflict
Evolutionary Risks
Bad Migration and Integration
Business Discontinuity
Cloud Service Partner Lock-in
Supply Chain Vulnerability
Software Dependencies

For Cloud Service Partners:
Ambiguity in Responsibility
Misappropriation of Intellectual Property
Loss of Software Integrity

CSA Top Threats

#1: Data breaches
#2: Insufficient identity, credential and access management
#3: Insecure interfaces and APIs
#4: System vulnerabilities
#5: Account hijacking
#6: Malicious insiders
#7: Advanced persistent threats
#8: Data loss
#9: Insufficient due diligence
#10: Abuse of cloud services
#11: Denial of service
#12: Shared technology issues

SOURCE: Cloud Security Alliance (CSA), The Treacherous Twelve: Cloud Computing Top Threats in 2016, Feb-2016

Prevailing Cloud Security & Privacy Guidance

Cloud Standards Customer Council
Security for Cloud Computing – 10 Steps to Ensure Success

01: Ensure effective governance, risk and compliance processes exist
02: Audit operational & business processes
03: Manage people, roles and identities
04: Ensure proper protection of data and information
05: Enforce policies for the protection of personal data
06: Assess the security provisions for cloud applications
07: Ensure cloud networks and connections are secure
08: Evaluate security controls on physical infrastructure and facilities
09: Manage security terms in the cloud SLA
10: Understand the security requirements of the exit process

SOURCE: Cloud Standards Customer Council, Cloud Security Standards: What to Expect & What to Negotiate V2, Aug-2016, http://www.cloud-council.org

Cloud Security (or Insecurity)

Core information assurance issues to address:
Confidentiality
Integrity
Availability
Possession
Authenticity
Utility
Privacy
Authorized use
Non-repudiation

In the cloud:
Data loss and/or leakage measures become even more important
Data aggregation changes the risk equation
Legal and compliance forces require additional due diligence
Forced exits and data disposition have to be carefully thought out
Incident management becomes much more complicated

CSA Cloud Security Guidance

Governance domains:
Governance and Enterprise Risk Management
Legal Issues: Contracts and Electronic Discovery
Compliance and Audit
Information Management and Data Security
Portability and Interoperability

Operations domains:
Traditional Security, Business Continuity and Disaster Recovery
Data Center Operations
Incident Response, Notification and Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization

NOTE: The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture.

SOURCE: Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, Version 3.0, 2011, http://www.cloudsecurityalliance.org

CSA GRC (Governance, Risk Management, and Compliance) Stack

Cloud Controls Matrix (CCM) v3.0.1, which provides mappings on:
Architectural relevance (Physical, Network, Compute, Storage, Application, Data and Corporate Governance)
Delivery models (SaaS, PaaS, IaaS)
Supplier relationships (Service Provider and Tenant)
Scope applicability
Aligned with ISO/IEC 27001:2013

CloudAudit
Consensus Assessments Initiative Questionnaire (CAIQ)
Cloud Trust Protocol (CTP)

SOURCE: Cloud Security Alliance, GRC Stack, https://cloudsecurityalliance.org/research/grc-stack/

CSA CCM v3 Control Domains (number of controls in brackets)

Application & Interface Security [4]
Audit Assurance & Compliance [3]
Business Continuity Management & Operational Resilience [12]
Change Control & Configuration [5]
Data Security & Information Lifecycle Management [8]
Datacenter Security [9]
Encryption & Key Management [4]
Governance and Risk Management [12]
Human Resources [12]
Identity & Access Management [13]
Infrastructure & Virtualization Security [12]
Interoperability & Portability [5]
Mobile Security [20]
Security Incident Management, E-Discovery & Cloud Forensics [5]
Supply Chain Management, Transparency and Accountability [9]
Threat and Vulnerability Management [3]

Securing Cloud Storage (ISO/IEC FDIS 27040)

Ensure that transport security such as IPsec or Transport Layer Security (TLS) is used for all transactions
When sensitive data is stored in a third-party cloud environment, data-at-rest encryption (and appropriate key management processes) should be used to prevent access by unauthorized parties (e.g., cloud service provider personnel, other tenants, adversaries, etc.)
Use secure user registration and strong password authentication to protect access to data
Employ access controls that guard against unauthorized access from other tenants while providing appropriate access privileges to users permitted to access the data
Use the provided sanitization capabilities to clear sensitive data from the cloud computing storage
Cloud computing implementations often leverage different forms of virtualization, so virtualization security controls should be considered as well

Secure Multi-tenancy (ISO/IEC FDIS 27040)

Secure isolation that assures:
no tenant can determine the existence or identity of any other tenant;
no tenant can access the data in motion (network) of any other tenant;
no tenant can access the data at rest (storage) of any other tenant;
no tenant can perform an operation that affects an operation performed by another tenant;
no tenant can perform an operation that might deny service to another tenant;
each tenant can have a configuration that is independent of other tenants' existence and configuration;
when a resource (compute, storage or network) is decommissioned from a tenant, the resource should be sanitized of all data and configuration information; and
accountability and traceability measures are available at the tenant level.

The following additional security measures should be used as well:
encrypted storage that is aligned with the tenants' usage of resources;
strong symmetric encryption (i.e., a minimum of 128 bits of security strength) to protect data at rest;
secure and rapid de-provisioning;
trusted third-party data storage management (e.g., SNMPv3, SMI-S with TLS, etc.);
automated key management providing tenant-controlled key management;
secure data replication (e.g., data-in-motion and data-at-rest encryption);
protection of data from administrators;
highly available storage networking fabrics (multi-path and diverse path);
centralized and secure audit logging (e.g., syslog over TLS);
validation and certification of cryptographic modules and other security measures.
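Three of the measures above (strong symmetric encryption at rest, tenant-controlled key management, and protecting data from administrators), together with the data-at-rest encryption item in the storage list before them, are what envelope encryption on the tenant side delivers: each object gets its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK) that the tenant holds, and the provider only ever stores ciphertext plus the wrapped DEK. The following Go program is an added example written for this page, not code from SNIA or ISO/IEC 27040. It uses only the Go standard library (AES-256-GCM for both layers); the object names and keys are constructed, and `Encrypt`, `Decrypt` and `Rewrap` are illustrative names, not any provider's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is the only thing handed to the cloud provider: two
// AES-256-GCM ciphertexts (nonce prepended) and no key material in the clear.
type EncryptedObject struct {
	WrappedDEK []byte // per-object data key sealed under the tenant's KEK
	Ciphertext []byte // object data sealed under the DEK
}

// aadFor binds both ciphertexts to the object they were made for, so the
// provider cannot serve object A's ciphertext when object B is requested.
func aadFor(objectID string) []byte {
	return []byte("object-id:" + objectID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256: well above the 128-bit minimum strength
		return nil, errors.New("key must be 256 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || GCM ciphertext, with a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext or AAD fails the tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Encrypt generates a fresh 256-bit DEK per object, encrypts the data with it,
// and wraps the DEK under the tenant-held KEK. Neither key reaches the provider.
func Encrypt(kek []byte, objectID string, plaintext []byte) (*EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	aad := aadFor(objectID)
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the tenant's KEK, then opens the data. objectID
// is the name the caller asked for, never something the provider returned.
func Decrypt(kek []byte, objectID string, obj *EncryptedObject) ([]byte, error) {
	aad := aadFor(objectID)
	dek, err := open(kek, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, aad)
}

// Rewrap rotates the KEK by rewriting only the small wrapped DEK; the bulk
// ciphertext is untouched, so rotation and revocation stay cheap.
func Rewrap(oldKEK, newKEK []byte, objectID string, obj *EncryptedObject) error {
	aad := aadFor(objectID)
	dek, err := open(oldKEK, obj.WrappedDEK, aad)
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, aad)
	if err != nil {
		return err
	}
	obj.WrappedDEK = wrapped
	return nil
}

func main() {
	kek := make([]byte, 32) // tenant-held KEK, generated here for the demo
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	obj, _ := Encrypt(kek, "tenant-a/report.pdf", []byte("confidential"))
	pt, err := Decrypt(kek, "tenant-a/report.pdf", obj)
	fmt.Printf("own object: %q err=%v\n", pt, err)
	_, err = Decrypt(kek, "tenant-a/other.pdf", obj)
	fmt.Println("served under another object id:", err)
}
```

Two caveats a practitioner should carry over from this sketch. The DEK encrypts exactly one message, so nonce reuse is not a concern at that layer, but the KEK wraps many DEKs with random 96-bit nonces; keep the number of wraps per KEK far below 2^32 and rotate with `Rewrap` well before that. Second, the AAD binding only helps if the caller supplies the object ID from its own index, which is why `Decrypt` takes it as a parameter rather than reading it from the stored object.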


Cloud Security Certifications

CSA Security, Trust & Assurance Registry (STAR) Certification
Level 1 – STAR Entry / Self-Assessment: publication of the results of a due-diligence self-assessment based on the CSA Consensus Assessments Initiative Questionnaire (CAIQ) and/or the Cloud Controls Matrix (CCM).
Level 2 – STAR Certification / Attestation: publication of the results of a third-party assessment based on CCM v3.0.1 and ISO/IEC 27001:2013 or AICPA SOC 2.
Level 3 – STAR Continuous: publication of the results of continuous monitoring of security properties, based on the Cloud Trust Protocol (CTP).
Maturity of the management capability is also scored as "No", "Bronze", "Silver" or "Gold" awards.

FedRAMP
Certification required for cloud suppliers to the U.S. Government
Third-party assessments
Security criteria based on NIST SP 800-53; as of June 2014, Revision 4 is required (approximately 72 new Rev. 4 controls).

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a US Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Relevant for Cloud Service Providers (CSPs), Third Party Assessment Organizations (3PAOs), government employees and contractors working on FedRAMP projects, and any outside organizations that want to use or understand the FedRAMP assessment process.

More information at: http://www.gsa.gov/portal/category/102371

FedRAMP Security Controls

Access Control (AC)
Awareness & Training (AT)
Audit & Accountability (AU)
Assessment & Authorization (CA)
Configuration Management (CM)
Contingency Planning (CP)
Identification & Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical & Environmental Protection (PE)
Planning (PL)
Risk Assessment (RA)
System & Services Acquisition (SA)
System & Communications Protection (SC)
System & Information Integrity (SI)

NOTE: Security controls were selected from the NIST catalog of controls and enhancements as described in Special Publication 800-53, as revised.

Privacy

Many countries, the U.S. being a notable exception, consider privacy to be a fundamental human right
Privacy protection laws have been introduced in a significant number of countries
The types of "protected" data can vary significantly
Privacy violations can include the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorized disclosure of such data
There may be cross-border restrictions imposed on data

European Commission's proposal for cloud:
New rights (to be forgotten/data deletion and data portability)
Privacy by Default and Privacy by Design
Security obligations and data breach notification regime

ISO/IEC 29100 Privacy Principles

1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

CSA Privacy Level Agreement (Sale of Cloud Services in the EU)

1) Identity of the CSP
2) Categories of personal data that the customer is prohibited from sending to or processing in the cloud
3) Ways in which the data will be processed
4) Data transfer
5) Data security measures
6) Monitoring
7) Third-party audits
8) Personal data breach notification
9) Data portability, migration, and transfer-back assistance
10) Data retention, restitution, and deletion
11) Accountability
12) Cooperation
13) Law enforcement access
14) Remedies
15) Complaint and dispute resolution
16) CSP insurance policy

SOURCE: Cloud Security Alliance, Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union, February 2013, https://cloudsecurityalliance.org/research/grc-stack/

Important Cloud Security & Privacy Resources

ISO/IEC JTC 1/SC 38 (IT – Distributed Application Platforms and Services)

ISO/IEC 17788:2014 Cloud computing – Overview and vocabulary
ISO/IEC 17789:2014 Cloud computing – Reference architecture
ISO/IEC 17826:2012 Information technology – Cloud Data Management Interface (CDMI)
ISO/IEC 19086 (draft) Cloud computing – Service Level Agreement (SLA) framework & terminology; multi-part: overview & concepts, metrics, and core requirements
ISO/IEC 19941 (new project) Cloud computing – Interoperability and portability
ISO/IEC 19944 (new project) Cloud computing – Data and their flow across devices and cloud services

ISO/IEC JTC 1/SC 27 (IT – Security techniques)

ISO/IEC 27017 (draft): additional implementation guidance for the relevant information security controls specified in ISO/IEC 27002, plus additional controls and implementation guidance that specifically relate to cloud computing services.
ISO/IEC 27018:2014: applies to organizations providing public cloud computing services that act as PII processors (possibly PII controllers); establishes commonly accepted control objectives, controls and guidelines for implementing controls to protect PII.
ISO/IEC 27036-4 (draft): defines guidelines supporting the implementation of information security management for the use of cloud services.
ISO/IEC 27040 (final draft): addresses general storage security issues, including cloud storage and CDMI guidance.

ITU-T Study Group 17 (Security)

X.1601 (X.ccsec) – High-level security framework for cloud computing
X.cc-control (ISO/IEC 27017) – Guidelines supporting the implementation of information security controls for cloud service providers and cloud service customers of cloud computing services
X.goscc – Guidelines of operational security for cloud computing
X.sfcse – Security functional requirements for Software as a Service (SaaS) application environments
X.ccidm – Requirements of IdM in cloud computing

Cloud Security Alliance (CSA)

Security Guidance for Critical Areas of Focus in Cloud Computing
Open Certification Framework
Cloud Controls Matrix (CCM)
Trusted Cloud Initiative (TCI) Reference Architecture Model
Top Threats to Cloud Computing
Security as a Service (SecaaS) Implementation Guidance
Privacy Level Agreement (PLA)
Many others…

NIST – Cloud Computing

Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
Special Publication 800-145, The NIST Definition of Cloud Computing
Special Publication 800-146, Cloud Computing Synopsis and Recommendations
Special Publication 500-291, NIST Cloud Computing Standards Roadmap
Special Publication 500-292, NIST Cloud Computing Reference Architecture
Special Publication 500-293 (Draft), US Government Cloud Computing Technology Roadmap, Volume I: High-Priority Requirements to Further USG Agency Cloud Computing Adoption
Special Publication 500-293 (Draft), US Government Cloud Computing Technology Roadmap, Volume II: Useful Information for Cloud Adopters
Special Publication 500-299 (Draft), NIST Cloud Computing Security Reference Architecture
Interagency Report 7904 (Draft), Trusted Geolocation in the Cloud: Proof of Concept Implementation

Other Resources

SNIA Cloud Storage Initiative, http://www.snia.org/cloud
European Network and Information Security Agency (ENISA), Cloud Computing – Benefits, Risks and Recommendations for Information Security, http://www.enisa.europa.eu/
Information Systems Audit and Control Association (ISACA), Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, http://www.isaca.org

SNIA Security Organizations

SNIA Security Technical Work Group (TWG). Focus: requirements, architectures, interfaces, practices, technology, educational materials, and terminology for storage networking. http://www.snia.org/tech_activities/workgroups/security/
Storage Security Industry Forum (SSIF). Focus: educational materials, customer needs, whitepapers, and best practices for storage security. http://www.snia.org/ssif

Privacy vs Data Protection

Privacy Versus Data Protection

Privacy: the appropriate use of personal information under the circumstances. What is appropriate will depend on context, law, and the individual's expectations; also, the right of an individual to control the collection, use and disclosure of information. Source: International Association of Privacy Professionals (IAPP) Glossary

Data Protection: the management of personal information. In the United States, "privacy" is the term used in policies, laws and regulation. However, in the European Union and other countries, the term "data protection" often identifies privacy-related laws and regulations. Source: IAPP Glossary

APJ Legal & Regulatory Requirements

Largest legal and regulatory study conducted in Asia
Includes Australia, New Zealand, Japan, Korea, China, Taiwan, Hong Kong, Macau, India and South East Asian countries (Indonesia, Malaysia, Vietnam, Philippines, Thailand, Singapore)
Essential information for global, national and multi-organisation requirements, and for any organisation that is impacted by legal and regulatory requirements

APJ Regulations Overview - Data Protection/Privacy Laws (1/3)

The concept of "privacy" or the "right to privacy" is relatively new to the AP region, but privacy laws are expanding and changing quickly.
Commonwealth legislation is imposing tighter rules:
Australia passed an amendment to grant greater enforcement power to the privacy commissioner
NZ's Law Commission reviewed the existing laws and made a number of recommendations
HK raised penalties and extended the enforcement power of the privacy commissioner

APJ Regulations Overview - Data Protection/Privacy Laws (2/3)

Adoption status is fragmented by country:
ANZ and North Asia (HK, Japan, Korea, and Taiwan) have comprehensive privacy laws in line with the OECD principles or the EU Data Protection Directive
China, India and most ASEAN countries intend to adopt privacy laws (guidelines) for the private sector only

Privacy laws expanded / changed over the past 12-24 months:
ANZ, HK, and Korea passed amendments
China added new rules to regulate online personal data
The Philippines enacted a comprehensive privacy law
Singapore and Malaysia have just enacted new privacy laws for the private sector

APJ Regulations Overview - Data Protection/Privacy Laws (3/3)

Most APJ jurisdictions fail to meet EU standards:
NZ is the only jurisdiction considered to provide "adequate protection" aligned with the demands of the EU directive
Besides NZ, a transfer of airline passenger data from the EU to Australian Customs has been agreed

Data breach notification is uneven, but growing:
Generally voluntary in ANZ, with mandatory data breach requirements under discussion (mandatory for significant data breaches in finance in Australia; in NZ, notifying the commissioner and affected individuals is encouraged where there is a risk of harm)
Japan, Korea (if 10,000+ individuals are affected), and the Philippines mandate data breach notification to individuals and a dedicated authority
But Japan revised its guidelines to exempt breach notification if a robust encryption method was used and no significant impact occurred

Data Protection Laws in APJ

Country | Status | Enacted Year | Latest Amendment | Data Breach Notification
Australia | Comprehensive | 1988 | 2014 | Voluntary; mandatory in finance for significant breaches
New Zealand | Comprehensive | 1993 | 2014 | Voluntary
China | Sectoral - guidelines/provisions for the private sector only | 2011 | 2014 | Mandatory (ISPs)
Hong Kong | Comprehensive | 1996 | 2012 | Mandatory (finance)
Taiwan | Comprehensive | 1995 (public and 8 private sectors); 2012 (comprehensive) | - | Not required
India | Sectoral - private sector only | 2011 | - | Not required
Japan | Comprehensive | 2005 | 2014 | Mandatory (for holders of 5,000+ individuals' data for 6 months or longer)
South Korea | Comprehensive | 1995 (public sector); 2011 (comprehensive) | 2014 | Mandatory (if 10,000+ individuals are affected)

Data Protection Laws in APJ (cont.)

Country | Status | Enacted Year | Latest Amendment | Data Breach Notification
Singapore | Comprehensive | 2013 | 2014 | Not required
Indonesia | Partly covered by other laws | - | 2015 | Not required
Malaysia | Sectoral - private sector only | 2013 | 2014 | Not required
Philippines | Comprehensive | 2012 | 2014 | Mandatory
Thailand | Sectoral - draft, private sector only | 1997 | Draft | Not required
Vietnam | Partly covered by other laws | - | - | Not required

Cross-Border Transfer Rules Have A Strong Sector Focus

Country: Cross-Border Data Control Requirement

Australia: Limited. Under the amended Privacy Act that became effective in March 2014, cross-border disclosure of personal information may occur 1) if the recipient is subject to a law that protects the personal information in a way comparable to the Australian Privacy Principles (APPs); or 2) if steps are taken to ensure that the overseas recipient does not breach the APPs. Financial institutions must notify APRA of any transfer of data offshore and demonstrate that appropriate risk management procedures are in place.

New Zealand: Limited. The privacy commissioner may prohibit cross-border transfer of personal information from New Zealand to another jurisdiction that lacks privacy protection comparable to the OECD guidelines or the EU directive.

China (mainland): Limited. Transferring personal data abroad without explicit legal authorization or regulatory approval is prohibited. Information involving "state secrets" shall not be stored, processed, or transmitted in computer information systems with international networking.

Hong Kong: Limited. Transferring personal data outside Hong Kong is prohibited without the data subject's written consent and a similar degree of personal data protection in the destination.

Taiwan: Limited. The respective government authority may limit data export to outside Taiwan under certain conditions, including: 1) major national interests are involved; 2) a national treaty or agreement specifies otherwise; 3) the recipient country lacks proper regulations to protect personal information; and 4) the data transfer is made indirectly where Taiwanese law is not applicable.

Cross-Border Transfer Rules Have A Strong Sector Focus (cont.)

Country: Cross-Border Data Control Requirement

Japan: No restriction. There is no law explicitly limiting international data transfer. However, the PIPA requires prior consent from individuals when transferring data to third parties.

South Korea: Limited. Transferring personal data outside Korea requires notice to and consent from the individual.

India: Limited. Transferring personal data to a third party requires certain conditions, including that the third party affords the same level of data protection as in India and that the transfer is necessary for the performance of a lawful contract, or that the information provider has consented to such transfer.

Singapore: No restriction.

Indonesia: No restriction.

Malaysia: Restricted. Transferring personal data to any place outside Malaysia other than a place specified by the minister is prohibited. The approved countries are to be announced by the minister in the official gazette.

Philippines: No restriction.

Thailand: No restriction.

Vietnam: Limited. No restriction except for documents and objects that contain "state secrets", which are restricted without authorization.

Penalties For Non-compliance Can Be Significant Country

Australia

Penalty Examples Under the amended privacy act effective in March 2014: • For a small-scale data breach: AUD 110,000 (≈USD 115,000) for organizations; AUD 22,000 (≈USD 23,000) for individuals • For repeated and serious offenders: up to AUD 1.1 million (≈USD 1.15 million) for organizations; AUD 220,000 (≈USD 230,000) for individuals

New Zealand

For unlawful disclosure of personal information, maximum penalty: NZD 200,000 (≈USD 167,000), imprisonment of two years, or both

China (mainland)

For violating encryption laws: Confiscation of offending products, forfeiture of illegal income, fines ranging from 1 to 3 times the value of illegal income, and possibility of criminal prosecution

Hong Kong

Taiwan

For a repeated contravention intentionally: • Up to HKD 50,000 (≈USD 6,450) and imprisonment for up to two years; for a continuing offense, a daily fine of up to HKD 1,000 (≈USD 130). For a second and subsequent convictions: up to HKD 100,000 (≈USD 13,000) and imprisonment of up to 2 years; for a continuing offense, a daily fine of up to HKD 2,000 (≈USD 260). For unauthorized disclosure of personal data relating to direct marketing: • Up to HKD 1 million (≈USD 130,000) and imprisonment for up to ve years Violation of the act may result in: Up to TWD 200,000 (≈USD 6,800), a maximum prison sentence of five years, or both Best Practices for Cloud Security and Privacy © 2014 Storage Networking Industry Association. All Rights Reserved.

Recommendations


Compliance Management Framework

• Understanding the regulatory landscape
• Listing compliance requirements at each location
• Audit of the existing state
• Mapping compliance responsibilities
• Highlighting the gaps/weak spots
• Measures to address the concerns: automating and operationalizing
• Update and monitoring

Recommendation for Organizations

Principle 1: Handling data fairly and lawfully
• Ensuring that individuals are notified of the purpose for which their data will be used
• Ensuring that nothing unlawful is done with the data
• Ensuring that consent has been obtained for specified purposes before processing the data

Principle 2: Obtaining data for lawful purposes only
• Organizations should determine why they are collecting personal data and what they intend to do with it
• Clear guidelines on how the information is being used
• Data should not be used for purposes other than those for which consent has been obtained

Recommendation for Organizations

Principle 3: Ensuring relevancy and adequacy
• Identify whether each item of information is relevant to the use
• Delete the excess information

Principle 4: Ensuring that the information obtained is correct and up to date
• Demonstrate proper measures to ensure the accuracy of personal data obtained
• Record the sources of personal information
• Ensure challenges to the accuracy of data are given proper consideration
• Establish processes by which personal data can be updated
• Ensure safeguards are in place to prevent the personal data from being altered and misused

Recommendation for Organizations

Principle 5: Record Retention
• Ensure personal data is deleted when its purpose is no longer served
• Anonymise personal data when the identity is no longer required
• Securely archive personal data which must be kept as per requirements

Principle 6: Rights of Individuals
• Understand the rights with respect to direct marketing – opt-in/out
• Understand the rights of individuals with respect to their requests to access and see their data

Principle 7: Information Security
• Ensure that physical records, IT equipment and buildings are secure
• Establish password procedures
• Encrypt data
• Ensure staff have been trained in their responsibilities

Recommendation for Organizations

Principle 8: Data Transfer
• Consider whether the data transfer is within or outside the country
• Consider whether the third party ensures that an adequate level of protection will be given to the data
• Consider what the contractual obligations are
• Consider whether the data can be transferred outside the jurisdiction

Outline

Major Cloud Computing Threats & Risks
Prevailing Cloud Security & Privacy Guidance
Important Cloud Security & Privacy Resources
Privacy vs data protection
Summary

Summary

Compliance is a challenge, and no longer optional.
Organizations are having to closely monitor relevant laws & regulation changes.
Compliance requirements differ depending on where you operate.
Multi-nationals also have to consider US and EU legislation.

Customers are realising that data now also requires classification by sensitivity.

Final Thoughts

It is possible to engineer solutions across most cloud services today that meet or exceed the security provided within the enterprise…however, the capability to execute may not be a reality!

The various value propositions of cloud (agility, low cost, scalability, security) are often conflated, suggesting all four can be achieved simultaneously and in equal proportions; this is a fallacy because trade-offs are almost always required.

Attribution & Feedback

The SNIA Education Committee thanks the following individuals for their contributions to this Tutorial.

Authorship History
Eric A. Hibbard – April 2014
SNIA Security TWG (incorporating materials from earlier tutorial dating back to 2012)
Updates (Aug-2014): Eric A. Hibbard (for SDC)

Additional Contributors
CSA International Standardization Council
ABA SciTech Cloud Computing Committee

Please send any questions or comments regarding this SNIA Tutorial to [email protected]

Thank you! @pkg99 [email protected]