1 1 2013 BSA Global Cloud Computing Scorecard.

Legal and Policy Issues on Cloud Service 2015. 06. 12 Jonghyun Baek

Page 1:

Legal and Policy Issues on Cloud Service Security in Korea

2015. 06. 12

Jonghyun Baek

Page 2:

Ⅰ : Cloud Service Promotion and User Protection Law

Ⅱ : Cloud Service Security Policy of Korea

Ⅲ : Future Plans

Page 3:

Ⅰ : Cloud Service Promotion and User Protection Law

Page 4:

1. Legislation background (1/2)

The global ICT industry paradigm is being transformed by the revolution triggered by cloud computing.

- The US, Japan and EU countries have developed ICT policies based on cloud computing.

※ Over 40% of US businesses use cloud services (CDW, '13). In particular, the CIA, NASA, and other government agencies have actively introduced cloud services.

- Major global enterprises (Amazon, Google, MS, etc.) have made aggressive efforts to occupy new markets for cloud service based on the domestic demand or market.

Page 5:

1. Legislation background (2/2)

On the other hand, conditions in Korea are still immature for the cloud industry.

- Even though Korea possesses world-class IT infrastructure, the introduction of local cloud service has been slow.

※ Sales of local cloud service businesses in 2014 : 523.8 billion KRW (≒ 0.466 billion USD) (33.2% YOY growth)

The Korean government has improved the related statutes and implemented diverse policies in order to address these concerns regarding the local cloud industry.

2013 BSA Global Cloud Computing Scorecard

Page 6:

2. Main contents of the law (1/4)

Legislation process

- Legislation plan announced (Jul. 2012) → Public hearing (Aug. 2012) → Bill passed by the National Assembly (Mar. 2015) → Enforced (Sept. 2015)

Page 7:

2. Main contents of the law (2/4)

Provision of legal grounds for government support to cloud service promotion

- The ICT Strategy Committee (chaired by the Premier) shall establish a master plan and provide a pan-government structure for cloud service development. (Article 5)

- Plans for substantial government support shall be prepared for R&D, pilot projects, support for SMEs, development of expert personnel and advancement into overseas markets. (Articles 8, 9, 11, 14, 17)

- When budgeting for computerized information services, the introduction of cloud service in the public sector shall be considered with priority. (Article 12)

Improvement of existing regulations for developing the local cloud industry

- The government shall make efforts to enable public institutions to use cloud services in their business. (Article 20)

- The government shall deregulate so that, when it approves various businesses, cloud services can be used without deploying computer facilities. (Article 21)

Page 8:

2. Main contents of the law (3/4)

Development of safe conditions by providing legal grounds for user protection

- Prepare a structure for the protection of information by publishing standards for service quality and performance and standards for the protection of information (Article 23) and provisions concerning the notification of security incidents (Article 25)

Article 23 (Enhancement of Reliability)

① Cloud computing service providers shall do their best to enhance the quality, performance, and information protection level of their computing service.

② The Minister of Science, ICT, and Future Planning may encourage cloud computing service providers to comply with the Standards for Quality and Performance Level and Information Protection that he determines and publishes (including administrative, physical, and technical protection measures) with regard to their cloud computing service.

③ The Minister of Science, ICT, and Future Planning shall listen to the opinions of the Korea Communications Commission to publish Standards for the Quality and Performance Level of Cloud Computing Service pursuant to Paragraph 2.

Article 25 (Notification of security incidents)

① Cloud computing service providers shall notify the service users without delay in cases falling under any of the following: (……)

② Cloud computing service providers shall immediately notify the Minister of Science, ICT, and Future Planning in cases falling under any of Paragraph 1, Subparagraph 2.

③ Upon being notified or informed of the relevant fact pursuant to Paragraph 2, the Minister of Science, ICT, and Future Planning may take the necessary actions to prevent the spread or recurrence of damage or recovery.

④ The Presidential Decree shall set forth the matters required for notification and actions under Paragraphs 1 ~ 3.

Page 9:

2. Main contents of the law (4/4)

Development of safe conditions by providing legal grounds for user protection

- The Act prohibits the provision of user-related information to a third party without consent, requires the return or destruction of information when the service is terminated (Article 27), and sets forth the liability for compensation for damages (Article 29).

Article 27 (Protection of User-related Information)

① Cloud computing service providers shall neither provide any user-related information to a third party nor use the information for purposes other than the provision of services without the user’s consent unless the submission is ordered by a court or a warrant is issued by a judge. This shall apply to all third parties provided with the user-related information by cloud computing service providers.

② Cloud computing service providers shall notify and obtain consent from the users concerning the following when intending to provide the user-related information to a third party or use the information for purposes other than the provision of the services (this shall also apply to cases wherein any of the following is changed):……

Article 29 (Liability for Damage Compensation)

The users may claim from cloud computing service providers compensation for damages they inflicted on the users through acts in violation of the provisions of this Act. In such case, cloud computing service providers shall not be exempted from responsibility unless they prove that they committed no intentional or negligent errors. Cloud computing service providers shall immediately notify the Minister of Science, ICT, and Future Planning in cases falling

Page 10:

Ⅱ : Cloud Service Security Policy of Korea

Page 11:

1. Governmental security promotion policy

Plans include ① law enactment, ② security check, ③ security guideline, ④ security technology development, ⑤ security education.

MSIP and KISA cooperate on security reinforcement for cloud service providers.

※ MSIP (Ministry of Science, ICT and Future Planning), KISA (Korea Internet & Security Agency)

Page 12:

2. Main security promotion policy (1/4)

Security Guideline for Cloud Service ('11)

- Target : Cloud Computing Users, Cloud Service Providers

- Summary : Outline of cloud service security threats and considerations

< Cloud Service Security Threats >

< Cloud Service Security Guideline >

Page 13:

2. Main security promotion policy (2/4)

Security Consulting on Cloud Service ('12)

- 4 small and medium-sized cloud service providers

- Management system, server protection, identification of vulnerabilities through simulated hacking

< The result of security consulting >

Page 14:

2. Main security promotion policy (3/4)

Guideline for Data Protection in Cloud Service Environments ('13)

- Target : Cloud Service Provider

- Summary : Outline of data security threats and guide for data protection in cloud service environments

< Data encryption/decryption in cloud service environments >

< Cloud Service Security Guideline >

Page 15:

2. Main security promotion policy (4/4)

Standardization of Information Security Guidelines of CSPs ('14)

- Contents : Standardizing the security management control items and frameworks of CSPs for service security

- Composition : Security management requirements drawn from international standards such as ISO/IEC 27017/18, FedRAMP (SP 800-53A), CSA (CCM 3.0)

This standard defines an information security framework for cloud service providers, classified into governance, management processes and technology processes. It also provides information security guidelines that cloud service providers should consider in order to provide secure cloud service.

< Security guideline of cloud service providers >

Page 16:

Ⅲ : Future Plans

Page 17:

1. Cloud Service Security Plans (1/4)

Provision of security measures for providing safe cloud service and user confidence

Realize a country that provides the world’s most secure cloud service through the development of conditions for safe cloud service

Security Management : Development of conditions for security-embedded cloud service

- Voluntary enhancement of security level by cloud service providers

- Development of infrastructure for safe cloud service

- Enhancing capabilities for the protection of cloud service users or addressing infringement accidents

Security Technologies : Development of core security technologies for global cloud service

- Development of cloud security framework

- Development of core source technologies for cloud computing security

Security Business : Enhancement of industrial competitiveness of cloud service security

- Development of technological support center for cloud security

- Creation of new cloud security markets

- Proactive introduction of cloud service between public and private sectors

- Development of cloud security personnel or enhancement of their understanding

Page 18:

1. Cloud Service Security Plans (2/4)

Security Certification on Cloud Service

- Implementation of pilot project to identify potential cloud security threats

① Development of cloud service security verification methodology and survey on security level

※ Self Test by CSPs (around 20 providers) with survey and checklists for security level examination

② Cloud service security check by demo-users (2 ~ 3 CSPs)

- Development of cloud service security certification scheme

※ The cloud security certification is being developed with priority on the private sector, and it will be expanded into the public sector to disseminate the use of public cloud service by public agencies.

Page 19:

1. Cloud Service Security Plans (3/4)

Development of core technologies for enhancing the security level of global services

- Technologies for risk-based multiple certifications or control of dynamic access based on the security status of cloud services

- Technologies for detecting or monitoring abnormal acts by collecting information concerning the status or acts of cloud services

- Technologies for policy-based response based on the outcome of cloud safety tests or inspection or verification of security status

Page 20:

1. Cloud Service Security Plans (4/4)

Deployment of support structure for enhancing the industrial competitiveness

- Developing or supporting diverse SecaaS (web firewall, IDS/IPS, e-mail encryption, etc.)

- Pilot application of cloud-based security service to small business operators

- Cloud security consulting to SMEs (small and medium enterprises)

- Deployment of cooperative structures between SecaaS providers and cloud service providers

< Diagram labels: Cloud Service Provider; Security as a Service (SecaaS) development (Web Firewall, DB encryption, Security Management, etc.); SME-1, SME-2, SME-3; Cloud Security Consulting >

Page 21:

Thank you