Adrian Ross GRC Consultant IT Governance Ltd Nigel Hawthorn … · 2018-11-27 · TM © IT...
TM
© IT Governance Ltd 2016
Copyright IT Governance Ltd 2016 – v1.0
Privacy and the GDPR: How Cloud computing could be your failing
Adrian Ross
GRC Consultant
IT Governance Ltd
Nigel Hawthorn
EMEA Marketing Director
Skyhigh Networks
Introduction
• Adrian Ross
– GRC consultant
– Intellectual property
– Data protection and information security
• Nigel Hawthorn
– Author of GDPR: An Action Guide for IT
– Speaker on data protection, privacy and security
– Chief European spokesperson for Skyhigh Networks
IT Governance Ltd: GRC one-stop shop
All verticals, all sectors, all organisational sizes
About Skyhigh
• Provides visibility, control and security of Cloud computing
• For shadow Cloud and approved Cloud services
• Enables faster assessment of Cloud services (50+ attributes)
• Adds full logging for data loss investigation
• Alerts on anomalies when accessing Cloud services
• Helps set policies for Cloud access
• For SaaS, IaaS and PaaS
• Adds DLP, threat protection, access control and encryption
• Enabling Cloud security for enterprises
Agenda
• An overview of the General Data Protection Regulation (GDPR).
• Breach notification requirements under the GDPR and a showcase of recent data breaches and their costs.
• Organisations’ responsibilities when storing data in the Cloud, and the roles of controller and processor.
• The outcome of subcontracting on Cloud service providers and notifications on activities in the Cloud.
• The role and responsibilities of the Cloud adoption team.
• ISO 27018 and implementing security controls for PII in the Cloud.
An overview of the General Data Protection Regulation (GDPR)
A defining moment for digital rights in Europe and beyond
• Point of reference is Article 8 of the Charter of Fundamental Rights.
• The result of negotiations between the European Parliament, Council and Commission.
• A harmonising regulation.
• Intended to be one of the longest laws on the Union’s statute book.
• Applies to organisations inside or outside the EU that process personal data.
• Introduces legal obligations on controllers and processors.
• Fines of up to 2% or 4% of total annual worldwide turnover.
• Immediately applicable in each Member State.
• Applies from 25 May 2018.
The GDPR: Top ten aspects of the Regulation
• Increased fines - 4% of global turnover or €20,000,000.
• Opt-in consent - Clear, no opt-out, use data only as agreed.
• Breach notification - 72 hours to regulators, users “without delay”.
• Territorial scope - All organisations with data on EU individuals.
• Joint liability - Data controllers and processors.
• Right to removal - The users are in charge.
• Removes ambiguity - 28 laws become one.
• Data transfer - Data keeps privacy rights as it moves globally.
• Common enforcement - Authorities will be strict.
• Collective redress - Class action lawsuits from individuals.
Data breach notification
• How do you know you have had a breach?
– Traffic anomalies, search for lost credentials on dark web, user input?
• How will you check the scope of the incident?
• Can you stop a breach in progress?
• You have 72 hours to tell the regulator after becoming aware of the breach.
• You must inform the data subjects “without undue delay”.
• This is when speculation can run riot – be precise.
• Define various communication plans, depending on circumstances.
• You do not need to tell the data subjects if the affected data was encrypted.
Expect a data breach – define the organisation’s plan
Data loss receipt - TalkTalk
Assume the worst
• First tweet – 11:13pm Saturday night – 5th November 2016
Trust boundaries in the Cloud
• Scope extends to the trust boundary – on both sides!
– Adapted from Cloud Computing www.itgovernance.co.uk/shop/p-465-cloud-computing-assessing-the-risks.aspx – Figure 2
• What happens beyond the trust boundary?
The responsibility of the controller when storing data in the Cloud
• Implement appropriate technical and organisational measures;
• Implement appropriate data protection policies;
• Adhere to approved codes of conduct or certification mechanisms;
• Controller still needs legitimising reason for transfer;
• Data protection principles still apply;
• Use of model clause meets the above criteria;
• Legal obligation is on the controller to ensure compliance with law;
• Legal obligation is on the controller to inform data subject of transfer.
The responsibility of the processor when storing data in the Cloud
A legal contract must ensure that the processor:
• processes the personal data only on documented instructions from the controller;
• ensures that persons authorised to process the personal data observe confidentiality;
• takes appropriate security measures;
• respects the conditions for engaging another processor;
• assists the controller by applying appropriate technical and organisational measures;
• assists the controller in ensuring compliance with the obligations to security of processing;
• deletes or returns all the personal data to the controller after the end of the provision of services;
• makes available to the controller all information necessary to demonstrate compliance with the Regulation.
This will lead to
• Clearer delineation of lines of responsibility for data.
• A focus on how the Cloud infrastructure is protected.
• An increased focus on how customer data is protected.
• A bigger focus by Cloud providers on what data is stored on infrastructure.
• Increased costs of compliance for Cloud providers.
• How does a Cloud provider comply with ‘the right to be forgotten’?
• Increased use of metadata about individuals to identify what data is stored where.
• The EU GDPR can now be viewed as global data protection law.
• ISO 27001 and ISO 27018 now brought more into focus.
Dealing with the complexity of Cloud and subcontracting
How Many Unsanctioned Apps & Cloud Services Are We Using?
• Per company, unique services
Security controls vary by provider
Authentication and logging
Cloud adoption team: Responsibilities
• Review current data sets and services
– Don’t forget employee data
• Set minimum standards for Clouds and app services
• Implement contracts with approved services
• Define approved Cloud services
– Migrate users to approved services
• Implement policies to block/allow/warn users of risks
• Implement monitoring, DLP, anomaly checking
• Integrate with LDAP, AD, SSO services
• Publish approved Cloud services list
• Review requests for new Cloud services
First two steps: Gain visibility and identify solutions
• Gain visibility into today’s use
– Declare amnesty – ask for input
– Review data traffic
• Identify the high-need services
– Evaluate the business benefits from different solutions
– Define minimum security attributes
– Declare the standard app/service
– Encourage use and enforce controls
– Provide time to migrate
– Block/redirect to approved services
• Build a cross-functional team
Cloud adoption goal
• Start publishing a list of acceptable services/apps
– Explain why these were chosen
• Clearly communicate data categorisation if you have it
– Use a real-life example to explain why
• Review AUP; see if it can be more flexible
– “if no confidential information…”
• Go from the department of ‘no’ to the department of ‘know’
• Add controls to secure Cloud as you would on premises
– SSO, encryption, logging, anomaly investigation, sharing policies, etc.
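As an added example (not code from the deck, from IT Governance or from Skyhigh), the block/allow/warn policy and the "uploads to previously unknown destinations" check from the adoption team's responsibilities, run in Python over constructed egress-proxy log lines; the service register, hostnames and the 10 MiB upload threshold are assumptions.

```python
"""Shadow-cloud triage over proxy logs: allow/warn/block per service, alert on risky uploads."""
from collections import Counter

# Constructed sample egress-proxy lines (not from the deck): time user destination bytes_out method
SAMPLE_LOG = """\
2016-11-05T23:13:02 alice docs.approved-cloud.example 1200 GET
2016-11-05T23:14:10 alice share.unknown-host.example 52428800 POST
2016-11-05T23:15:44 bob files.denied-service.example 300 GET
2016-11-05T23:16:01 carol mail.approved-cloud.example 900 POST
2016-11-05T23:17:30 bob files.denied-service.example 20971520 PUT
"""

# Hypothetical service register published by the cloud management team.
# Any destination missing from it is "previously unknown" (shadow cloud).
SERVICE_REGISTER = {
    "docs.approved-cloud.example": "approved",
    "mail.approved-cloud.example": "approved",
    "files.denied-service.example": "denied",
}
UPLOAD_ALERT_BYTES = 10 * 1024 * 1024   # constructed threshold: 10 MiB outbound
UPLOAD_METHODS = {"POST", "PUT"}


def policy_action(dest):
    """Map the register status to the block/allow/warn policy from the deck."""
    status = SERVICE_REGISTER.get(dest)
    if status == "approved":
        return "allow"
    if status == "denied":
        return "block"
    return "warn"   # unknown service: warn the user and point them at the request form


def review_traffic(log_text):
    """Return (action per destination, alerts to investigate, unknown destinations seen)."""
    actions, alerts, unknown = {}, [], Counter()
    for line in log_text.splitlines():
        _ts, user, dest, bytes_out, method = line.split()
        bytes_out = int(bytes_out)
        action = actions.setdefault(dest, policy_action(dest))
        if dest not in SERVICE_REGISTER:
            unknown[dest] += 1
        # A large upload to a non-approved service is the DLP/anomaly signal to investigate.
        if method in UPLOAD_METHODS and bytes_out >= UPLOAD_ALERT_BYTES and action != "allow":
            kind = "denied" if action == "block" else "unknown"
            alerts.append({"user": user, "dest": dest, "bytes": bytes_out,
                           "reason": "large upload to %s service" % kind})
    return actions, alerts, sorted(unknown)


if __name__ == "__main__":
    for item in review_traffic(SAMPLE_LOG):
        print(item)
```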
IT Governance: GDPR self-help
• One-day accredited Foundation course (classroom, online, distance learning)
– www.itgovernance.co.uk/shop/product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning)
– www.itgovernance.co.uk/shop/product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• Pocket guide www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual http://www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit www.itgovernance.co.uk/shop/product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
Other useful sources of information
Cloud Acceptable Use Policy
Below is a template our customers may use for their users to request access to cloud services. If you have any suggestions on how to improve the document, please send them to (is there a CS team alias?)
This policy is the cloud computing acceptable use policy, provided as part of the terms of employment and in addition to the Internet Acceptable Use Policy.
Latest version of this policy can be found online at: https://intranet.company.com/cloud-policy.html
Approved cloud services are listed online at: https://intranet.company.com/approved-cloud.html
The cloud management team can be contacted on cloudteam@company.com
Cloud computing offers a number of advantages including low costs, high performance and efficient delivery of services. However, without adequate controls, it also exposes individuals to online threats such as data loss or theft, unauthorized access to corporate networks, loss of name/password credentials and viruses and other malware.
The company allows employees to access safe, secure cloud services with approval from the cloud management team in certain circumstances.
This cloud computing policy is designed to safeguard the employee and the company’s information. It is imperative that employees NOT open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-related communications or company-owned data without approval of the cloud management team. This is necessary to protect the integrity and confidentiality of company data and the security of the corporate network.
The following guidelines are intended to establish a process whereby employees can use cloud services without jeopardizing company data and computing resources.
Scope
This policy applies to all employees in all departments with no exceptions.
This policy pertains to all external cloud services, e.g. cloud-based email, document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc. Personal accounts are excluded.
If you are not sure whether a service is cloud-based or not, please contact the cloud management team.
Cloud Computing Management Team
Organizations should be able to embrace cloud services without risk, to comply with regulatory policies and local data protection laws, identify compromised accounts and devices and insider threats.
The decision-making on acceptable cloud services is multi-faceted and so it is recommended that customers create a Cloud Computing Management Team with the following responsibilities:
· Decide on approved, acceptable and denied services for the organisation
· Communicate that list for employees to check before asking for approval for new services
· Define the cloud computing acceptable use policy for the company
· Review cloud computing access, to check that employees are using cloud computing in line with the policies
· Continuous monitoring of cloud computing for changes in circumstances of cloud providers
· Continuous monitoring of cloud traffic to check for appropriate use, activity that may indicate loss of credentials, potential insider threats & employee flight risks, infected machines, over-sharing of confidential data, unsupported device downloads, & uploads to unusual or previously unknown destinations
· Make sure that the company is achieving optimal pricing and that the company is not engaging with many overlapping services
· Ensuring that other aspects of computing integrate with the cloud computing services, such as single-sign-on services
· The cloud computing service must be fully integrated with other IT functions such as networking (delivering policies to egress devices), Active Directory, data leak prevention, logging and active reporting.
· Check and approve contracts with cloud providers
· Educate employees on appropriate and inappropriate cloud use
· Regular reporting on cloud use to senior management.
The Cloud Computing Management Team should be multi-disciplined and contain representatives with these areas of knowledge:
· IT Security
· Finance
· Risk & Compliance
· Legal
· A representative of the employees
· A representative from senior management
Decision-making on cloud computing should be based on multiple sets of criteria, including
Cloud Request Form
Below is a template our customers may use for their users to request access to cloud services. If you have any suggestions on how to improve the document, please send them to (is there a CS team email alias?)
Employees are allowed to access cloud services to improve their productivity.
Sadly, many cloud services can be dangerous to use as they may be conduits for data loss due to lack of security measures, poorly configured or even designed specifically to steal confidential data. They can also be a source of viruses and other malicious code, hosted in countries with no privacy regulations, break our company policies, regulations or data protection laws, and therefore employees must request access before using cloud services.
The cloud management team will respond within 48 hours to give initial approval, denial or suggest other cloud services that may be equivalent.
The company’s full cloud acceptable use policy is available online at: https://intranet.company.com/cloud-policy.html
Once filled out, please send the form to: mailto:cloudteam@company.com?subject=Cloud Request
Requester
Department
Address
Phone number
Manager’s name
Cloud Service Requested
url if known
Purpose for access
Number of employees requiring access
Cost, if any
End date (if temporary)
Business Partner Accessing Data (if any)
Skyhigh European Cloud Adoption & Risk Report:
http://info.skyhighnetworks.com/WPCARRQ12016EU_Download_White.html
Cloud Security Alliance 2016 Survey:
http://info.skyhighnetworks.com/WPCSASurvey2016_Download_Green.html
Skyhigh GDPR: An Action Guide for IT:
http://bit.ly/GDPR-Action-Guide
0845 070 1750
www.itgovernance.co.uk