Considerations in an Outsourced / Cloud World
ARMA Information Management Symposium
Bill Wilson, Chief Privacy Technologist
ARMA Information Management Symposium - April 18th 2012
Privacy in the Outsourcing World
The times, they are a-changin'
40 years ago – truck full of paper
30 years ago – crates of floppy disks
10 years ago – hard drives
Today, the same information can fit on a single DVD or a thumb drive!
Cybercrime
Fraud-related offences are now thought to be as profitable as drug-related offences, estimated at between $10 and $30 billion annually in Canada by the RCMP's Commercial Crime Branch.
The majority of these crimes aren't committed by kids at their computers; 80% or more of the work is conducted by criminal organizations.
Identity Fraud
Victims of identity theft or fraud can experience financial loss and difficulty obtaining credit or restoring their "good name".
In 2009 the average data breach cost the affected business $6.75 million, up from $6.65 million in 2008, according to a Ponemon Institute study.
What your information could be used for
Criminals can use your stolen or reproduced personal or financial information to:
 – access your bank accounts
 – open new bank accounts
 – transfer bank balances
 – apply for loans, credit cards and other goods and services
 – make purchases
 – hide their criminal activities
 – obtain passports or receive government benefits
Threat Landscape - Trends
Top threat events involved external hacking/malware on servers
Increase in all forms of attacks by all actors
Industrialization of attacks
Targeting weak points in the financial system
Top three industries targeted – Hospitality, Retail, Financial
Threat Landscape - Trends
Market segmentation
 – Organization size
 – Geographic location
 – Industry
Low-risk, automated attacks against vulnerable systems
Sophisticated attacks targeted at intellectual property
Defences
Understand the threat landscape for your business
Assess the risks
 – Vulnerabilities
 – What are you seeing
 – Regulatory requirements
 – Industry requirements
Legislation
Personal Information Protection and Electronic Documents Act (PIPEDA)
Key elements for cloud computing:
 – Consent
 – Collection
 – Use
 – Disclosure
 – Retention
 – Safeguards
Personal Information
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form.
Personal information does not include the name, title, business address or telephone number of an employee of an organization.
Cloud Computing Models
Service models:
 – Infrastructure as a Service (IaaS)
 – Platform as a Service (PaaS)
 – Software as a Service (SaaS)
Deployment models:
 – Private
 – Public
 – Partner
Cost, liability and assurance shift across these models; risks vary by deployment and service model.
Considerations
Ceding of control to the cloud/outsource provider and the related impact on governance
Cloud computing is new – standards are still being developed, supporting technologies are still being enhanced, and there is little to no case law.
Considerations
Amalgamation of existing technologies; risks in cloud/outsourced computing can be:
 – Existing risks inherent in the technologies used
 – Magnification of existing risks
 – New risks
Consumer-focused cloud services may present greater risks to data security and privacy due to click-through terms.
Jurisdiction
Location of the cloud/outsource provider, their infrastructure and your data
Some countries may be considered higher-risk
Does the cloud/outsource provider outsource any of its services to other providers in other jurisdictions?
Trans-Border Data Flows
PIPEDA does not prohibit the transfer of Personal Information (PI)
 – But it does establish rules
Sharing information with a service provider is considered a use
 – Additional consent is not required
Accountability is not transferred
 – The buck stops with you
Trans-Border Data Flows
Data protection formalized in a contract
 – A contract cannot override laws
Assess the risks
 – Don't jeopardize the integrity, security and confidentiality of customer personal information
Transparency and notification
 – Advise customers
Lawful Access
What laws apply to the data, both in transit and at rest?
 – Does the host country have lawful access to your data? e.g. the US PATRIOT Act
 – Unlawful access?
Shared storage – consider the implications if a physical device is seized
Compliance
Maintaining compliance with required regulations
 – PIPEDA, Sarbanes-Oxley, or industry requirements such as PCI DSS
Maintaining compliance with certifications
 – ISO
Breach reporting
 – Does the provider's breach reporting policy and procedure align with your requirements?
Data Ownership
Must be clearly defined
 – Explicitly state what data the provider has access to and what they can do with the data
What happens to the data on contract termination?
 – By you
 – By them
 – For other reasons, e.g. failure of the vendor
Data Handling
Data classification and labelling
 – Prerequisite
 – Drives requirements for data handling in the SLA
 – Encryption or additional controls for sensitive data
Understand the provider's data handling practices
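The slide's point is that classification comes first and the label then dictates what the SLA must guarantee (encryption, jurisdiction, disposal, retention). The following added example, which is not from the presentation, shows one way to turn that into a repeatable check: a small policy table maps each label to required controls, a provider profile captures what the contract actually commits to, and the assessment reports every gap per data set. The labels, the controls each label requires, and the two provider profiles are constructed assumptions standing in for an organisation's own classification standard and a real provider's SLA terms.

```python
"""Classification-driven check of a provider's data-handling controls.

Added example, not from the presentation. Labels, required controls and the
provider profiles below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed handling requirements per label. allowed_jurisdictions=None means
# no restriction; max_retention_days bounds how long copies (backups,
# redundancy images) may persist after deletion.
REQUIREMENTS = {
    "public": {"encryption_at_rest": False, "disposal_certificate": False,
               "allowed_jurisdictions": None, "max_retention_days": None},
    "internal": {"encryption_at_rest": False, "disposal_certificate": True,
                 "allowed_jurisdictions": None, "max_retention_days": None},
    "confidential": {"encryption_at_rest": True, "disposal_certificate": True,
                     "allowed_jurisdictions": {"CA"}, "max_retention_days": None},
    "personal": {"encryption_at_rest": True, "disposal_certificate": True,
                 "allowed_jurisdictions": {"CA"}, "max_retention_days": 365},
}
# In this assumed policy, encryption in transit is required for every label.
TRANSIT_REQUIRED_FOR_ALL = True


@dataclass
class Provider:
    """What the provider commits to, as extracted from its SLA/contract."""
    name: str
    encryption_at_rest: bool
    encryption_in_transit: bool
    jurisdictions: frozenset      # every country where data or sub-processors sit
    disposal_certificate: bool
    retention_days: int           # days that backups/redundant copies outlive deletion


@dataclass
class DataSet:
    name: str
    label: str                    # classification label applied by the data owner


def assess(ds: DataSet, p: Provider) -> list:
    """Return findings where the provider's controls fall short of the label's
    requirements; an empty list means the data set may be placed with p."""
    req = REQUIREMENTS.get(ds.label)
    if req is None:
        # Classification is the prerequisite: an unlabelled data set cannot be assessed.
        return [f"{ds.name}: no recognised classification label ({ds.label!r})"]
    findings = []
    if req["encryption_at_rest"] and not p.encryption_at_rest:
        findings.append(f"{ds.name}: {ds.label} data needs encryption at rest; {p.name} does not provide it")
    if TRANSIT_REQUIRED_FOR_ALL and not p.encryption_in_transit:
        findings.append(f"{ds.name}: encryption in transit missing at {p.name}")
    allowed = req["allowed_jurisdictions"]
    if allowed is not None:
        outside = sorted(p.jurisdictions - allowed)
        if outside:
            findings.append(f"{ds.name}: {p.name} stores or sub-processes data in {outside}, outside {sorted(allowed)}")
    if req["disposal_certificate"] and not p.disposal_certificate:
        findings.append(f"{ds.name}: no certificate of disposal offered by {p.name}")
    limit = req["max_retention_days"]
    if limit is not None and p.retention_days > limit:
        findings.append(f"{ds.name}: copies persist {p.retention_days} days after deletion, limit is {limit}")
    return findings


def assess_inventory(inventory, p: Provider) -> dict:
    """Map each data set name to its findings for provider p."""
    return {ds.name: assess(ds, p) for ds in inventory}


# Constructed provider profiles and data inventory (not real vendors).
PROVIDER_A = Provider("Provider A", True, True, frozenset({"CA"}), True, 90)
PROVIDER_B = Provider("Provider B", False, True, frozenset({"CA", "US"}), False, 400)
INVENTORY = [DataSet("marketing_site", "public"),
             DataSet("customer_records", "personal"),
             DataSet("hr_survey", "")]

if __name__ == "__main__":
    for p in (PROVIDER_A, PROVIDER_B):
        for name, findings in assess_inventory(INVENTORY, p).items():
            print(p.name, name, "OK" if not findings else findings)
```

Run as a script it prints, per provider and data set, either OK or the list of gaps; the unlabelled `hr_survey` set is reported as unassessable rather than silently passed, which is the "prerequisite" point from the slide. The jurisdiction check deliberately covers every country the provider or its sub-processors use, since the earlier jurisdiction slide asks exactly that question.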
Processing and Creation of New Data
Understand what is happening to your data at the cloud/service provider
 – What is your service provider doing with the data?
Data matching
Creation of new data
Data Permanence
Proper disposal of data must be addressed
 – Redundancy images
 – Backups
Proof of disposal
 – Certification of Disposal
Security
Existing risks inherent to the technologies used
 – Virtualization, web
New risks
 – Lack of isolation
Magnification of existing risks inherent to your processes
Security
Implications of multi-tenant, shared resources
Availability and segmentation of audit logs
Authentication and identity management
Access control
Management and monitoring of privileged access
Security incident response capability
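Three of the items above (audit log segmentation, multi-tenancy, monitoring of privileged access) can be checked from the customer side only if the provider's audit log is available and attributable per tenant. The following added example, not from the presentation, parses a constructed provider-side audit log, segments it by the tenant that owns each resource, and flags provider-staff privileged actions that lack a change ticket as well as any access by another tenant's users. The key=value log format, the field names, the `provider-admin` role and the sample lines are all assumptions made for the example; a real provider's export will differ.

```python
"""Segment a shared audit log per tenant and flag privileged/cross-tenant access.

Added example, not from the presentation. The log format, field names and the
sample lines are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample of a provider-side audit log. Resources are named
# "<owning tenant>/<path>" so ownership can be derived from the resource itself.
SAMPLE_LOG = """\
ts=2012-04-18T09:00:01Z actor=alice@acme.example actor_tenant=acme role=user action=read resource=acme/files/q1.xlsx ticket=-
ts=2012-04-18T09:05:12Z actor=ops1@provider.example actor_tenant=provider role=provider-admin action=snapshot resource=acme/volumes/vol-7 ticket=CHG-1001
ts=2012-04-18T09:07:44Z actor=ops2@provider.example actor_tenant=provider role=provider-admin action=read resource=acme/files/customers.csv ticket=-
ts=2012-04-18T09:09:03Z actor=bob@globex.example actor_tenant=globex role=user action=read resource=acme/files/q1.xlsx ticket=-
ts=2012-04-18T09:10:30Z actor=carol@globex.example actor_tenant=globex role=user action=write resource=globex/files/plan.doc ticket=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"ts", "actor", "actor_tenant", "role", "action", "resource", "ticket"}


def parse(log_text: str) -> list:
    """Parse key=value lines into dicts; lines missing a required field are dropped,
    and the owning tenant is derived from the resource prefix."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = dict(FIELD_RE.findall(line))
        if REQUIRED.issubset(ev):
            ev["resource_tenant"] = ev["resource"].split("/", 1)[0]
            events.append(ev)
    return events


def segment_by_tenant(events: list) -> dict:
    """Group events by the tenant that owns the touched resource, so each
    customer can be given (or can verify) only its own slice of the log."""
    per_tenant = defaultdict(list)
    for ev in events:
        per_tenant[ev["resource_tenant"]].append(ev)
    return dict(per_tenant)


def review(events: list, my_tenant: str) -> list:
    """Return (kind, ts, actor, resource) findings for events touching my_tenant's
    resources: every provider-admin action is recorded, ones without a change
    ticket are flagged as unapproved, and access by another tenant is flagged."""
    findings = []
    for ev in events:
        if ev["resource_tenant"] != my_tenant:
            continue
        if ev["role"] == "provider-admin":
            kind = "privileged_access" if ev["ticket"] != "-" else "unapproved_privileged_access"
            findings.append((kind, ev["ts"], ev["actor"], ev["resource"]))
        elif ev["actor_tenant"] != my_tenant:
            findings.append(("cross_tenant_access", ev["ts"], ev["actor"], ev["resource"]))
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for tenant, slice_ in segment_by_tenant(evs).items():
        print(f"{tenant}: {len(slice_)} events")
    for f in review(evs, "acme"):
        print(*f)
```

On the sample data the acme slice holds four events and the review yields one approved privileged action, one unapproved privileged read of a sensitive file, and one read by a globex user. The same three questions (is every privileged action tied to an approved change, does any other tenant ever touch our resources, can we get the log at all) are what the contract and SLA review on the earlier slides should secure in writing.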
Security
Provider's provision for handling conflicting requirements between customers on shared infrastructure
Clear division of security responsibilities and liabilities between the customer and the provider
Cloud/outsourcing can provide benefits, mostly related to economies of scale
 – Small businesses may benefit
Summary
Risk assessment
Transparency by the provider on its approach to privacy and security
Certifications
Contract review, including the SLA and any related/referenced Terms of Service
Contract monitoring