We at Cloud First Company provide services that help you achieve a compliant architecture and business practice aligned with current security practices and methodologies, supporting a due-diligence approach for all of your data and enterprise applications.
GDPR regulations will affect all businesses holding “Personally Identifiable Data” in the public or private cloud (data centre). The current directive is that all businesses comply and are able to prove that due diligence has been followed in the event of any data breach.
GDPR (General Data Protection Regulation)
EU Regulations for Cloud
The Council of the European Union has finished writing its new regulation: “The regulation of the protection of individuals with regard to the processing of personal data and on the free movement of such data”, commonly known as the GDPR.
The EU GDPR (General Data Protection Regulation) is a major update to the previous EU Data Protection Directive published in 1995. It is intended to harmonise the laws across the 28 member states; clarify areas that were previously interpreted differently in different countries; increase its scope to include any organisation or individual that collects data on EU citizens; and ensure that the regulations are enforced in a similar manner across all states. Any organisation that collects (a “data controller”) or stores and processes (a “data processor”) data on individuals (data subjects) in the EU must conform to this regulation and incorporate appropriate policies and technology to conform. This will be applied to all contracts holding personal data in the public and private cloud.
On 4 May 2016, the official texts of Regulation (EU) 2016/679 and Directive (EU) 2016/680 were published in the EU Official Journal in all the official languages. While the Regulation entered into force on 24 May 2016, it applies from 25 May 2018. The Directive entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
Major Aspects of the Regulation
- Increased Fines for Data Loss – Fines can be up to 4% of global turnover or up to €20m
- Opt-in Consent – Users must give clear, unambiguous consent
- Data can be used for defined purposes only
- Breach notification – The local Supervisory Authority is to be notified within 72 hrs; users should be notified without undue delay regarding any data loss
- Territorial – Any organisation with data on EU individuals has to conform (worldwide)
- Enforcement consistency across all member states
- Joint Liability – Data Controllers + Processors are both liable for data loss incidents
- Users' right to removal of data
- Removal of ambiguity – One law across the EU
- Transfer of data outside of the EU is allowed; however, the HSE will be responsible if any data is lost via a non-EU Cloud Service Provider
- Collective Redress – Users* can work together to sue using class action
- Data controller's right to audit the data processor (CSP)
*Users in this case refers to Data Subjects
Privacy and data protection involves laws and regulations relating to the acquisition, storage and use of personally identifiable information. The concern for privacy is heightened by newsworthy cases in which major companies and financial institutions suffered thefts of critical personally identifiable information such as credit card numbers. It is important to note that while security and privacy are related, they are also distinct.
A key distinction is that security is primarily concerned with defending against attacks, not all of which are aimed at stealing data, while privacy is specifically related to personal data held by an organization, which may be endangered by negligence or software bugs, not necessarily by malevolent persons.
Typically, data protection requires imposing limitations on the use and accessibility of personally identifiable information, based on policies that are written by non-IT personnel, especially the Legal and Risk Management departments, which are consistent with applicable regulations and laws, and are approved at the highest levels of the organization. Enforcement of such limitations implies associated requirements to tag the data appropriately, store it securely and to permit access only by authorized users. This requires appropriate controls, which can be more challenging when the data is stored within a cloud service provider’s infrastructure. The ISO/IEC 27018 standard addresses the controls required for the protection of personally identifiable information.
THE EU-U.S. PRIVACY SHIELD
If any data is to be transferred to the USA, there is another option under discussion between the US and EU governments called the Privacy Shield (the replacement for and enhancement of Safe Harbor, which was struck down in October 2015).
The Privacy Shield is not yet fully operational at the time of writing this business case; however, the negotiators hope that it will be agreed and available by the end of 2016. Privacy Shield puts strong privacy obligations on the companies receiving the data, provides robust enforcement, clearer safeguards on US government access to that data and a redress mechanism for EU citizens, and any organization receiving data through this mechanism must not send it on to other organizations unless they also support the Privacy Shield principles.
US organizations will self-certify to Privacy Shield annually and the framework will be administered by the US Department of Commerce and Federal Trade Commission.
EU-U.S. Memorandum of Understanding
To support an innovative collaborative community of public and private-sector entities, including the suppliers of eHealth solutions, working toward the shared objective of developing, deploying, and using eHealth science and technology to empower individuals, support care, improve clinical outcomes, enhance patient safety and improve the health of populations.
Implementation of exceptions to net neutrality rules that allow Internet traffic for “specialized services” (for example in eHealth) to be given guaranteed “fast lane” capacity on broadband infrastructure. Modernisation of the e-Privacy Directive, which lays down additional privacy and confidentiality rules on electronic communications services (helping ensure confidentiality of services used for telemedicine).
Brexit and the GDPR
The main cloud providers in Ireland have their head offices in Ireland, hold their data primarily in Ireland, and do not house their DR or other sites in Great Britain (some have chosen Germany and Holland). There should therefore be no impact on data storage, disaster recovery or synchronous transfer of data outside the EU by any of these cloud service providers, as Great Britain is not used as a DR region. One of these cloud service providers has a data centre still under development in the UK, but it has not yet gone into live production (as of 15/02/2017). After any potential exit or invocation of Article 50, it is likely that Great Britain will want to remain a “safe place for data on EU individuals” and subsequently appear on the EU's list of countries with “adequate” data protection laws. If UK laws are amended to enact safeguards similar to the GDPR this could be the case; as of the time of writing this document, Britain is still a member of the EU.
Network and Information Security (NIS) Directive
New measures designed to ensure that critical IT systems in central sectors of the economy such as banking, energy, health and transport are secure were written into EU law on 17 May 2016. The Network and Information Security Directive came into force on 8 August 2016. Each EU member state now has 21 months to enforce the legislation, the deadline being May 2018. All national laws will be required to meet the new directive.
Additionally, each EU Member State will need to establish a national competent authority that will oversee implementation and enforcement, as well as Computer Security Incident Response Teams (CSIRTs) if they do not already exist. This is the first EU-wide piece of legislation on cyber-security, designed to strengthen strategic cooperation and information sharing. It requires companies to establish risk management procedures and to report any data breaches.
Data Security Policy
Security Policy Considerations:
Responsibility for handling particular security controls:
• For IaaS, more responsibility is likely to be with the business (e.g. for encrypting data stored on a cloud storage device).
• For SaaS, more responsibility is likely to be with the provider, since neither the stored data nor the application code is directly visible to or controllable by the business.
• PaaS cloud services present unique challenges in that responsibility is likely shared between the business and the provider. It is important to understand how each service used within the PaaS environment handles data security, including encryption as well as log file handling and administrative access. In addition, the business needs to know what obligations it retains and which features and configuration options of the PaaS service can facilitate data security.
Further Reading:
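The IaaS item above places the encryption of data held on a cloud storage device with the business rather than the provider. The following Go program is an added example written for this page; it is not code from Cloud First Company or from any cloud provider. It assumes a 256-bit key that stays with the business (generated inline here for the example; in practice it would come from the business's own key management) and stands in for the provider's object store with an in-memory map so that it runs offline. Each object is sealed with AES-GCM before it reaches the store, the ciphertext is bound to the object name so a blob copied under another name will not decrypt, and a tampered blob or a wrong key is rejected rather than silently returning garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ObjectStore stands in for the provider's storage service (hypothetical, for
// this example). It only ever receives ciphertext, so the provider, its backups
// and anyone who reads its disks cannot recover plaintext without the
// business-held key.
type ObjectStore map[string][]byte

// Encrypt seals plaintext under a 16/24/32-byte AES key with AES-GCM and
// prepends a fresh random nonce. aad is authenticated but not encrypted; the
// callers below pass the object name so the blob is bound to where it was written.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Blob layout: nonce || ciphertext || GCM authentication tag
	out := make([]byte, 0, len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. gcm.Open fails if the nonce, ciphertext, tag or
// aad differ from what was sealed, so tampering and misplacement are detected.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// PutEncrypted encrypts on the business side before anything is handed to the store.
func PutEncrypted(store ObjectStore, key []byte, name string, plaintext []byte) error {
	blob, err := Encrypt(key, plaintext, []byte(name))
	if err != nil {
		return err
	}
	store[name] = blob
	return nil
}

// GetDecrypted fetches a blob and decrypts it with the object name as aad.
func GetDecrypted(store ObjectStore, key []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("object %q not found", name)
	}
	return Decrypt(key, blob, []byte(name))
}

// ContainsPlaintext reports whether any stored blob contains needle verbatim,
// i.e. whether the provider could read that data straight off its storage.
func ContainsPlaintext(store ObjectStore, needle []byte) bool {
	for _, blob := range store {
		if bytes.Contains(blob, needle) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed for the example; in practice from the business's own key management
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store := ObjectStore{}
	record := []byte("subject=1234;email=person@example.invalid") // constructed sample personal data

	if err := PutEncrypted(store, key, "records/1234.json", record); err != nil {
		panic(err)
	}
	fmt.Println("provider can see plaintext:", ContainsPlaintext(store, record))

	got, err := GetDecrypted(store, key, "records/1234.json")
	fmt.Printf("business reads back: %q (err=%v)\n", got, err)

	// A blob copied under another name no longer matches its aad and is rejected.
	store["records/9999.json"] = store["records/1234.json"]
	_, err = GetDecrypted(store, key, "records/9999.json")
	fmt.Println("renamed copy decrypts:", err == nil)
}
```

The point of the example for the responsibility split is where the key lives: the store never holds it, so what the provider can lose, leak or be compelled to hand over is ciphertext only, and the business can later render the data unreadable by destroying the key, which also matters for the exit scenario discussed below.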
Considerations for a successful cloud Adoption
A cloud exit policy:
Should the business wish to change Cloud Service Provider or exit fully from the public cloud, it is important from a security perspective that once the business has completed the termination process, and “reversibility” is achieved, none of the cloud service business data should remain with the provider.
The provider must ensure that any copies of the data are permanently erased from its environment, wherever they may have been stored (including backup locations as well as online data stores). Note that cloud service derived data held by the provider may need “cleansing” of information relating to the business (e.g. logs and audit trails), although some jurisdictions may require retention of records of this type for periods specified by law.
The business must be able to ensure a smooth transition, without loss or breach of data. Thus the exit process must allow the business to retrieve its data in a suitably secure form; backups must be retained for agreed periods before being eliminated, and associated event logs and reporting data must also be retained until the exit process is complete. It is important to note that application development must not be tied to a particular Internet address space or vendor lock-in limitation, as explained earlier in this section.
Understand the security requirements of the exit process:
• Is there a documented exit process as part of the cloud service agreement?
• Is it clear that all business cloud service data is deleted from the provider’s environment at the end of the exit process?
• Is the business cloud service data protected against loss or breach during the exit process?
• What works or appraisals were cited?
Manage security terms in the cloud service agreement:
Since cloud computing typically involves two organizations – in this case the business and the Cloud service provider, the security responsibilities of each party must be made clear. The incorporation of a legal entity to ensure all enterprise agreements conform to business acceptable use policies is recommended.
Business I.T. Acceptable Use Policy:
A feature of any cloud service agreement relating to security is that any requirements placed on the cloud provider must also be passed on to any peer cloud service providers that the provider may use in order to supply any part of its service(s).
It should be explicitly documented in the cloud service agreement that providers must notify the business in a timely manner of the occurrence of any breach of their system, regardless of the parties or data directly impacted.
The provider should:
- Include specific pertinent information in the notification
- Stop the data breach as quickly as possible
- Restore secure access to the service as soon as possible
- Apply best-practice forensics in investigating the circumstances and causes of the breach
- Make long-term infrastructure changes to correct the root causes of the breach and ensure that it does not recur
- Due to the high financial and reputational costs resulting from a breach, the business may want the provider to compensate it if the breach was the provider's fault.
- An indemnification clause in the contract should not protect the provider from liability in the case of negligence.