SlideShare a Scribd company logo

Data protection in cloud computing - Data Protection Conference 2011

C
Cloud Legal Project

The document discusses data protection laws as they relate to cloud computing, addressing key questions such as what information is regulated, who is responsible for personal data, and applicable laws in disputes. It outlines concepts like cloud service models (SaaS, IaaS, PaaS), data storage challenges, and the implications of data processing in diverse jurisdictions. Key considerations include the risks of anonymization, encryption, and geographical control of data, emphasizing the complexities of ensuring compliance in cloud environments.

TechnologyBusiness
1 of 13
Downloaded 181 times
1
2
3
4
5
6
7
8
9
10
11
12
13
Data Protection 2011 Data Protection in the Clouds Data Protection 2011 24 February 2011 Data Protection in the Clouds Kuan Hon Cloud Legal Project Centre for Commercial Law Studies, Queen Mary, University of London www.cloudlegal.ccls.qmul.ac.uk / w.k.hon@qmul.ac.uk Introduction Cloud Legal Project Cloud terms of service analysis paper Questions we will tackle today – What information in the cloud is regulated under data protection laws? Who is responsible for personal data? Where is personal data processed? Whose laws apply in a dispute? Kuan Hon
Data Protection 2011 Data Protection in the Clouds Maturity - Gartner hype cycle Oct 2010 (as at Aug 2010) But first… what is cloud computing? • It usually involves the provision of scalable IT resources (data storage, application hosting, etc.) on demand, delivered via the internet • Cloud Legal Project definition: • Provides flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in response to demand. • Services (especially infrastructure) are abstracted and typically virtualised, generally being allocated from a pool shared as a fungible resource with other customers. • Charging, where present, is commonly on an access basis, often in proportion to the resources used. Kuan Hon
Data Protection 2011 Data Protection in the Clouds Government cloud – some recent papers ENISA - Security and Resilience in Governmental Clouds http://www.enisa.europa.eu/act/rm/emerging- and-future-risk/deliverables/security-and-resilience-in- governmental-clouds - p.41ff on data protection UK - G-Cloud Report: Data Centre Strategy G-Cloud and The Applications Store for Government - Commercial Strategy Team http://www.computerweekly.com/Articles/2011/02/07/245 289/G-Cloud-Report-Data-Centre-Strategy-G-Cloud- and-The-Applications-Store-for-Government- Commercial.htm - ANNEX C: Data Protection, including consideration of the US Patriot Act Kuan Hon
Data Protection 2011 Data Protection in the Clouds Key cloud computing concepts Virtualisation • Virtualisation = many things but in this context mainly involves multiple “virtual machines” running on shared hardware via the internet Kuan Hon
Data Protection 2011 Data Protection in the Clouds Data centers Massive data centres are being built, often containing sealed shipping containers, themselves containing pre-configured servers: “The trucks back ’em in, rack ’em and stack ’em” (Ray Ozzie: Microsoft’s former Chief Software Architect) Huge requirements for power / cooling / connectivity Google has patented a “water-based data center” - a system that includes “a floating platform-mounted computer data center comprising a plurality of computing units, a sea-based electrical generator in electrical connection with the plurality of computing units, and one or more sea-water cooling units for providing cooling to the plurality of computing units.” Google’s “water-based data center” So just when we thought we had identified all the technical, commercial and legal risks associated with outsourcing and offshore data processing … …we have to tackle maritime law …and the risk of meeting real pirates on the high seas! Kuan Hon
Data Protection 2011 Data Protection in the Clouds Types of service • Software as a Service (SaaS) (eg. Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google Apps, Microsoft Office 365; Facebook, Flickr) • Infrastructure as a Service (IaaS) = delivery of servers, software, storage, etc as a fully outsourced service, typically billed on a utility computing basis (eg. Amazon Web Services, Rackspace) • Platform as a Service (PaaS) = web-based environment for developing and deploying applications (eg. Google App Engine, Microsoft Windows Azure or Force.com which provides a set of tools and applications for customising the Salesforce.com apps) • Storage as a Service (also SaaS!) = convenient way of storing / backing-up data online (eg. box.net) • NB ecosystem of players – hardware, software, support, consultancy… Possible architectures From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt Kuan Hon
Data Protection 2011 Data Protection in the Clouds Deployment models: private, community, public and hybrid clouds… Data protection law issues Kuan Hon
Data Protection 2011 Data Protection in the Clouds Key features for data protection law purposes Storage and processing May be split up and geographically-distributed (might in practice to be local(ish), for latency reasons - but might not…) Sharding – data may be fragmented a fragment may contain personal data (or it may not?) Data replication Data deletion Design and access – encrypted? Can provider access user’s account? Internal controls on such access? Multiple parties possible – transparency? Other – shared “multi-tenant” infrastructure, eg. running same application instance, sharing same database; reliance on provider Foundational issues What information in the clouds is regulated under data protection laws? (“personal data”) Who is responsible for personal data? Where is personal data processed? Whose laws apply in a dispute? Issues may differ for cloud users, cloud providers and data subjects Kuan Hon
Data Protection 2011 Data Protection in the Clouds What is regulated - “personal data” in the clouds Not “personal data” = no data protection law restrictions Processing “anonymised” data in the cloud: By cloud user, after “anonymisation” eg. by aggregation By cloud provider – may be integral to business model Encrypted data – status? Key-coded data analogy. Pro Life Alliance; Craigdale. The “personal data” definition is critical – but insufficiently clear Anonymisation/encryption procedures – status? Source Informatics. Who is responsible for personal data in the cloud? Cloud user If data controller, remains data controller Cloud provider Metadata regarding cloud service usage, where cloud user is individual etc - provider is controller Personal data processed in the cloud by cloud user – what’s the provider’s status? o It depends on the facts! Advertising, sale… Kuan Hon
Data Protection 2011 Data Protection in the Clouds Who is actually responsible for data in clouds? “...you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” Q. Will that be good enough? A. It depends what the cloud user is going to use the service for (and how) Where is data stored - can you control where your data are stored in clouds? • It depends! • Some service providers can’t, for technical reasons, or won’t, for commercial reasons, let you choose • Other service providers are designing their clouds so as to offer customers a choice between ‘regions’ (eg. Amazon Web Services) • Other service providers, if asked, say they currently store customer data by default in the customer’s local region (eg. Decho Mozy Inc) • Geolocation may become a critical differentiator for customers concerned about where their data are stored (eg. because of disclosure risks associated with litigation or regulators) or subject to restrictions on data transfers (such as national rules based on Articles 25 + 26 of the DP Dir.) • An amorphous cloud may not be appropriate for regulated data, eg. if you don’t know where the data will be processed and by whom Kuan Hon
Data Protection 2011 Data Protection in the Clouds But… should location of data really matter? With storage virtualisation & sharding – will seizing one server necessarily afford access to intelligible data…? In practice, what may be more important is: whether the system’s design allows the cloud provider to access user data (eg. by logging into their account), cf. full encryption (where provider has no access to decryption key), and who can effectively assert jurisdiction over the provider (eg. the location of the provider, rather than of its servers) What about disclosure of cloud users’ data to third parties? Would a cloud user feel more comfortable signing up to this… “The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.” … or this? “You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.” Kuan Hon
Data Protection 2011 Data Protection in the Clouds Whose laws apply if you have a cloud dispute? Choice of law specified by cloud provider… Number * US State: California (most common), Massachusetts (Akamai), 15 Washington (Amazon), Utah (Decho), Texas (The Planet) English law, probably because service provider based there 4 English law, for customers in Europe / EMEA 4 Other EU jurisdictions (for European customers): eg. Ireland (Apple), 2 Luxembourg (some Microsoft services) Scottish law (Flexiant) 1 The customer’s local law 2 No choice of law expressed or implied, or ambiguous choice 3 (eg. “UK Law” for g.ho.st) * Number in each category is out of 31 contracts analysed by QMUL Cloud Legal Project http://www.cloudlegal.ccls.qmul.ac.uk/ In practice Location, location, location In some situations, choose only provider that allows zoning? Contract procurement process? the provider “stack” Contract terms – standard (multiple sources); negotiate? Including: Exclusions/disclaimers Disclosure/monitoring Data location Encryption, encryption, encryption Simple scenarios only – storage o NB has provider access to key? (eg. for indexing/searching) If cloud applications run on data – data must be decrypted before they can be worked on, currently Kuan Hon
Data Protection 2011 Data Protection in the Clouds Forthcoming papers Next few weeks – What data is regulated as “personal data” in cloud computing? Who is responsible for “personal data” in the cloud? Published - Information ownership in the cloud http://www.cloudlegal.ccls.qmul.ac.uk/Research/researchpapers/37187.html Cloud terms of service analysis http://www.cloudlegal.ccls.qmul.ac.uk/Research/researchpapers/37188.html Future – Law enforcement access (soon) International transfers of data Governance Thanks for listening! Any questions… Kuan Hon Cloud Legal Project, CCLS, Queen Mary, University of London w.k.hon@qmul.ac.uk www.cloudlegal.ccls.qmul.ac.uk (or http://bit.ly/cloudlegal) Kuan Hon

More Related Content

PPTX
Ryan_Holt_MS_Thesis_Project_Presentation
Ryan Holt
 
PPTX
Data security in cloud computing
Prince Chandu
 
PDF
DATA STORAGE SECURITY CHALLENGES IN CLOUD COMPUTING
ijsptm
 
PPTX
Ensuring data storage security in cloud computing
Uday Wankar
 
PPTX
Data security using rsa
LAKSHMI TEJA SAYABARAPU
 
PDF
Presentation on cloud computing security issues using HADOOP and HDFS ARCHITE...
Pushpa
 
PPT
Security Problem With Cloud Computing
Martin Bioh
 
PPTX
Security in cloud computing
Abhishek Kumar Sinha
 
Ryan_Holt_MS_Thesis_Project_Presentation
Ryan Holt
 
Data security in cloud computing
Prince Chandu
 
DATA STORAGE SECURITY CHALLENGES IN CLOUD COMPUTING
ijsptm
 
Ensuring data storage security in cloud computing
Uday Wankar
 
Data security using rsa
LAKSHMI TEJA SAYABARAPU
 
Presentation on cloud computing security issues using HADOOP and HDFS ARCHITE...
Pushpa
 
Security Problem With Cloud Computing
Martin Bioh
 
Security in cloud computing
Abhishek Kumar Sinha
 

What's hot (20)

PDF
Evaluation Of The Data Security Methods In Cloud Computing Environments
ijfcstjournal
 
PPTX
Security issues in cloud database
أحلام انصارى
 
PPTX
Data Confidentiality in Cloud Computing
Ritesh Dwivedi
 
PPTX
Data storage security in cloud computing
Sonali Jain
 
PPT
Cloud computing security
Akhila Param
 
PPTX
Ensuring data security in cloud computing. - Anusha Tuke
Anusha Chavan
 
PPT
Cloud Computing Security Issues
Discover Cloud Computing
 
PPT
security Issues of cloud computing
prachupanchal
 
PPTX
Security Issues in Cloud Computing
Jyotika Pandey
 
PPT
Data security in the cloud
IBM Security
 
PPT
Security in Cloud Computing
Ashish Patel
 
PPT
Cloud Computing - Security Benefits and Risks
William McBorrough
 
PPTX
Introduction to Cloud Computing and Security
Oran Epelbaum
 
PPTX
Authentication cloud
vidhya dharmarajan
 
PPTX
Cloud Computing Security Issues
Stelios Krasadakis
 
PPTX
Cloud computing and its security issues
Jyoti Srivastava
 
PPTX
Cloud Computing Security
Nithin Raj
 
PPTX
Cloud computing security issues and challenges
Dheeraj Negi
 
DOCX
Cloud Computing Security Issues in Infrastructure as a Service” report
Vivek Maurya
 
PPT
On technical security issues in cloud computing
sashi799
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
ijfcstjournal
 
Security issues in cloud database
أحلام انصارى
 
Data Confidentiality in Cloud Computing
Ritesh Dwivedi
 
Data storage security in cloud computing
Sonali Jain
 
Cloud computing security
Akhila Param
 
Ensuring data security in cloud computing. - Anusha Tuke
Anusha Chavan
 
Cloud Computing Security Issues
Discover Cloud Computing
 
security Issues of cloud computing
prachupanchal
 
Security Issues in Cloud Computing
Jyotika Pandey
 
Data security in the cloud
IBM Security
 
Security in Cloud Computing
Ashish Patel
 
Cloud Computing - Security Benefits and Risks
William McBorrough
 
Introduction to Cloud Computing and Security
Oran Epelbaum
 
Authentication cloud
vidhya dharmarajan
 
Cloud Computing Security Issues
Stelios Krasadakis
 
Cloud computing and its security issues
Jyoti Srivastava
 
Cloud Computing Security
Nithin Raj
 
Cloud computing security issues and challenges
Dheeraj Negi
 
Cloud Computing Security Issues in Infrastructure as a Service” report
Vivek Maurya
 
On technical security issues in cloud computing
sashi799
 
Ad

Similar to Data protection in cloud computing - Data Protection Conference 2011 (20)

PDF
Cloud Webinar Neiditz Weitz Mitchell Goodman
jonneiditz
 
PDF
Klibel5 law 7
KLIBEL
 
PPTX
Executive Briefing: Strategic Issues Surrounding Cloud Services
WhitmeyerTuffin
 
PDF
Cloud Computing Contracts and Services: What's Really Happening Out There? T...
Cloud Legal Project
 
PDF
The Complexities of Cloud Computing - The Rules are New, But is the Game
Janine Anthony Bowen, Esq.
 
PDF
Taking Account of Privacy When Designing Cloud Computing Services
white paper
 
PDF
Cloud Computing Contracts and Services: What’s Really Happening Out There?
Cloud Legal Project
 
PDF
Legal issues in the cloud renzo marchini & gene landy
IFCLA - International Federation of Computer Law Associations
 
PPTX
Slides 530 a2
onlineservice530
 
PDF
Data Protection Jurisdiction and International Transfers in Cloud Computing
Cloud Legal Project
 
PDF
Cloud computing: identifying and managing legal risks
Cloud Legal Project
 
PDF
Cloud Computing Risk Management (Multi Venue)
Brian K. Dickard
 
PDF
Cloud computing pros and cons for computer forensic investigations
poojagupta010
 
PDF
Bird&Bird
Frits Bussemaker
 
PDF
International Journal of Computational Engineering Research(IJCER)
ijceronline
 
PPT
Cloudcomputingoct2009 100301142544-phpapp02
abhisheknayak29
 
PDF
Cloud computing security from single to multi clouds
Cholavaram Sai
 
PPT
Risks and Benefits of Cloud Computing
DLA Piper (Canada) LLP
 
PDF
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
ikanow
 
PDF
Cloud Computing 101 Workshop Sample
Alan Quayle
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
jonneiditz
 
Klibel5 law 7
KLIBEL
 
Executive Briefing: Strategic Issues Surrounding Cloud Services
WhitmeyerTuffin
 
Cloud Computing Contracts and Services: What's Really Happening Out There? T...
Cloud Legal Project
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
Janine Anthony Bowen, Esq.
 
Taking Account of Privacy When Designing Cloud Computing Services
white paper
 
Cloud Computing Contracts and Services: What’s Really Happening Out There?
Cloud Legal Project
 
Legal issues in the cloud renzo marchini & gene landy
IFCLA - International Federation of Computer Law Associations
 
Slides 530 a2
onlineservice530
 
Data Protection Jurisdiction and International Transfers in Cloud Computing
Cloud Legal Project
 
Cloud computing: identifying and managing legal risks
Cloud Legal Project
 
Cloud Computing Risk Management (Multi Venue)
Brian K. Dickard
 
Cloud computing pros and cons for computer forensic investigations
poojagupta010
 
Bird&Bird
Frits Bussemaker
 
International Journal of Computational Engineering Research(IJCER)
ijceronline
 
Cloudcomputingoct2009 100301142544-phpapp02
abhisheknayak29
 
Cloud computing security from single to multi clouds
Cholavaram Sai
 
Risks and Benefits of Cloud Computing
DLA Piper (Canada) LLP
 
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
ikanow
 
Cloud Computing 101 Workshop Sample
Alan Quayle
 
Ad

Recently uploaded (20)

PPTX
Simple and concise overview about Quantum computing..pptx
mughal641
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
Software Development Methodologies in 2025
KodekX
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PPTX
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
PDF
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
PDF
Doc9.....................................
SofiaCollazos
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
Simple and concise overview about Quantum computing..pptx
mughal641
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
Software Development Methodologies in 2025
KodekX
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
The Future of Artificial Intelligence (AI)
Mukul
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
Doc9.....................................
SofiaCollazos
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 

Data protection in cloud computing - Data Protection Conference 2011

  • 1. Data Protection 2011 Data Protection in the Clouds Data Protection 2011 24 February 2011 Data Protection in the Clouds Kuan Hon Cloud Legal Project Centre for Commercial Law Studies, Queen Mary, University of London www.cloudlegal.ccls.qmul.ac.uk / [email protected] Introduction Cloud Legal Project Cloud terms of service analysis paper Questions we will tackle today – What information in the cloud is regulated under data protection laws? Who is responsible for personal data? Where is personal data processed? Whose laws apply in a dispute? Kuan Hon
  • 2. Data Protection 2011 Data Protection in the Clouds Maturity - Gartner hype cycle Oct 2010 (as at Aug 2010) But first… what is cloud computing? • It usually involves the provision of scalable IT resources (data storage, application hosting, etc.) on demand, delivered via the internet • Cloud Legal Project definition: • Provides flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in response to demand. • Services (especially infrastructure) are abstracted and typically virtualised, generally being allocated from a pool shared as a fungible resource with other customers. • Charging, where present, is commonly on an access basis, often in proportion to the resources used. Kuan Hon
  • 3. Data Protection 2011 Data Protection in the Clouds Government cloud – some recent papers ENISA - Security and Resilience in Governmental Clouds http://www.enisa.europa.eu/act/rm/emerging- and-future-risk/deliverables/security-and-resilience-in- governmental-clouds - p.41ff on data protection UK - G-Cloud Report: Data Centre Strategy G-Cloud and The Applications Store for Government - Commercial Strategy Team http://www.computerweekly.com/Articles/2011/02/07/245 289/G-Cloud-Report-Data-Centre-Strategy-G-Cloud- and-The-Applications-Store-for-Government- Commercial.htm - ANNEX C: Data Protection, including consideration of the US Patriot Act Kuan Hon
  • 4. Data Protection 2011 Data Protection in the Clouds Key cloud computing concepts Virtualisation • Virtualisation = many things but in this context mainly involves multiple “virtual machines” running on shared hardware via the internet Kuan Hon
  • 5. Data Protection 2011 Data Protection in the Clouds Data centers Massive data centres are being built, often containing sealed shipping containers, themselves containing pre-configured servers: “The trucks back ’em in, rack ’em and stack ’em” (Ray Ozzie: Microsoft’s former Chief Software Architect) Huge requirements for power / cooling / connectivity Google has patented a “water-based data center” - a system that includes “a floating platform-mounted computer data center comprising a plurality of computing units, a sea-based electrical generator in electrical connection with the plurality of computing units, and one or more sea-water cooling units for providing cooling to the plurality of computing units.” Google’s “water-based data center” So just when we thought we had identified all the technical, commercial and legal risks associated with outsourcing and offshore data processing … …we have to tackle maritime law …and the risk of meeting real pirates on the high seas! Kuan Hon
  • 6. Data Protection 2011 Data Protection in the Clouds Types of service • Software as a Service (SaaS) (eg. Oracle CRM on demand; Gmail, Hotmail, Yahoo! Mail; Google Apps, Microsoft Office 365; Facebook, Flickr) • Infrastructure as a Service (IaaS) = delivery of servers, software, storage, etc as a fully outsourced service, typically billed on a utility computing basis (eg. Amazon Web Services, Rackspace) • Platform as a Service (PaaS) = web-based environment for developing and deploying applications (eg. Google App Engine, Microsoft Windows Azure or Force.com which provides a set of tools and applications for customising the Salesforce.com apps) • Storage as a Service (also SaaS!) = convenient way of storing / backing-up data online (eg. box.net) • NB ecosystem of players – hardware, software, support, consultancy… Possible architectures From http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt Kuan Hon
  • 7. Data Protection 2011 Data Protection in the Clouds Deployment models: private, community, public and hybrid clouds… Data protection law issues Kuan Hon
  • 8. Data Protection 2011 Data Protection in the Clouds Key features for data protection law purposes Storage and processing May be split up and geographically-distributed (might in practice to be local(ish), for latency reasons - but might not…) Sharding – data may be fragmented a fragment may contain personal data (or it may not?) Data replication Data deletion Design and access – encrypted? Can provider access user’s account? Internal controls on such access? Multiple parties possible – transparency? Other – shared “multi-tenant” infrastructure, eg. running same application instance, sharing same database; reliance on provider Foundational issues What information in the clouds is regulated under data protection laws? (“personal data”) Who is responsible for personal data? Where is personal data processed? Whose laws apply in a dispute? Issues may differ for cloud users, cloud providers and data subjects Kuan Hon
  • 9. Data Protection 2011 Data Protection in the Clouds What is regulated - “personal data” in the clouds Not “personal data” = no data protection law restrictions Processing “anonymised” data in the cloud: By cloud user, after “anonymisation” eg. by aggregation By cloud provider – may be integral to business model Encrypted data – status? Key-coded data analogy. Pro Life Alliance; Craigdale. The “personal data” definition is critical – but insufficiently clear Anonymisation/encryption procedures – status? Source Informatics. Who is responsible for personal data in the cloud? Cloud user If data controller, remains data controller Cloud provider Metadata regarding cloud service usage, where cloud user is individual etc - provider is controller Personal data processed in the cloud by cloud user – what’s the provider’s status? o It depends on the facts! Advertising, sale… Kuan Hon
  • 10. Data Protection 2011 Data Protection in the Clouds Who is actually responsible for data in clouds? “...you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” Q. Will that be good enough? A. It depends what the cloud user is going to use the service for (and how) Where is data stored - can you control where your data are stored in clouds? • It depends! • Some service providers can’t, for technical reasons, or won’t, for commercial reasons, let you choose • Other service providers are designing their clouds so as to offer customers a choice between ‘regions’ (eg. Amazon Web Services) • Other service providers, if asked, say they currently store customer data by default in the customer’s local region (eg. Decho Mozy Inc) • Geolocation may become a critical differentiator for customers concerned about where their data are stored (eg. because of disclosure risks associated with litigation or regulators) or subject to restrictions on data transfers (such as national rules based on Articles 25 + 26 of the DP Dir.) • An amorphous cloud may not be appropriate for regulated data, eg. if you don’t know where the data will be processed and by whom Kuan Hon
  • 11. Data Protection 2011 Data Protection in the Clouds But… should location of data really matter? With storage virtualisation & sharding – will seizing one server necessarily afford access to intelligible data…? In practice, what may be more important is: whether the system’s design allows the cloud provider to access user data (eg. by logging into their account), cf. full encryption (where provider has no access to decryption key), and who can effectively assert jurisdiction over the provider (eg. the location of the provider, rather than of its servers) What about disclosure of cloud users’ data to third parties? Would a cloud user feel more comfortable signing up to this… “The Receiving Party [Salesforce.com] may disclose Confidential Information of the Disclosing Party [the customer] if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.” … or this? “You authorize ADrive to disclose any information about You to law enforcement or other government officials as ADrive, in its sole discretion, believes necessary, prudent or appropriate, in connection with an investigation of fraud, intellectual property infringement, or other activity that is illegal or may expose ADrive to legal liability.” Kuan Hon
  • 12. Data Protection 2011 Data Protection in the Clouds Whose laws apply if you have a cloud dispute? Choice of law specified by cloud provider… Number * US State: California (most common), Massachusetts (Akamai), 15 Washington (Amazon), Utah (Decho), Texas (The Planet) English law, probably because service provider based there 4 English law, for customers in Europe / EMEA 4 Other EU jurisdictions (for European customers): eg. Ireland (Apple), 2 Luxembourg (some Microsoft services) Scottish law (Flexiant) 1 The customer’s local law 2 No choice of law expressed or implied, or ambiguous choice 3 (eg. “UK Law” for g.ho.st) * Number in each category is out of 31 contracts analysed by QMUL Cloud Legal Project http://www.cloudlegal.ccls.qmul.ac.uk/ In practice Location, location, location In some situations, choose only provider that allows zoning? Contract procurement process? the provider “stack” Contract terms – standard (multiple sources); negotiate? Including: Exclusions/disclaimers Disclosure/monitoring Data location Encryption, encryption, encryption Simple scenarios only – storage o NB has provider access to key? (eg. for indexing/searching) If cloud applications run on data – data must be decrypted before they can be worked on, currently Kuan Hon
  • 13. Data Protection 2011 Data Protection in the Clouds Forthcoming papers Next few weeks – What data is regulated as “personal data” in cloud computing? Who is responsible for “personal data” in the cloud? Published - Information ownership in the cloud http://www.cloudlegal.ccls.qmul.ac.uk/Research/researchpapers/37187.html Cloud terms of service analysis http://www.cloudlegal.ccls.qmul.ac.uk/Research/researchpapers/37188.html Future – Law enforcement access (soon) International transfers of data Governance Thanks for listening! Any questions… Kuan Hon Cloud Legal Project, CCLS, Queen Mary, University of London [email protected] www.cloudlegal.ccls.qmul.ac.uk (or http://bit.ly/cloudlegal) Kuan Hon

Editor's Notes

  • #20: ‘ Amazon Web Services Customer Agreement’ Clause 7.2, available online at http:// aws.amazon.com/agreement/