Data Privacy and Security for Market Research in the Cloud

Academic year: 2021

Data Privacy and Security for Market Research in the Cloud

Peter Milla

Agenda

1. Background

2. Why the Cloud?

3. Data Privacy and Data Security in the Cloud

The Cloud…

• Is exploding

• Can offer real advantages/benefits

• Can present real compliance challenges

• Attractive to business, especially SMBs…

• An area where MR companies are looking to outsourcing…

In the Simplest Terms…

• Cloud computing means storing/accessing data and programs on/over the Internet instead of your computer's hard drive or local area network storage

• The cloud is just a metaphor for the Internet

• It goes back to the days of flowcharts that represented the large server-farm infrastructure of the Internet as a puffy, white cumulonimbus cloud…

What Really is Cloud Computing (to the Business)?

• Cloud computing is a new computing paradigm, involving data and/or computational outsourcing with:

– Infinite and elastic resource scalability

– On demand “just-in-time” provisioning

– No upfront cost, pay-as-you-go (in general)

• That is, use as much or as little as you need, use only

Major Cloud Deployment Models

Note: Another model is a Community Cloud where infrastructure is shared between several organizations

Public Cloud Type Evolution

• Public Cloud:

– Credit card-based

– No/very limited transparency

• Enterprise Cloud (also Virtual Private Cloud):

– Deeper commercial relationship

– Logical segregation

Small Medium Businesses (SMBs)

• Enthusiastic adoption

• Cloud providers provide better security than SMBs. Amazon Web Services’ compliance programs include:

– ISO 27001

– SOC 2

– PCI DSS Level 1

– HIPAA

• Considered often as perhaps the only alternative by

Benefits for Cloud Customers

1. Cost:

– Very attractive, particularly to SMBs

2. Integration:

– Integration to take place across infrastructure services, data, management, identity and development

3. Investment:

– OpEx vs. CapEx

– Can simplify IT asset management

4. Scalability:

Benefits for Cloud Customers (continued)

5. Speed to deployment:

– Can be hours vs. weeks

6. Flexibility:

– Can add new services easily

7. Security:

Benefits for Cloud Providers

1. Increased utilization of data center resources

2. More clients per square foot, per kilowatt hour

3. More clients per staff person

About selling “X as a service:”

IaaS: Selling virtualized hardware

PaaS: Selling access to a configurable platform/API

SaaS: Selling software that runs on top of the cloud

But it is Not Just About Privacy

• Integrity:

– How do I know that the cloud provider is doing the computations correctly/not tampering with data?

• Availability:

– Will critical systems go down if the provider is attacked?

– What happens if the provider goes out of business?

• Increased attack “surface:”

– External entity now stores and computes data

– Attackers can now also target the communication link between the provider and the client

But it is Not Just About Privacy (continued)

• Auditability and forensics:

– May be difficult to audit data outside the organization in a cloud

• Legal issues and transitive trust issues:

– Responsibility for regulations

– If cloud provider subcontracts to a third party, will data be

Data Privacy and Data Security in the Cloud

• Protecting personal data depends on safeguards supplied by the cloud purchaser and the cloud provider – responsibilities must be clear

• Privacy obligations don’t change if data is stored in the cloud

• As with all other outsourcing use cases, you can’t outsource accountability and risk

• Certifications like ISO 27001 can help companies enable

Reasons to be Concerned

1. Who is looking at your data?

2. Cyber attacks

3. Insider threats

4. Government intrusion

5. Legal liability

6. Lack of standardization (cloud security)

7. Lack of support

Myths and Clarifications about Cloud Privacy

Concern   Clarification

PII in cloud against the law   PII in cloud is not illegal

Data abroad is forbidden

Must store in country

Legal/IT conflict

Cross-border can be illegal

Often client or requirement of law/regulation

Not overseas because of foreign surveillance

Monitoring is everywhere

Technical and legal controls are required

Think Risk!

• Need to think beyond technology, checklists and compliance

• For example, only a properly configured firewall can be used to configure a network

• A cloud solution can be used to achieve compliance only if acceptable to all stakeholders:

– Research provider

– Legislators/regulators

Cloud Privacy Risks

• Certain types of data may trigger specific obligations under national and local law

• Vendor issues:

– Organizations may not be aware they are using cloud-based vendors

– Due diligence still required

– Data security is still the responsibility of the customer

– SLAs need to account for access, correction and privacy rights

How do We Deal with It? (Measures Include…)

1. Build privacy into technology (“Privacy by Design”)

2. Implement privacy compliance (federal, state, local law and regulation, EU Data Protection framework, etc.), MR industry codes

3. Exercise due diligence, including Risk Assessments, Privacy Impact Assessments, etc.

4. Develop a breach management plan

Contractual Provisions to Consider Include…

1. Service provider must not use PII except as necessary in providing services

2. Provider must not improperly disclose PII

3. Provider must employ safeguards to ensure PII is retained, transferred and disposed of securely

4. Provider must notify the organization immediately of any order or other requirement to compel production of PII

5. Provider must notify the organization immediately if PII

Contractual Provisions to Consider Include… (continued)

6. Implement an oversight and monitoring program, including audits of the provider’s compliance with the terms of the agreement

7. No one on behalf of provider should have access to PII unless that person agrees to comply with restrictions in the agreement

Key Takeaways

• Think Risk!

– You can outsource services, but not accountability

– Do risk assessments

• Build privacy in and align privacy and security functions

• Conduct proper due diligence on your cloud providers

• Ensure you have the appropriate security technology in place

• Ensure you have the appropriate contractual provisions in

Data Privacy and Security for Market Research in the Cloud

Peter Milla

IIeX2015NA
