Cloud-10 User Privacy and Secondary Usage of Data

From OWASP
Jump to: navigation, search

R5 - User Privacy and Secondary Usage of Data

Privacy is local but the data flows within a Cloud are global. And yet the individuals and regulations expect and demand that their local expectations can be met in shared/global Cloud [1].


What is privacy data?

Data that uniquely identifies an individual and his/her behavior and activities. Different countries and regions have different privacy regulations.

Google and other social sites collect privacy data and leverage it.

How it can be lost?

User is unaware of how

Privacy policy of Google

Data no longer resides within the physical premises of the enterprise creating ineffective network boundary controls. This shift demonstrates the need for data centric security models and extends trust boundaries with the Cloud Service Providers (CSP). In addition, privacy and regulatory compliance requirements that drive stronger internal security controls such as Sarbanes-Oxley (SOX), Payment Card Industry (PCI), and Health Insurance Portability and Accountability Act (HIPAA) get extended to the CSP. With the exponential growth in collaboration spaces and use of social media, privacy concerns are the main focus in security discussions; however, business leaders want to reap the benefits of cloud computing without changing their risk appetite. Business leaders must balance the lower cost-of-ownership, improved functionality, and time-to-market advantages against privacy and data protection requirements. This presentation will provide information and methodologies on how an enterprise can manage security and privacy risks while adopting cloud computing. One of the biggest challenges in cloud computing is to minimize the enterprise risk. First step is to assess and scope the privacy requirements of the data managed in the cloud infrastructure. Privacy assessments for CSPs need to take into consideration the existing security controls including physical storage and distribution of data across the cloud. While working on different security initiatives, authors have designed an assessment methodology using a "Privacy Security Matrix". This matrix maps PII data elements to the required regional security controls. It is important to translate security and privacy requirements and agreements with CSPs into SLAs and uphold the providers to deliver on them. Also, enterprises may need to update privacy policies and communicating to the user community (which company lawyers and HR does not like). Finally, for ongoing risk management and compliance, an effective monitoring and auditability program that extends to the cloud provider is essential. This program should have specific and measurable criteria in order to ensure the effectiveness of the privacy and security program. In summary, authors’ first- hand experience in evaluating CSPs for security and privacy risks, and the methodologies that they have developed will help potential and existing users of cloud computing to learn how to effectively manage security and privacy risks while adopting cloud.


Reference

[1] . http://www.privacyconference2007.gc.ca/workbooks/pres_infosession1_01_abrams_e.pdf




Risks

[edit]

Google China incident.