The Impact of Cloud: Cloud Computing Security and Privacy
2. “Technological advances, combined with the ubiquity of
the Internet, have spawned a near-infinite range of
potentially grave security threats to governments,
commercial entities and individuals.”
Paul Rosenzweig
4. Can we still trust the “cloud”?
What are the local laws that govern data being
collected, transferred and stored?
6. SENSITIVE DATA IN THE CLOUD
More data, more storage
Personally identifiable information examples
• Credit card information
• Medical records
• Tax records
• Customer account records
• Human resources information
• Banking and insurance records
• Browsing history, emails and other communication
7. CLOUD SECURITY - STAKEHOLDERS
Data collector/owner
Cloud service providers
• Outsourcing: How to select a cloud vendor?
• How to maintain direct control to safeguard data integrity?
• How to satisfy data residency and privacy requirements
• How to remain flexible and provide cost-effective service?
Regulator
• Formulation of relevant standards and practices
• How to ensure adoption and compliance?
• Would sensitive data end up overseas?
Customers/end-users
• Are my data safe in the cloud?
• Would I know if there is security or privacy breach?
8. ISSUES ON CLOUD SECURITY
Security
• Is the data protected from theft, leakage, spying or attacks?
• What is the level of control and protection?
Residency
• Where is the data stored? Geographically dispersed?
• What to do with data in transit & outside territory?
Privacy
• Who can see personally identifiable information (PII)?
• Storing, transferring, locating and protecting PII
9. Challenges of cloud and security
• Info on 3rd party service and distributed infrastructure
• Deliver resiliency, availability and flexibility of cloud services
• Maintaining ownership and control of data
10. COMPLIANCE REQUIREMENTS
• Some countries have laws restricting storage of data
outside their physical country borders: India, Switzerland,
Germany, Australia, South Africa and Canada
• EU: Data Protection Directive; Safe Harbor Principles – no
sending PII outside European Economic Area unless
protections guaranteed
• USA: US Patriot Act, 40+ states have breach notification
laws (25 states have exemption for encrypted personal
data)
• Canada: Freedom of Information and Protection of Privacy
Act
11. HONG KONG
• Section 33(2)(f) of Personal Data (Privacy) Ordinance
• Forming standards through HK/Guangdong Expert
Committee on Cloud Computing Services and
Standards
• Guidelines and information via infocloud.gov.hk
12. INTERCEPTION OF COMMUNICATIONS:
REGULATIONS IN HK
• Article 30 of the Basic Law: freedom and privacy of
communication of Hong Kong residents shall be protected
by law
• Law enforcement agencies: Interception of
Communications and Surveillance Ordinance (Cap 589)
• Non-public officers and non-governmental bodies:
Telecommunications Ordinance (s24, s27, s29), Personal
Data (Privacy) Ordinance, s161 of Crimes Ordinance
13. TWO ISSUES TO THINK ABOUT
- Data residency: Transfer of personal information or
moving data storage device outside of local
jurisdiction
- Data encryption: Data should be encrypted before
being sent to the cloud, and the data owner should
retain the encryption keys
14. KEY QUESTIONS TO ASK
• What do we need? What is our goal?
• Where are the risks?
• What are the systems, processes, policies and
practices we need to mitigate risks?
• How to protect our data assets and keep cloud
platform secure?
• How to ensure transparency and compliance?
• How to evaluate potential cloud service providers?
15. CRITICAL AREAS
Governance
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
Operation
• Traditional Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification and Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
16. PLANNING AHEAD:
STRATEGIC APPROACH
• Service models: SaaS, PaaS, IaaS?
• Multiple layers:
Physical security (facilities)
Network security (infrastructure)
System security (IT systems)
Application and data security
17. IDENTIFY, LOCATE AND DEFINE THE RISKS
Identification and valuation of assets
Identification and analysis of threats and vulnerabilities
Risk and incident scenarios
Analysis of the likelihoods of scenarios, risk acceptance levels and criteria
Risk treatment plans with multiple options (control, avoid, transfer, accept)
18. CONSISTENCY BETWEEN
YOU AND YOUR PROVIDER
• Alignment of impact analysis criteria and definition
of likelihood
• Specify assessment and risk management
requirements, e.g. vulnerability assessment, audit logs,
activity monitoring
• Detailed in Service Level Agreements, contract
requirements, and provider documentation
19. OPERATION: KEY AREAS
• Disaster Recovery and Business Continuity
• Breach notification and data residency
• Data management at rest
• Data protection in motion
• Encryption key management
• Identification and Access controls
• Long-term resiliency of the encryption system
20. Charles Mok
Legislative Councillor (Information Technology)
charles@charlesmok.hk
www.charlesmok.hk
Facebook: Charles Mok B
Twitter: @charlesmok