programming4us

Changes to Privacy Risk Management and Compliance in Relation to Cloud Computing

12/6/2010 9:08:57 AM
The following topics describe analysis of the potential impact of cloud computing on the key OECD and other common privacy principles.

1. Collection Limitation Principle

This principle specifies that collection of personal data should be limited to the minimum amount of data required for the purpose for which it is collected. Any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

In the privacy arena, lack of specifics on data collection with providers creates misunderstandings down the road. For instance, one global outsourcer said, “Clients come in expecting the right things in security, but the wrong things in privacy. They are expecting best practices, but they don’t know what they are.” There are comprehensive security frameworks and standards (such as the ISO 27000 series, NIST guidelines, etc.), and organizations know how to implement them. There is no universally adopted privacy standard—instead, there are conflicting laws, regulations, and views on what privacy is and what it requires from organizations to protect it. Many organizations want to do what they perceive to be “the right thing”; however, their perception may be different from the law. As a result, there may be different expectations regarding what privacy means between the organization and the CSP, and no agreed best practices.

It is essential that service-level agreements (SLAs) are defined before any information is provided or shared, because it is very hard to negotiate them later. If you start the request for proposal (RFP) process with an SLA target, you will be able to disqualify providers who cannot meet your stated needs. Well-defined security and privacy SLAs should be part of the statement of work (SOW). Ensure that your SLAs have teeth, with specific penalty clauses. Do not cede command of service-level negotiation to the provider.

Moreover, organizations face the risk that, as different data elements about individuals are collected and later merged, the combined information is more than is needed for the original purpose, and the organization may be in potential violation of local laws.

2. Use Limitation Principle

This principle specifies that personal data should not be disclosed, made available, or otherwise used for purposes other than those with the consent of the data subject, or by the authority of law.

Cloud computing places a diverse collection of user and business information in a single location. As data flows through the cloud, strong data governance is needed to ensure that the original purpose of collection and limitation on use is attached to the data. This is critical when organizations create a centralized database, because future applications can easily combine the data via expanded views that are utilized for new purposes never approved by data subjects.

The ability to combine data from multiple sources increases the risk of unexpected uses by governments. Governments in different countries could ask CSPs to report on particular types of behaviors or to monitor activities of particular types or categories of users. The possibility that a CSP could be obliged to inform a government or a third party about user activities might be troubling to the provider as well as to its users.

3. Security Principle

Security is one of the key requirements to enable privacy. This principle specifies that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

4. Retention and Destruction Principle

This principle specifies that personal data should not be retained for longer than needed to perform the task for which it was collected, or as required by laws or regulations. Data should be destroyed in a secure way at the end of the retention period.

How long data should be retained and when it should be destroyed is still a challenge for most companies. Data growth has led to definitions of policies and procedures for data retention and destruction. Most policies have been driven or imposed by legislation and regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act (SOX), and other federal and state compliance requirements.

The actual deletion process is sometimes loosely defined. But when data copies, data backups, or archives are deleted, are they really gone? Deleting a file only marks the space (or blocks) it occupies as usable. Until the blocks are actually overwritten, the data is still there and can be retrieved. In fact, the disk space occupied by deleted files must be overwritten with other data several times before the entirety of the files is deemed irretrievable (a minimum of seven times per the U.S. federal government’s guidelines).

In many cases, disk or tape media is reused to store more data; therefore, data deletion typically does not constitute much of an issue. However, when leased IT assets, such as servers or disk arrays, must be returned, when obsolete systems are replaced, or when storage media has reached end-of-life, special care must be taken to ensure that any data once stored is irretrievable.

Encryption can play a key role in the destruction process. Even when organizations lose track of their data, encrypted data can be destroyed by destroying the encryption key: the data can no longer be decrypted and hence is rendered inaccessible. This is especially beneficial when the data is kept by CSPs, because encrypted data can be destroyed without the involvement of the CSPs.

The problem begins when there is a lack of clearly defined policies around data destruction in cloud computing. Virtual storage devices can be reallocated to new users without the data first being deleted. Personal information stored on such a device may then be available to the new user, potentially violating individual rights, laws, and regulations. Servers or disks can be decommissioned without much thought as to whether data is still accessible. There are several approved methods of data destruction, including media destruction, disk degaussing, multiple data overwrites with random byte patterns, and destruction of keying material for encrypted data.
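
Destruction of keying material, as described above, can be sketched as follows. This is an added example, not code from the original text: the `KeyVault` class, the dictionaries standing in for CSP storage, and the sample record are all constructed for illustration, and the HMAC-based cipher is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted AEAD (e.g. AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class KeyVault:
    """Per-data-subject keys, held by the data owner and never sent to the CSP."""
    def __init__(self):
        self._keys = {}
    def key_for(self, subject: str) -> bytes:
        return self._keys.setdefault(subject, secrets.token_bytes(32))
    def get(self, subject: str) -> bytes:
        return self._keys[subject]          # KeyError once shredded
    def shred(self, subject: str) -> None:
        self._keys.pop(subject, None)       # destruction needs no CSP cooperation

def demo():
    vault, csp_disk, csp_backup = KeyVault(), {}, {}   # dicts simulate CSP storage
    record = b"subject=42;name=Alice Example;diagnosis=constructed"
    blob = seal(vault.key_for("42"), record)
    csp_disk["42"] = csp_backup["42"] = blob           # a copy the owner may lose track of
    readable_before = unseal(vault.get("42"), csp_backup["42"]) == record
    vault.shred("42")
    try:
        vault.get("42")
        readable_after = True
    except KeyError:
        readable_after = False
    return readable_before, readable_after, csp_backup["42"]
```

The ciphertext copies remain on the provider's disks and backups, but they are unreadable once the key is gone. This holds only if every copy of the key, including key backups and escrow, is destroyed and the key was never shared with the CSP.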

5. Transfer Principle

This principle specifies that data should not be transferred to countries that don’t provide the same level of privacy protection as the organization that collected the information.

In a cloud computing environment, infrastructure is shared between organizations; therefore, there are threats associated with the fact that the data is stored and processed remotely, and there is increased sharing of platforms between users, which increases the need to protect privacy of data stored in the cloud. Another feature of cloud computing is that it is a dynamic environment; for example, service interactions can be created in a more dynamic way than in traditional e-commerce. Services can potentially be aggregated and changed dynamically by customers, and service providers can change the provisioning of services. In such scenarios, personal and sensitive data can move around within a single CSP infrastructure and across CSP organizational boundaries. The goal of integrated services provided by multiple CSPs is to enhance the possibility of data transfer to third parties. This transfer should be disclosed to the data subject prior to collection. In many cases there is a need for unambiguous consent by the individual to the data transfer. Typically the organization is required to agree to the provider’s standard terms of service without any scope for negotiation. The terms are likely to be biased in the provider’s favor, and the organization may not know all the entities that are involved in the process, and hence is rendered unable to provide an accurate notice to the data subjects.

The transfer challenge is further complicated because data can be anywhere in the world—usually, a company computing in the cloud does not know in what country its data resides at any given time. Instead of its data being stored on the company’s servers, data is stored on the service provider’s servers, which could be in Europe, China, or anywhere else. This tenet of cloud computing conflicts with various legal requirements, such as the European laws that require that a company know where the personal data in its possession is at all times, and there may be a need to report to data protection authorities on the data transfer. In some cases there may be a need to preapprove the transfer by data subjects.

The U.S. Safe Harbor Program—perhaps the most common means of compliance with EU requirements imposed when transferring the personal data of EU citizens to the United States—may not satisfy a multinational’s EU legal obligations, because in cloud computing data could be stored on servers outside of both Europe and the United States, making the Safe Harbor Program ineffective. Furthermore, the Safe Harbor option may not be available for certain organizations not regulated by the Federal Trade Commission, such as those in the financial services industry. This may be the case even if the CSP is registered under the Safe Harbor Program.

One cloud computing application service provider (ASP) offers its customers the option to store their data only on European servers (for a higher fee, naturally). However, it is an impractical solution because it limits the very flexibility and efficiency that cloud computing is designed to provide. Given the enormous potential and benefits of computing in the cloud, it seems that, once again, the law needs to catch up with technology.

6. Accountability Principle

This principle states that an organization is responsible for personal information under its control and should designate an individual or individuals who are accountable for the organization’s compliance with the remaining principles.

Accountability within cloud computing can be achieved by attaching policies to data and mechanisms to ensure that these policies are adhered to by the parties that use, store, or share that data, irrespective of the jurisdiction in which the information is processed.

The way to move onward is for organizations to value accountability and build mechanisms for accountable, responsible decision making while handling data. Specifically, accountable organizations ensure that obligations to protect data are observed by all processors of the data, irrespective of where that processing occurs.
