Contracts in the cloud, security and data privacy: instructions


Contracts for the supply of cloud computing services pose particular legal problems.

First of all, it is necessary to clarify that they involve different parties:

  • the cloud provider, i.e. the cloud service provider
  • the administrator client, i.e. the one who configures the services offered by the cloud provider
  • the end user of the cloud services, who benefits from the resources configured by the client's administrator

It is not easy to classify a cloud computing contract legally. Part of the legal doctrine holds that the contract in question is a mixed contract, because it contains elements traceable both to the service contract (the cloud service offering) and to the licence agreement (use of the product).

Another strand of doctrine on the contract for the provision of cloud computing services has clearly traced this contractual regime to the service contract, observing that the result obtained through this contract is similar to that obtained through outsourcing contracts. It should be recalled that the Italian legal system treats the outsourcing contract as an atypical contract, widely used despite the absence of a regulated contractual model, and therefore treats it as a service contract.

Cloud Contracts: Privacy Features

Cloud contracts typically consist of multiple sections containing the terms and conditions of the service, the Service Level Agreement (or SLA), the obligations of the parties and the methods of processing personal data.

In summary:

  • the general terms and conditions section defines the general aspects of the contract itself, namely its duration, consideration, payment, termination and withdrawal
  • the SLA section details the service levels that the provider commits to maintain
  • the section on the obligations of the parties defines the conditions to be met to avoid any interruption or suspension of the service
  • the privacy policy describes how the provider processes personal data as part of the provision of the cloud computing service, also in light of the obligations imposed by Regulation (EU) 2016/679.

Choosing the cloud service provider and the cloud service contract is a particularly important phase, focused on the selection of providers (vendor rating) and the identification of the service contract best suited to the needs of the company. The following conditions should always be met:

  • the data stored on the provider's servers must always remain the property of the company
  • the provider must be able to demonstrate that it enforces appropriate access controls, and must ensure that data in transit, as well as file downloads and transfers, are protected by encryption protocols
  • it must always be possible to download a copy of the data, at any time and independently, and the provider must declare with full transparency the physical location of the data
  • the customer must be able to periodically check the provider's performance and compliance with the contract.

A particularly important aspect in the cloud domain is data portability.

By portability we mean the possibility of migrating applications and data from one cloud environment to another, avoiding being "stuck" with a given cloud infrastructure provider (vendor lock-in).

It is precisely in this regard that the "Guidelines on the right to data portability" of the Article 29 Working Party (WP29) are relevant. They provide guidance on the interpretation and implementation of the right to data portability introduced by Regulation (EU) 2016/679, encouraging cooperation agreements between providers and professional associations for the definition and development of shared standards and interoperable formats.

Data privacy and cloud security

The risk that users lose control of their data in cloud services poses a serious threat to information privacy and to the founding principles of privacy law.

ISO/IEC 27018 (Code of practice for the protection of personally identifiable information in public clouds acting as PII processors) and the recommendations made by ENISA since the first version of its publication "Cloud Computing: Benefits, risks and recommendations for information security" are in fact excellent reference tools for the proper management of privacy and data security in the cloud.

In particular, ISO/IEC 27018, incorporating the principles set out in the Madrid Resolution of 2009, provides precise instructions, guidelines and controls for the processing of personal data in public clouds.

Below is a brief summary of the instructions, guidelines and controls relating to the processing of personal data set out in the standard:

  • consent and choice: the provider must facilitate the exercise of the rights of access, rectification and/or erasure by the data subject. To facilitate the exercise of these rights, the relevant technical information or measures must be specified in the contract.
  • purpose limitation: the only processing purposes are those disclosed in the service contract; advertising or direct marketing purposes require the explicit consent of the data subject
  • data minimisation: temporary files and documents must be deleted or destroyed within a specified and documented period of time
  • limitation of use, retention and disclosure: unless specifically prohibited by law, any request for disclosure of personal data by administrative or judicial authorities must be notified to the customer as soon as possible. In addition, any disclosure of personal data to third parties must be recorded
  • transparency: the provider's use of subcontractors must be disclosed to the cloud service customer before such use. The provisions relating to the use of subcontractors must be clearly stated in the contract between the provider and the customer. The provider must inform the customer in good time of any proposed change in this regard, so as to give the customer the opportunity to object to the change or terminate the contract.
  • accountability: the provider must promptly inform the customer of any breach resulting in the loss, disclosure or alteration of personal data (data breach)
  • privacy compliance: the provider must indicate the countries in which the data may be stored, including as a result of the use of subcontractors, as well as the specific contractual arrangements applied to international data transfers. The provider must inform the customer without delay of any changes envisaged in this regard, in order to give the customer the opportunity to object to such changes or to terminate the contract.

With regard to security, the standard suggests a comprehensive set of measures to protect personal data in cloud environments, summarised below:

  • confidentiality or non-disclosure agreements between the provider and its employees and collaborators
  • limiting the creation of paper documents (including printouts containing personal data)
  • verification and logging procedures for data restoration
  • an authorisation procedure for personal data transferred to magnetic media outside the company premises, with encryption of the content
  • prohibition of the use of unencrypted portable storage media, save for documented exceptions
  • encryption of data transmitted over public networks
  • secure disposal of paper materials
  • use of unique identifiers for cloud service customers
  • systematic creation and maintenance of a register of the users accessing the system and their associated access profiles
  • management of user identifiers and prohibition of reassigning unused or expired identifiers to third parties
  • evidence of minimum security controls in contracts with customers and subcontractors
  • ensuring that whenever storage space is allocated to a cloud service, any data previously residing on that storage space is made unintelligible.

The ENISA recommendations

The recommendations made by ENISA can be subdivided into three macro-areas:

  • recommendations to secure the processing of information in the cloud
  • recommendations relating to legal aspects
  • recommendations for research purposes.

Leaving aside the recommendations for research purposes, this article summarises the suggested recommendations on the protection of information processed in the cloud and on the legal aspects of cloud computing contracts.

Regarding the recommendations concerning the protection of information and data, ENISA suggests adopting the following good practices:

  • assess the risk of adopting cloud services by comparing the risks associated with maintaining a traditional architecture with those associated with migrating to a cloud computing environment
  • compare the different cloud service offerings on the market
  • obtain assurance from the cloud service provider. Many cloud service providers receive customer requests to audit their infrastructure and policies. This can place a particularly heavy load on security personnel and increase the number of people with access to the infrastructure, which greatly increases the risk of attacks through misuse of systems, exposure of critical information, theft of critical or sensitive data, and so on. Providers must therefore address this problem by putting in place appropriate policies to handle such requests.
  • clearly define the division of security responsibilities between customers and providers, as the line of this division varies considerably between SaaS and IaaS offerings. IaaS providers treat the applications in the client's virtual instance as a "black box" and are therefore fully agnostic with regard to their operation and management. The entire "stack" (client application and runtime application platform, such as .NET, Java, Ruby or PHP) runs on the client's server (on the provider's infrastructure) and is managed by the customers themselves; customers should therefore be aware that they are responsible for the security of their IaaS infrastructure.

Design and management of secure applications

With respect to the design and management of secure cloud applications, the following good practices are also suggested:

  • standard security countermeasures must be designed in or integrated to protect against the most common web vulnerabilities
  • customers are responsible for updating their applications in the cloud and must therefore put in place an appropriate strategy to ensure protection against malware and vulnerabilities
  • customers should not use custom authentication and authorisation implementations, because they may not be implemented correctly.

It should be noted that, while some of the risk may be transferred to the cloud service provider, in the event of a security incident resulting in unauthorised disclosure of data the loss of consumer confidence and any penalties would be felt primarily by the end customer. Any risk assessment should therefore be decided according to the organisation's risk appetite and the financial savings that can be achieved through an adequate risk mitigation policy.

In terms of operational security, ENISA suggests that the provider adopt the following recommendations to ensure that appropriate controls are used to mitigate the risk of unauthorised disclosure of data:

  • define the host and network controls used to protect the systems hosting applications and information for the end customer
  • specify the controls used to protect against malicious code
  • implement secure configurations that allow only authorised code execution and permitted functionality
  • ensure that appropriate backup policies and procedures are used. This should include procedures for managing removable media and methods for securely destroying media that are no longer needed.

With regard to legal aspects, the ENISA recommendations highlight a first fundamental distinction between small and medium-sized enterprises and large firms: the former choose among a multitude of contracts offered on the market, while the latter have broader bargaining power that allows them to negotiate contractual terms with cloud service providers. In all cases, special attention should be given to the rights and obligations regarding security breach notifications, data transfers, and changes of control and access. In summary:

  • data protection: choose a provider that offers sufficient technical and organisational security measures to govern and enforce data processing
  • data security: attention should be paid to mandatory security measures whose breach may result in fines and penalties for the cloud service provider or the customer if the contract does not meet these obligations
  • data transfer: care should be taken to provide the customer with information on how data is transferred into the provider's cloud, out of it, and into and out of the European Union
  • access by law enforcement: each country imposes restrictions and requirements allowing law enforcement to access data. The customer should pay attention to the information provided by the provider regarding the countries in which data may be stored and processed, and assess the risks arising from the applicable legislation.
  • intellectual property: care should be taken to ensure that the contract respects intellectual property rights, to the extent possible, without compromising the quality of the service provided
  • risk allocation and limitation of liability: when reviewing their respective contractual obligations, the parties should pay particular attention to obligations presenting a significant risk and provide for possible indemnification clauses. In addition, all standard clauses regarding limitations of liability must be carefully evaluated.

Conclusions

At the end of this analysis, it is clear that businesses of all types and sizes using cloud-based computing services and technologies of increasing complexity must be able to manage platforms and applications effectively, paying special attention to privacy, security and the obligations provided for contractually. It would therefore be desirable for all organisations to have adequate systems and human resources, trained and prepared both to take full advantage of the benefits of cloud computing and to intervene effectively in the event of a data breach or security threat, which may pose a concrete threat to the reputation of the company and to the rights and freedoms of the people concerned.


Cloud computing is one of the fastest growing IT sectors: in recent years, more and more public and private companies have chosen to rely on cloud-based infrastructures, encouraged by the indisputable advantages of the solutions offered by the market and by the ease of remote access via smartphones, netbooks and tablets.

According to a projection by Gartner Inc. carried out last year, the cloud computing market will reach more than $300 billion in 2018 and will exceed $400 billion in 2020; the annual growth rate of the global cloud market will average 13.4%.

According to research by Oracle Corporation, the cloud computing market in Italy has grown steadily in recent years, reaching percentages even higher than the global average, and registered a 21.5% increase in 2016.

The National Institute of Standards and Technology (NIST) has proposed a definition of cloud computing that has become widely accepted: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

There are three different types of cloud services, each involving different kinds of assets:

  • Infrastructure as a Service (IaaS): the provider supplies remote virtual resources accessible online (hardware, network and storage resources). The user does not control the infrastructure but does control the applications and configurations, and resources are instantiated on demand or according to the needs of the platform used. Among the most popular IaaS offerings: Dropbox, Amazon Simple Storage Service.
  • Platform as a Service (PaaS): the cloud provider supplies application servers (platforms) for running applications. PaaS vendors can also provide middleware and development tools, supporting developers throughout the web application lifecycle. Examples of applications run on PaaS are PHP scripts and Java servlets; examples of PaaS offerings: Google App Engine, Microsoft Azure.
  • Software as a Service (SaaS): the provider offers software or applications used directly by the user from multiple devices via the Internet. They are widely used, for example as email or document management tools; SaaS providers may also run their applications on IaaS or PaaS from other providers (for example, Netflix video streaming (SaaS) runs on Amazon AWS PaaS/IaaS cloud services).

To make the overview more complete, it is necessary to clarify the substantial difference between private cloud and public cloud.

Microsoft defines the private cloud (also called enterprise cloud or internal cloud) as computing services offered over the Internet or over an internal private network only to selected users and not to the general public. Private cloud computing provides businesses with many benefits, such as self-service capabilities, scalability and flexibility, with the additional control and customisation provided by dedicated resources on a locally hosted IT infrastructure. Moreover, "private clouds provide a high level of security and privacy through enterprise firewalls and internal hosting, to ensure that sensitive transactions and data are not accessible to third-party vendors". In terms of costs, however, private clouds require the same human resource, maintenance and management costs as traditional enterprise data centres.

The public cloud, instead, is defined as "computing services offered by third-party providers via the public Internet and accessible to anyone who wishes to use or buy them. These services can be free or sold on demand, allowing customers to pay only for the processor cycles, storage resources or bandwidth that they use."

Cloud services are a particularly attractive solution, especially for SMEs, as implementation costs are often much lower than those of traditional IT solutions. This is not the only benefit, however: collaboration tools in the cloud, for example, provide access to multiple users from any site and from any device. Geographical distribution is therefore an effective risk mitigation measure against natural disasters (such as floods) and DoS (denial of service) attacks, as well as, of course, a way to control costs compared with a traditional distributed infrastructure, which would require the implementation and management of remote sites whose infrastructure costs would be borne entirely by the company. Another feature of the cloud is the ability to respond quickly to sudden changes in resource usage, malfunctions and cyberattacks: providers have large data centres and many reserve IT resources (which an SME could not afford, since they would be only partially used and therefore unprofitable) that can be brought in during particularly intense usage peaks or DDoS (distributed denial of service) attacks.
