TRANSCRIPT
On location-determined cloud management for legally compliant outsourcing
Bernhard Doll, Research Assistant, University of Passau
Authors: Bernhard Doll, Ramona Kühn, Prof. Hermann de Meer (University of Passau); Ralph Herkenhöner, Dirk Emmerich (Fujitsu Technology Solutions)
10.11.2015 COPYRIGHT 2015 - R&D collaboration between Fujitsu and University of Passau 1
Overview
Location-determined data processing
  Legal and technical requirements
Cloud Data Security Matrix
  Security management
  Decision and enforcement
Proof of Concept
  Implementing location-determined data processing
Location-determined data processing
Legal and technical requirements
Overall Legal Situation
Cloud customer is accountable
• For outsourced IT processes
• For achieving legal compliance
Cloud provider is responsible
• For operating cloud services according to the agreed SLA
• For implementing technical measures to ensure
  • Integrity and availability of services and entrusted data
  • Non-disclosure of entrusted data (confidentiality)
  • Support of cloud customers in achieving legal compliance
Which legal requirements apply to cloud customers? How can cloud providers support achieving them in the cloud?
Legal Requirements – Example (1)
Example: Global cloud sourcing
[Figure: a German company (corporate customer) outsources to a service provider with a subcontractor; the cloud provider, with its cloud management located in DE, uses hardware and software providers and data centres in DE, CH and FR. Personal data and business data (incl. tax data) flow into the global cloud; the DE and EU jurisdiction boundaries are marked.]
Legal Requirements – Example (2)
Can I process tax data within the cloud?
Generally: Tax data has to remain in Germany (§ 238 HGB)
Exceptions may be authorized by the local tax office; the company remains responsible (§ 146 para. 2a AO)
Access by the local tax office must be ensured (§ 146 para. 2 no. 2f AO in conj. with § 147 para. 2 cl. 1 no. 2 AO)
[Figure: same global cloud layout; the German company's personal data and business data (incl. tax data) reach the data centres in DE, CH and FR via the cloud management in DE. Placement of tax data in the CH and FR data centres is marked "?"; the local tax office (DE) must retain access.]
Legal Requirements – Example (3)
Assumption: Contract data processing (§ 11 BDSG)
Is data transmission to Switzerland legally allowed? (§ 4b BDSG)
The necessary level of protection is given for Switzerland (cp. MEMO/05/3)
Has to be clarified by the company (not by the cloud management)
If allowed: the cloud management becomes the controller, i.e., responsible (with respect to the transmission to Switzerland)
[Figure: same global cloud layout; the transmission of personal data from the DE data centre to the CH data centre, outside the EU boundary, is marked "?".]
Technical Requirements in Clouds
Identification of the necessary level of protection
Security policies
Implementation and enforcement of safeguards
• Basic security measures
• Access control
• Transfer control
• Countermeasures and incident response
Monitoring, documentation, and reporting of compliance
Major gap: location-determined data processing! How to achieve location-determined cloud computing?
Cloud Data Security Matrix
Security management
Decision and enforcement
Cloud Data Security Matrix
Decision
• Identify data types and the allowed location of data processing
• Match cloud services with the physical resource location
Location constraints are verified for:
• Physical resource location of the used virtual resource
• Location of administration and support
• Target location of communication channels
Enforcement
• By region (responsible)
• By island
• By service type
Cloud Data Security Management – Concept
[Figure: three regions (Europe, Asia, US), each containing numbered islands (Island 1, Island 2, Island 3, ... per region); regions and islands are the units by which the location of processing is controlled.]
Cloud Data Security Management – Example
[Figure: the security matrix is configured per jurisdiction (Germany, UK, Switzerland, Japan; grouped as European Union, Europe and Asia) and per data type (business data, personal data, tax data). Data centres in each jurisdiction are linked by secure communication.]
Cloud Data Security Matrix – Configuration
Legal Analysis: Is transfer allowed?
In comparison to traditional IT outsourcing (no cloud computing)

Columns: data origin; Private Cloud on premise; Private Cloud off premise; National Cloud; European Cloud; Global Cloud.
Rows: one DE-origin row and one EU-origin row per data type (data types listed below).

Origin  On premise  Off premise  National  European  Global
DE      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2
EU      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2

DE      Yes1,2      No1,2        No1,2     No1,2     No1,2
EU      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2

DE      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2
EU      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2

DE      Yes1,2      Yes1,2       Yes1,2    No1,2     No1,2
EU      Yes1,2      Yes1,2       Yes1,2    No1,2     No1,2

DE      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2
EU      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2

DE      Yes2        Yes2         Yes2      Yes2      Yes2
EU      Yes2        Yes2         Yes2      Yes2      Yes2

DE      Yes1,2      No1,2        No1,2     No1,2     No
EU      Yes2        Yes1,2       Yes1,2    Yes1,2    No

DE      Yes         No1,2        No1,2     No1,2     No
EU      Yes         Yes1,2       Yes1,2    Yes1,2    No

DE      Yes1,2      Yes1,2       Yes1,2    Yes1,2    Yes1,2
EU      Yes1,2      Yes1,2       Yes1,2    Yes1,2    Yes1,2

DE      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2
EU      Yes1,2      Yes1,2       Yes1,2    Yes1,2    No1,2

1 admissible if explicitly allowed and not explicitly prohibited
2 additional security precautions might be required

Data types (note: data may fall into multiple categories):
• Business Data (e.g., §§ 17 seqq. UWG)
• Tax Data (e.g., § 238 HGB)
• Financial Data (e.g., § 16 InvG)
• Data relevant for the Dual-Use / Export Control List (e.g., Council Regulation (EC) No. 428/2009)
• Governmental Data (according to Art. 33 GG)
• Personal Data (e.g., § 11 BDSG)
• Protected Personal Data, e.g., medical data (e.g., § 203 StGB)
• Employee Data (e.g., § 32 BDSG)
• Social Data (e.g., § 35 SGB I)
• Usage Data, Customer Data, Accounting Data, Traffic Data (e.g., §§ 11-15a TMG)
Data Centric Security –Security Policy
Security classes
• For assets, i.e., data and virtual resources
• For hardware resources
Formal description:
ASSET × (C × I × A × Loc)
RESOURCE × (C × I × A × Loc)
where C = Confidentiality, I = Integrity, A = Availability, Loc = Location
Example object:
(Customer_Database_1, (Personal Data, High Integrity, 99.99%, European Union))
Security Classes within Clouds
Data Centric Security – Example
[Figure: the security matrix from the previous example (jurisdictions Germany, UK, Switzerland, Japan grouped as EU, Europe and Asia; data types business data, personal data, tax data; data centres linked by secure communication), with the example object placed into it:]
(Customer_Database_1, (Personal Data, High Integrity, 99.99%, European Union))
Proof of Concept
Implementing location-determined data processing
Classification and configuration
[Figure: security class hierarchy. Global contains EU (cells DE, FR, UK), Non-EU (cells CH and JP/Asia) and Local (Customer); every jurisdiction is one cell.]
Example configuration:
Classification: data type = personal data; data origin EU, DE, FR, CH; cells DE, FR, UK, CH. The matrix maps each (data type, data origin) pair to the cells in which the data may be processed.
Filtering Resources – An Example
Scenario: Corporate customer requests a VM to process personal data of European customers.
1) Selecting the security class: (personal data, France) → EU
2) Filtering cells: EU → (DE, FR, UK)
3) Requesting resources: Start VM in (DE, FR, UK)
[Figure: the security class EU is highlighted in the cell hierarchy Global > EU (DE, FR, UK), Non-EU (CH, JP), Local (Customer).]
Filtering Resources – An Example with Separate Backup Strategy
Scenario: Corporate customer requests a VM to process personal data of European customers. Additionally, a separate backup is required.
1) Selecting the security class: (personal data, France) → EU
2) Filtering cells: EU → (DE, FR, UK)
3) Filtering backup cells: (DE, FR, UK) → (DE, FR) + (UK)
4) Requesting resources: Start VM in (DE, FR); Start backup in (UK)
[Figure: the EU cells are split into a user space (DE, FR) and a disjoint backup space (UK) within the cell hierarchy Global > EU (DE, FR, UK), Non-EU (CH, JP), Local (Customer).]
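The decision flow of the two filtering examples (select security class, filter cells, request resources, split off a disjoint backup space) together with the ASSET × (C × I × A × Loc) and RESOURCE × (C × I × A × Loc) tuples from the security-policy slide, as an added Python example. This is editor-supplied illustration code, not the NGCert/OpenStack demonstrator: the cell hierarchy follows the slides, while the security matrix entries, the host inventory and the availability figures are constructed assumptions.

```python
"""Location-determined resource filtering (added example, not the demonstrator's code).

Implements the slides' decision flow: (data type, origin) -> security class ->
cells -> resources, plus the disjoint user/backup space split, on top of the
ASSET x (C x I x A x Loc) / RESOURCE x (C x I x A x Loc) policy tuples.
Matrix entries, hosts and availability figures are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Cell hierarchy as drawn on the classification slide: Global > EU / Non-EU / Local.
CELL_TREE: Dict[str, FrozenSet[str]] = {
    "Global": frozenset({"EU", "Non-EU", "Local"}),
    "EU": frozenset({"DE", "FR", "UK"}),
    "Non-EU": frozenset({"CH", "JP"}),
    "Local": frozenset(),  # customer premises: the provider has no hosts here
}

# Security matrix: (data type, data origin) -> cell allowed for processing.
# Assumed entries; a real matrix is the outcome of the legal analysis.
SECURITY_MATRIX: Dict[Tuple[str, str], str] = {
    ("personal data", "FR"): "EU",
    ("personal data", "DE"): "EU",
    ("tax data", "DE"): "DE",  # tax data stays in Germany
    ("business data", "DE"): "Global",
}


@dataclass(frozen=True)
class Asset:
    """ASSET x (C x I x A x Loc): C is the data type, Loc the data origin."""
    name: str
    data_type: str
    integrity: str
    availability: float  # required availability in percent
    origin: str


@dataclass(frozen=True)
class Resource:
    """RESOURCE x (C x I x A x Loc): a physical host located in one leaf cell."""
    name: str
    location: str
    availability: float  # availability guaranteed by the SLA, in percent


def select_security_class(data_type: str, origin: str) -> str:
    """Step 1: look up the cell; an unknown combination is a refused transfer, never a default."""
    try:
        return SECURITY_MATRIX[(data_type, origin)]
    except KeyError:
        raise PermissionError(f"no matrix entry for ({data_type!r}, {origin!r})") from None


def leaf_cells(cell: str) -> FrozenSet[str]:
    """Step 2: expand a cell to the jurisdictions (leaf cells) it contains."""
    if cell not in CELL_TREE:
        return frozenset({cell})
    leaves: set = set()
    for child in CELL_TREE[cell]:
        leaves |= leaf_cells(child)
    return frozenset(leaves)


def placement_allowed(asset: Asset, resource: Resource) -> bool:
    """Enforcement check run before a VM holding `asset` is started on or migrated to `resource`."""
    allowed = leaf_cells(select_security_class(asset.data_type, asset.origin))
    return resource.location in allowed and resource.availability >= asset.availability


def filter_resources(asset: Asset, inventory: List[Resource]) -> List[Resource]:
    """Step 3: hosts inside the allowed cells that also meet the availability class."""
    return [r for r in inventory if placement_allowed(asset, r)]


def split_backup(cells: FrozenSet[str], backup_count: int = 1) -> Tuple[List[str], List[str]]:
    """Backup scenario: split the allowed cells into a disjoint user space and backup space."""
    ordered = sorted(cells)
    if len(ordered) <= backup_count:
        raise ValueError("not enough cells for a separate backup space")
    return ordered[:-backup_count], ordered[-backup_count:]


# Constructed inventory and the customer database from the policy slide.
INVENTORY: List[Resource] = [
    Resource("host-de-1", "DE", 99.99),
    Resource("host-fr-1", "FR", 99.95),  # allowed cell, but below the required class
    Resource("host-uk-1", "UK", 99.99),
    Resource("host-ch-1", "CH", 99.99),  # adequate protection level, yet outside the EU cell
    Resource("host-jp-1", "JP", 99.99),
]
CUSTOMER_DB = Asset("Customer_Database_1", "personal data", "High Integrity", 99.99, "FR")


def plan_placement(asset: Asset, inventory: List[Resource]) -> Dict[str, List[str]]:
    """Whole flow with separate backup: host names for the user space and the backup space."""
    cells = leaf_cells(select_security_class(asset.data_type, asset.origin))
    user_cells, backup_cells = split_backup(cells)
    candidates = filter_resources(asset, inventory)
    return {
        "vm": [r.name for r in candidates if r.location in user_cells],
        "backup": [r.name for r in candidates if r.location in backup_cells],
    }


if __name__ == "__main__":
    print(plan_placement(CUSTOMER_DB, INVENTORY))
    # -> {'vm': ['host-de-1'], 'backup': ['host-uk-1']}
```

Two design points matter for enforcement rather than mere decision: a missing matrix entry raises instead of falling back to a permissive default, and `placement_allowed` is the same predicate used for the initial filtering and for any later migration, so a VM cannot drift into a host outside its cell through a scheduler path that skipped the lookup.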
OpenStack Demonstrator –Screenshots
Conclusion
Location-determined data processing in compliance with legal requirements and customer preferences
Cloud data security management with secure data communication between regions and islands
Cloud Data Security Matrix
• Configured by data type and data origin
• Controls location by region, island and service type
Data centric security to protect and track the location of data and virtual machines
Supporting legal compliance within the cloud: empowering the cloud customer to keep control
Thank you for listening
Contact: [email protected]
Web:http://www.fim.uni-passau.de/en/computer-networks/
Security Classes within Clouds - Confidentiality
About NGCert: Next Generation Certification
The project NGCert is part of the "Secure Cloud Computing" program, which derives from the German government's High-Tech Strategy.
Funded by the BMBF (Bundesministerium für Bildung und Forschung)
Start: October 2014; End: September 2017
Goal: Research and development of a dynamic certification that provides ongoing assurance of certification adherence.