Charles Mok, profile picture
Uploaded byCharles Mok
PPTX, PDF1,547 views

The Impact of Cloud: Cloud Computing Security and Privacy

This document discusses security issues related to cloud computing and storing sensitive personal data in the cloud. It identifies data security, privacy, and ensuring data resides within the proper legal jurisdiction as the biggest challenges. Various countries and regions have different laws governing how personal data can be collected, transferred, stored, and protected. When using cloud services, organizations need to understand these legal compliance issues, evaluate cloud vendors' security practices, and implement appropriate governance, operations, and risk management strategies to safely leverage the benefits of cloud computing while protecting sensitive data and ensuring privacy.

Downloaded 71 times
“Technological advances, combined with the ubiquity of the Internet, have spawned a near-infinite range of potentially grave security threats to governments, commercial entities and individuals.” Paul Rosenzweig
Can we still trust the „cloud‟? What are the local laws that govern data being collected, transferred and stored?
BIGGEST INHIBITOR TO THE ADOPTION OF CLOUD COMPUTING Data Security
SENSITIVE DATA IN THE CLOUD More data, more storage Personally identifiable information examples • Credit card information • Medical records • Tax records • Customer account records • Human resources information • Banking and insurance records • Browsing history, emails and other communication
CLOUD SECURITY - STAKEHOLDERS Data collector/owner Cloud service providers •Outsourcing: How to select a cloud vendor? •How to maintain direct control to safeguard data integrity? •How to satisfy data residency and privacy requirements •How to remain flexible and provide costeffective service? Regulator •Formulation of relevant standards and practices •How to ensure adoption and compliance? •Would sensitive data end up overseas? Customers/endusers •Are my data safe in the cloud? •Would I know if there is security or privacy breach?
ISSUES ON CLOUD SECURITY Security Residency Privacy Is the data protected from theft, leakage, spying or attacks? Where is the data stored? geographically disbursed? Who can see personally identifiable information (PII)? What is the level of control and protection? What to do with data in transit & outside territory? Storing, transferring, locating and protecting PII
Info on 3rd party service and distributed infrastructure Deliver resiliency, availability and flexibility of cloud services Maintaining ownership and control of data Challenges of cloud and security
COMPLIANCE REQUIREMENTS • Some countries have laws restricting storage of data outside their physical country borders: India, Switzerland, Germany, Australia, South Africa and Canada • EU: Data Protection Directive; Safe Harbor Principles – no sending PII outside European Economic area unless protections guaranteed • USA: US Patriot Act, 40+ states have breach notification laws (25 states have exemption for encrypted personal data) • Canada: Freedom of Information and Protection of Privacy Act
HONG KONG • Section 33(2)(f) of Personal Data (Privacy) Ordinance, • Forming standards through HK/Guangdong Expert Committee on Cloud Computing Services and Standards • Guidelines and information via infocloud.gov.hk
INTERCEPTION OF COMMUNICATIONS: REGULATIONS IN HK • Article 30 of the Basic Law: freedom and privacy of communication of Hong Kong residents shall be protected by law • Law enforcement agencies: Interception of Communications and Surveillance Ordinance (Cap 589) • Non-public officers and non-governmental bodies: Telecommunications Ordinance (s24, s27, s29), Personal Data (Privacy) Ordinance, s161 of Crimes Ordinance
TWO ISSUES TO THINK ABOUT - Data residency: Transfer of personal information or moving data storage device outside of local jurisdiction - Data encryption: Data should be encrypted before being sent to the cloud, and that data owner retains the encryption keys
KEY QUESTIONS TO ASK • What do we need? What is our goal? • Where are the risks? • What are the systems, processes, policies and practices we need to mitigate risks? • How to protect our data assets and keep cloud platform secure? • How to ensure transparency and compliance? • How to evaluate potential cloud service providers?
CRITICAL AREAS Governance Operation Governance and Enterprise Risk Management Traditional Security, Business Continuity and Disaster Recovery Legal and Electronic Discovery Data Center Operations Compliance and Audit Incident Response, Notification and Remediation Information Lifecycle Management Application Security Portability and Interoperability Encryption and Key Management Identity and Access Management Virtualization
PLANNING AHEAD: STRATEGIC APPROACH • Service models: SaaS, PaaS, IaaS? • Multiple layers: Physical security (facilities) Network security (infrastructure) System security (IT systems) Application and data security
IDENTIFY, LOCATE AND DEFINE THE RISKS Identification and valuation of assets Identification and analysis of threats and vulnerabilities Risk and incident scenarios Analysis of the likelihoods of scenarios, risk acceptance levels and criteria risk treatment plans with multiple options (control, avoid, transfer, accept)
CONSISTENCY BETWEEN YOU AND YOUR PROVIDER • Alignment of impact analysis criteria and definition of likelihood • Specify assessment and risk management requirement e.g. vulnerability assessment, audit logs, activity monitoring • Detailed in Service Level Agreements, contract requirements, and provider documentation
OPERATION: KEY AREAS • Disaster Recovery and Business Continuity • Breach notification and data residency • Data management at rest • Data protection in motion • Encryption key management • Identification and Access controls • Long-term resiliency of the encryption system
Charles Mok Legislative Councillor (Information Technology) charles@charlesmok.hk www.charlesmok.hk Facebook: Charles Mok B Twitter: @charlesmok

More Related Content

PPTX
Evolving international privacy regulations and cross border data transfer - g...
byUlf Mattsson
 
PPTX
Eight principles of consumer data privacy
bySolix Technologies, Inc
 
PDF
GDPR Cyber Insurance 11/1/2017
byisc2-hellenic
 
PPTX
Simple GDPR Overview
byGydeline Ltd
 
PDF
Isaca new delhi india privacy and big data
byUlf Mattsson
 
PPTX
May 6 evolving international privacy regulations and cross border data tran...
byUlf Mattsson
 
PPTX
Privacy Secrets Your Systems May Be Telling
byRebecca Leitch
 
PPTX
India'a Proposed Privacy & Personal Data Protection Law
byPriyanka Aash
 
Evolving international privacy regulations and cross border data transfer - g...
byUlf Mattsson
 
Eight principles of consumer data privacy
bySolix Technologies, Inc
 
GDPR Cyber Insurance 11/1/2017
byisc2-hellenic
 
Simple GDPR Overview
byGydeline Ltd
 
Isaca new delhi india privacy and big data
byUlf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
byUlf Mattsson
 
Privacy Secrets Your Systems May Be Telling
byRebecca Leitch
 
India'a Proposed Privacy & Personal Data Protection Law
byPriyanka Aash
 

What's hot

PPTX
General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
PDF
Is it time for an IT Assessment?
byRaffa Learning Community
 
PDF
DAMA Ireland - GDPR
byDAMA Ireland
 
PPTX
Global Data Privacy Regulation
byJatin Kochhar
 
PDF
GDPR Overview
byTrish McGinity, CCSK
 
PDF
Block Chain Record Management
byCharles Moore
 
PDF
Data Privacy & Security
byEryk Budi Pratama
 
PDF
(SACON) Shivangi Nadkarni & Sandeep Rao - An introduction to Data Privacy
byPriyanka Aash
 
PPT
DFG Demo
bydfgroup
 
PDF
12 02-14 information security managers - unannotated
bywdsnead
 
PPTX
Fuel Good 2018: Is your Nonprofit at Risk? Security and Privacy Best Practices
bySparkrock
 
PPTX
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
byTara Aaron
 
PDF
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...
byJadu
 
PDF
Protective Monitoring
byjohandev
 
PDF
Data Privacy
bycliff_rudolph
 
PDF
Data protection compliance for tech startups
byEkoInnovationCentre
 
PDF
ICANN WhoIs Backgrounder
byInternet Law Center
 
PPTX
Privacy Discusssion GM667 Saint Mary's University of MN
bySaint Mary's University of Minnesota
 
General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
Is it time for an IT Assessment?
byRaffa Learning Community
 
DAMA Ireland - GDPR
byDAMA Ireland
 
Global Data Privacy Regulation
byJatin Kochhar
 
GDPR Overview
byTrish McGinity, CCSK
 
Block Chain Record Management
byCharles Moore
 
Data Privacy & Security
byEryk Budi Pratama
 
(SACON) Shivangi Nadkarni & Sandeep Rao - An introduction to Data Privacy
byPriyanka Aash
 
DFG Demo
bydfgroup
 
12 02-14 information security managers - unannotated
bywdsnead
 
Fuel Good 2018: Is your Nonprofit at Risk? Security and Privacy Best Practices
bySparkrock
 
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
byTara Aaron
 
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...
byJadu
 
Protective Monitoring
byjohandev
 
Data Privacy
bycliff_rudolph
 
Data protection compliance for tech startups
byEkoInnovationCentre
 
ICANN WhoIs Backgrounder
byInternet Law Center
 
Privacy Discusssion GM667 Saint Mary's University of MN
bySaint Mary's University of Minnesota
 

Viewers also liked

PDF
Dean carey - data loss-prevention - atlseccon2011
byAtlantic Security Conference
 
PDF
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
byCybera Inc.
 
PDF
IBM's four key steps to security and privacy for big data
byIBM Analytics
 
PPTX
Privacy in Computing - Impact on emerging technologies
byMensah Sitti
 
PDF
Robert beggs incident response teams - atlseccon2011
byAtlantic Security Conference
 
PPTX
iTrack WP3 workshop
byTrilateral Research
 
PDF
Privacy Impact Assessment Management System (PIAMS)
byThe Canton Group
 
PDF
Privacy Impact Assessment Methodologies for Protection of Personal Data
byH. T. Besik
 
PPTX
Impact of CCTV on 'Right to Privacy'
bySSoujanya
 
PPT
Integrated Privacy Impact Assessment
byJeremy Hilton
 
PDF
Privacy preserving detection of sensitive data exposure
byredpel dot com
 
PPTX
From Privacy Impact Assessment to Social Impact Assessment: Preserving TRrus...
byLilian Edwards
 
PPTX
Brussels Privacy Hub: SATORI and iTRACK
byTrilateral Research
 
PDF
Trackment
bymeaannn
 
PDF
StuartMillar_13616005_PIA
byStuart Millar
 
PPT
Impact of ict on privacy and personal data
bymohd kamal
 
PPT
Data Privacy & Security Update 2012
byJason Haislmaier
 
PDF
走出IT人才荒 研討會
byCharles Mok
 
PDF
opncc_certificate
byDilshan Ranasinghe
 
PDF
WRC Newsletter Feb 2013
byLarell Scardelli
 
Dean carey - data loss-prevention - atlseccon2011
byAtlantic Security Conference
 
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
byCybera Inc.
 
IBM's four key steps to security and privacy for big data
byIBM Analytics
 
Privacy in Computing - Impact on emerging technologies
byMensah Sitti
 
Robert beggs incident response teams - atlseccon2011
byAtlantic Security Conference
 
iTrack WP3 workshop
byTrilateral Research
 
Privacy Impact Assessment Management System (PIAMS)
byThe Canton Group
 
Privacy Impact Assessment Methodologies for Protection of Personal Data
byH. T. Besik
 
Impact of CCTV on 'Right to Privacy'
bySSoujanya
 
Integrated Privacy Impact Assessment
byJeremy Hilton
 
Privacy preserving detection of sensitive data exposure
byredpel dot com
 
From Privacy Impact Assessment to Social Impact Assessment: Preserving TRrus...
byLilian Edwards
 
Brussels Privacy Hub: SATORI and iTRACK
byTrilateral Research
 
Trackment
bymeaannn
 
StuartMillar_13616005_PIA
byStuart Millar
 
Impact of ict on privacy and personal data
bymohd kamal
 
Data Privacy & Security Update 2012
byJason Haislmaier
 
走出IT人才荒 研討會
byCharles Mok
 
opncc_certificate
byDilshan Ranasinghe
 
WRC Newsletter Feb 2013
byLarell Scardelli
 

Similar to The Impact of Cloud: Cloud Computing Security and Privacy

PPTX
I am sharing 'Unit-2' with youuuuuu.PPTX
bypadhaipadhai639
 
PPTX
Myppt1.pptx on ics subject for 6th semester
byMayuraD1
 
PPTX
Transforming cloud security into an advantage
byMoshe Ferber
 
PPTX
The Cloud Computing Contract Playbook: Contracting for Cloud Services
byThis account is closed
 
PPTX
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
ODP
Securing The Cloud
bygeorge.james
 
PPTX
What the auditor need to know about cloud computing
byMoshe Ferber
 
PDF
The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30
byThis account is closed
 
PDF
Cloud Security
byPyingkodi Maran
 
PDF
Cloud Security Protecting Data in the Cloud Era
byyams12611
 
PDF
EuroCACS 2016 There are giants in the sky
byCarlos Chalico
 
PPT
Cloud Computing Legal Risks And Best Practices
bylisaabe
 
PPTX
HKCS CCSIG Cloud Executive Forum keynote
byCharles Mok
 
PPTX
Cloud and security 6 jul2013 v2
byCharles Mok
 
PPTX
Cloud security for banks - the central bank of Israel regulations for cloud s...
byMoshe Ferber
 
PPTX
What is Cloud Security, and Can I Have Some?
byJohn Kinsella
 
PDF
Cloud primer
byZeno Idzerda
 
PDF
Security Issues for Cloud Applications
byGuillermo Remache
 
PPTX
Extending security in the cloud network box - v4
byValencell, Inc.
 
PDF
Cloud Webinar Neiditz Weitz Mitchell Goodman
byjonneiditz
 
I am sharing 'Unit-2' with youuuuuu.PPTX
bypadhaipadhai639
 
Myppt1.pptx on ics subject for 6th semester
byMayuraD1
 
Transforming cloud security into an advantage
byMoshe Ferber
 
The Cloud Computing Contract Playbook: Contracting for Cloud Services
byThis account is closed
 
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
Securing The Cloud
bygeorge.james
 
What the auditor need to know about cloud computing
byMoshe Ferber
 
The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30
byThis account is closed
 
Cloud Security
byPyingkodi Maran
 
Cloud Security Protecting Data in the Cloud Era
byyams12611
 
EuroCACS 2016 There are giants in the sky
byCarlos Chalico
 
Cloud Computing Legal Risks And Best Practices
bylisaabe
 
HKCS CCSIG Cloud Executive Forum keynote
byCharles Mok
 
Cloud and security 6 jul2013 v2
byCharles Mok
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
byMoshe Ferber
 
What is Cloud Security, and Can I Have Some?
byJohn Kinsella
 
Cloud primer
byZeno Idzerda
 
Security Issues for Cloud Applications
byGuillermo Remache
 
Extending security in the cloud network box - v4
byValencell, Inc.
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
byjonneiditz
 

More from Charles Mok

PDF
Lessons from DeepSeek: Democratizing AI and Open Source
byCharles Mok
 
PDF
The Future of Artificial Intelligence Governance
byCharles Mok
 
PDF
Computer Crime Law in Hong Kong
byCharles Mok
 
PDF
2020-21年財政預算案——創科項目重點
byCharles Mok
 
PDF
Have you AI'ed today? A Reality Check
byCharles Mok
 
PDF
The Geopolitics of Undersea Cable Resilience
byCharles Mok
 
PDF
Technology, Data and Ethics
byCharles Mok
 
PDF
From Crypto to Trust and Identity
byCharles Mok
 
PDF
Global Technologies and Risks Trends
byCharles Mok
 
PDF
Why open and interoperable Internet infrastructure is key to the Internet's c...
byCharles Mok
 
PDF
Access to information consultation (19 2 2019)
byCharles Mok
 
PDF
APAC Data Center Infrastructure Observations
byCharles Mok
 
PDF
Driving Hong Kong Forward in the Age of 5G and Innovation
byCharles Mok
 
PDF
台灣數位經濟及區塊鏈的機遇與挑戰.pdf
byCharles Mok
 
PDF
Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...
byCharles Mok
 
PDF
香港科技罪行法例改革:何去何從?
byCharles Mok
 
PDF
The Trouble with "Fake News" Laws
byCharles Mok
 
PDF
190223 charles mok hku mpa (1) (1)
byCharles Mok
 
PDF
2020-21 Budget -- New measures on I&T
byCharles Mok
 
PDF
在數碼時代阻止假新聞與捍衛言論自由
byCharles Mok
 
Lessons from DeepSeek: Democratizing AI and Open Source
byCharles Mok
 
The Future of Artificial Intelligence Governance
byCharles Mok
 
Computer Crime Law in Hong Kong
byCharles Mok
 
2020-21年財政預算案——創科項目重點
byCharles Mok
 
Have you AI'ed today? A Reality Check
byCharles Mok
 
The Geopolitics of Undersea Cable Resilience
byCharles Mok
 
Technology, Data and Ethics
byCharles Mok
 
From Crypto to Trust and Identity
byCharles Mok
 
Global Technologies and Risks Trends
byCharles Mok
 
Why open and interoperable Internet infrastructure is key to the Internet's c...
byCharles Mok
 
Access to information consultation (19 2 2019)
byCharles Mok
 
APAC Data Center Infrastructure Observations
byCharles Mok
 
Driving Hong Kong Forward in the Age of 5G and Innovation
byCharles Mok
 
台灣數位經濟及區塊鏈的機遇與挑戰.pdf
byCharles Mok
 
Mistrust vs Misinformation: Fake News, AI and Privacy -- The Next Frontiers i...
byCharles Mok
 
香港科技罪行法例改革:何去何從?
byCharles Mok
 
The Trouble with "Fake News" Laws
byCharles Mok
 
190223 charles mok hku mpa (1) (1)
byCharles Mok
 
2020-21 Budget -- New measures on I&T
byCharles Mok
 
在數碼時代阻止假新聞與捍衛言論自由
byCharles Mok
 

Recently uploaded

PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PPTX
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 

The Impact of Cloud: Cloud Computing Security and Privacy

  • 2.
    “Technological advances, combinedwith the ubiquity of the Internet, have spawned a near-infinite range of potentially grave security threats to governments, commercial entities and individuals.” Paul Rosenzweig
  • 4.
    Can we stilltrust the „cloud‟? What are the local laws that govern data being collected, transferred and stored?
  • 5.
    BIGGEST INHIBITOR TOTHE ADOPTION OF CLOUD COMPUTING Data Security
  • 6.
    SENSITIVE DATA INTHE CLOUD More data, more storage Personally identifiable information examples • Credit card information • Medical records • Tax records • Customer account records • Human resources information • Banking and insurance records • Browsing history, emails and other communication
  • 7.
    CLOUD SECURITY -STAKEHOLDERS Data collector/owner Cloud service providers •Outsourcing: How to select a cloud vendor? •How to maintain direct control to safeguard data integrity? •How to satisfy data residency and privacy requirements •How to remain flexible and provide costeffective service? Regulator •Formulation of relevant standards and practices •How to ensure adoption and compliance? •Would sensitive data end up overseas? Customers/endusers •Are my data safe in the cloud? •Would I know if there is security or privacy breach?
  • 8.
    ISSUES ON CLOUDSECURITY Security Residency Privacy Is the data protected from theft, leakage, spying or attacks? Where is the data stored? geographically disbursed? Who can see personally identifiable information (PII)? What is the level of control and protection? What to do with data in transit & outside territory? Storing, transferring, locating and protecting PII
  • 9.
    Info on 3rd partyservice and distributed infrastructure Deliver resiliency, availability and flexibility of cloud services Maintaining ownership and control of data Challenges of cloud and security
  • 10.
    COMPLIANCE REQUIREMENTS • Somecountries have laws restricting storage of data outside their physical country borders: India, Switzerland, Germany, Australia, South Africa and Canada • EU: Data Protection Directive; Safe Harbor Principles – no sending PII outside European Economic area unless protections guaranteed • USA: US Patriot Act, 40+ states have breach notification laws (25 states have exemption for encrypted personal data) • Canada: Freedom of Information and Protection of Privacy Act
  • 11.
    HONG KONG • Section33(2)(f) of Personal Data (Privacy) Ordinance, • Forming standards through HK/Guangdong Expert Committee on Cloud Computing Services and Standards • Guidelines and information via infocloud.gov.hk
  • 12.
    INTERCEPTION OF COMMUNICATIONS: REGULATIONSIN HK • Article 30 of the Basic Law: freedom and privacy of communication of Hong Kong residents shall be protected by law • Law enforcement agencies: Interception of Communications and Surveillance Ordinance (Cap 589) • Non-public officers and non-governmental bodies: Telecommunications Ordinance (s24, s27, s29), Personal Data (Privacy) Ordinance, s161 of Crimes Ordinance
  • 13.
    TWO ISSUES TOTHINK ABOUT - Data residency: Transfer of personal information or moving data storage device outside of local jurisdiction - Data encryption: Data should be encrypted before being sent to the cloud, and that data owner retains the encryption keys
  • 14.
    KEY QUESTIONS TOASK • What do we need? What is our goal? • Where are the risks? • What are the systems, processes, policies and practices we need to mitigate risks? • How to protect our data assets and keep cloud platform secure? • How to ensure transparency and compliance? • How to evaluate potential cloud service providers?
  • 15.
    CRITICAL AREAS Governance Operation Governance andEnterprise Risk Management Traditional Security, Business Continuity and Disaster Recovery Legal and Electronic Discovery Data Center Operations Compliance and Audit Incident Response, Notification and Remediation Information Lifecycle Management Application Security Portability and Interoperability Encryption and Key Management Identity and Access Management Virtualization
  • 16.
    PLANNING AHEAD: STRATEGIC APPROACH •Service models: SaaS, PaaS, IaaS? • Multiple layers: Physical security (facilities) Network security (infrastructure) System security (IT systems) Application and data security
  • 17.
    IDENTIFY, LOCATE ANDDEFINE THE RISKS Identification and valuation of assets Identification and analysis of threats and vulnerabilities Risk and incident scenarios Analysis of the likelihoods of scenarios, risk acceptance levels and criteria risk treatment plans with multiple options (control, avoid, transfer, accept)
  • 18.
    CONSISTENCY BETWEEN YOU ANDYOUR PROVIDER • Alignment of impact analysis criteria and definition of likelihood • Specify assessment and risk management requirement e.g. vulnerability assessment, audit logs, activity monitoring • Detailed in Service Level Agreements, contract requirements, and provider documentation
  • 19.
    OPERATION: KEY AREAS •Disaster Recovery and Business Continuity • Breach notification and data residency • Data management at rest • Data protection in motion • Encryption key management • Identification and Access controls • Long-term resiliency of the encryption system
  • 20.
    Charles Mok Legislative Councillor(Information Technology) [email protected] www.charlesmok.hk Facebook: Charles Mok B Twitter: @charlesmok