State regulation of information protection in the cloud: international and Kazakhstani experience
Vsevolod Shabad
+7 777 726 4790
vshabad@vshabad.com
Briefly about me: the international octopus
• IT
• Cybersecurity
• Cloud Technologies
• Risk Management
• Compliance
• Data Science & ML
• Project Management
• Culture Changes
• Fraud Prevention
🇷🇺 🇰🇿 🇷🇸 🇧🇬 🇸🇬 🇹🇷
Introduce YOURSELF and share YOUR expectations!
Due Care is the bridge between “paper” and “real” cybersecurity shores
• Incident Management*
  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation
  • Lessons learned
• Vulnerability Management
• …
* These phase names are taken from the CISSP CBK Reference (6th Edition)
You are guilty by default! (unless you show the documents and real security measures)
All things should be balanced
Three sorts of cloud regulations
• Personal data
• Critical infrastructure
• Specific industry regulations (banks, …)
Three sides of regulations
• Company
• Government
• Customers
Formal compliance with law* vs. the real concerns of regulators*
* Kazakhstan also requires hosting the resources in the .KZ and .ҚАЗ domain zones on the territory of Kazakhstan
Why does personal data protection matter here?
• Privacy is one of the fundamental human rights
  • Article 8 of the European Convention on Human Rights (47 countries)
  • Article 18 of the Constitution of the Republic of Kazakhstan
• Fines for violations of personal data protection rules can be very severe (hundreds of millions of euros)
• It is relatively easy to prove violations of personal data protection rules
• Even if the cloud provider is guilty of violations, the company still has primary responsibility for them
Key terms of GDPR
• ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
• ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
This means that, in the vast majority of cases, the company itself as a Data Controller is accountable for personal data protection violations unless it proves that the cloud provider committed violations by going beyond the company's instructions (i.e. by turning from a Data Processor into a Data Controller role)
Why does critical infrastructure matter here?*
• In some cases, national laws on the protection of critical infrastructure may apply to web applications
• EU directive 2022/2555 (NIS2) scope includes the following companies (Paragraph 6 of Annex II “Other Critical Sectors”):
  • Providers of online marketplaces
  • Providers of online search engines
  • Providers of social networking services platforms
Small or medium-sized enterprises are mostly out of the scope of the NIS2 directive
* In Kazakhstan, the government defines a specific list of critical entities; in Europe – only the sectors of the economy
What are regulators concerned about?
• Violation of the rights and freedoms of citizens as the "weak side" in relation to companies (service providers)
• A large-scale threat to the life and health of citizens – for example, if an adversary attacks the city's water purification system
• A threat to the entire industry – for example, a general banking panic following a large-scale cyber incident in a leading bank, if the information gets publicised in the press
State protection of citizens' rights and freedoms is key to gaining public trust and, consequently, fostering economic development! To ensure productive discussions with regulators, it's crucial to debate not only various prohibitions but also the impact of these restrictions on the industry and the country's overall economy!
What are regulators concerned about?
Typical examples of situations when a regulator should intervene:
• Unlawful disclosure of personal data
• Unlawful collection of personal data
• Unlawful cross-border transfer of personal data
• Inaccessibility of critical information infrastructure
• Unlawful disclosure of banking secrecy
• …
The regulator intervenes not only when an incident occurs or a complaint is received! The regulator closely monitors and may initiate an investigation on its own initiative if the company is a dominant market participant or if the regulator considers its activities to be excessively risky
Personal data (Luxembourg, EU)
• Legislation – GDPR (2016)
• (Non-obvious) Scope of application – any company monitoring subjects’ behaviour within the EU territory (Anti-DDoS? Cookie?)
• Legal fines – from €10M / 2% of worldwide annual turnover up to €20M / 4% of worldwide annual turnover
• Maximum actual fine – Amazon, 2021 (€746M)
(Photo: Jeff Bezos, ex-CEO @ Amazon)
Personal data (UK)
• Legislation – UK Data Protection Act (1998), the predecessor of GDPR
• Case: large-scale data leak at the US credit bureau Equifax (2017)
• The number of affected personal data subjects is 146 million, including 15.7 million Britons
• A fine of £500’000 in the UK (in addition to the $575M in the US)
• The CEO resigned
(Photo: Richard Smith, ex-CEO @ Equifax)
Personal data (Singapore)
• Legislation – Personal Data Protection Act 2012
• (Non-obvious) Scope of application – any company monitoring subjects’ behaviour within the Singapore territory (Anti-DDoS? Cookie?)
• Legal fines – up to 10% of the organisation’s annual turnover in Singapore
• Possibility of up to 3 years in prison for individuals
• Maximum actual fine – 250K SGD ($188K) for SingHealth and 750K SGD ($564K) for IHiS
(Photo: Bruce Liang, CEO @ IHiS)
Personal data (Kazakhstan)
• Legislation – Kazakhstan Law № 94-V "On Personal Data and Their Protection”
• Scope of application – the territory of Kazakhstan
• Legal fines – up to 1000x the minimum salary (about $7600)
• Maximum actual fine – 100x the minimum salary, and 500x the minimum salary in case of non-compliance with a lawful order to eliminate violations
Critical infrastructure and industry regulations
• Germany (EU) – the German Federal Network Agency (Bundesnetzagentur) imposed a €10M fine in 2018 on energy company Energieversorgung Offenbach (EVO) for insufficient cybersecurity measures
• USA – the Federal Energy Regulatory Commission (FERC) imposed a $10M fine on Duke Energy in 2018 for insufficient cybersecurity measures
• Kazakhstan (the maximum actual fine is 100x the minimum salary):
  • for 2022 – 48 officials were held liable for the amount of 1’172’475 KZT and 17 legal entities for the amount of 3’492’535 KZT
  • for 1Q 2023 – 74 officials were held liable for the amount of 2’026’875 KZT and 8 legal entities for the amount of 672’750 KZT
Who can cause the most damage in the case of cybersecurity negligence? Government!
Five key obligations of the company
• Process customer information in accordance with the stated purposes
• Respond to legitimate customer requests (for example, providing a copy of collected PII)
• Notify the regulator and customers about incidents on time
• Provide localisation of personal data
• Have a functioning ISMS
  • sometimes regulators make very detailed requirements
What does cloud migration give?
Pros:
• Ability to delegate many security functions to a cloud provider
• Ability to quickly and cheaply automate many security processes
• Ability to quickly and cheaply provide scalability & redundancy for the online services
Cons:
• Necessity to delegate many security functions to a cloud provider
• Risk of violation of some legal requirements (for example, localisation of PII)
• Risk of misuse of data by a cloud provider (especially SaaS)
Some examples – ISO 27001:2022, Annex A
• 8.5 “Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control”
• 8.11 “Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration”
• 8.16 “Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents”
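Controls 8.11 (data masking) and 8.16 (monitoring) meet in one practical place: the log pipeline. The following is an added example, not code from the presentation or from any standard, showing a masking step for log lines before they reach a monitoring system, plus a detection check that flags lines where a card number (PAN) still appears in clear. The log lines, the test card number and the order id are constructed; the Luhn check keeps ordinary 13-digit identifiers from being masked by mistake.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens, ending on a digit so no trailing separator is consumed.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample log lines (not real customer data): the PAN is the
# well-known Visa test number, the order id is a plain 13-digit sequence.
LOG_LINES = [
    "2024-05-03T10:15:02Z payment ok pan=4111 1111 1111 1111 order=1234567890123",
    "2024-05-03T10:15:07Z password reset requested for alice.smith@example.com",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw  # not a card number (order id, counter, ...): leave it alone
    # Keep at most the first six and last four digits, as PCI DSS permits for display
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_email(match: re.Match) -> str:
    local, _, domain = match.group(0).partition("@")
    return local[0] + "***@" + domain


def mask_line(line: str) -> str:
    """Masking step (8.11): applied to each log line before shipping it to the SIEM."""
    return EMAIL_RE.sub(_mask_email, PAN_RE.sub(_mask_pan, line))


def contains_pan(line: str) -> bool:
    """Detection step (8.16): True if a Luhn-valid card number is present in clear."""
    return any(luhn_valid(re.sub(r"[ -]", "", m)) for m in PAN_RE.findall(line))


if __name__ == "__main__":
    for line in LOG_LINES:
        print(mask_line(line), "| PAN in clear:", contains_pan(line))
```

The detection function is meant to run on the output of the masking step: any hit there means a new log source is writing card data that the masking rules do not yet cover, which is exactly the anomaly 8.16 asks you to evaluate.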
Another example – PCI DSS compliance checking
The infrastructure is separated, but the cybersecurity processes are end-to-end!
Through 2025, 99% of cloud security failures will be the customer’s fault (https://www.gartner.com/smarterwithgartner/is-the-cloud-secure)
AWS Shared Responsibility Model
For instance: Incident Management is an end-to-end process, and the orchestration of components and tools (AWS GuardDuty, SNS, Lambda Functions, ...) is always the company's responsibility!
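To make the "orchestration is the company's responsibility" point concrete, here is an added example (not from the presentation and not AWS sample code) of the glue a company has to write itself: a Lambda handler that receives a GuardDuty finding via EventBridge, maps the provider's numeric severity onto the bank's own incident classes, and routes the result to an SNS topic for paging or ticketing. The event, account id, finding id and topic variable names (PAGER_TOPIC_ARN, TICKET_TOPIC_ARN) are placeholders chosen for the example; the publisher is injectable so the triage logic runs and can be tested without AWS credentials.

```python
import json
import os

# GuardDuty severity bands: 7.0-8.9 High, 4.0-6.9 Medium, 1.0-3.9 Low.
SEVERITY_BANDS = [(7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW")]

# Constructed sample EventBridge event carrying one GuardDuty finding.
# Account id, finding id and instance id are placeholders, not real identifiers.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "region": "eu-central-1",
    "detail": {
        "id": "00000000000000000000000000000000",
        "accountId": "123456789012",
        "region": "eu-central-1",
        "severity": 8.0,
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "title": "Credentials for instance i-0000000000000000 used outside AWS",
        "resource": {"resourceType": "AccessKey"},
    },
}


def severity_label(score: float) -> str:
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "LOW"


def triage_finding(event: dict) -> dict:
    """Map a raw finding to the bank's own incident record and routing decision."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    label = severity_label(float(d["severity"]))
    return {
        "finding_id": d["id"],
        "account": d["accountId"],
        "region": d["region"],
        "type": d["type"],
        "severity": label,
        # High findings page the on-call responder; everything else goes to the ticket queue
        "route": "pager" if label == "HIGH" else "ticket",
        "message": f"[{label}] {d['title']} ({d['type']}) in {d['accountId']}/{d['region']}",
    }


def _sns_publish(route: str, message: str) -> None:
    """Real publisher: topic ARNs come from environment variables set on the Lambda
    (assumed names PAGER_TOPIC_ARN / TICKET_TOPIC_ARN). boto3 is imported lazily so
    the triage logic can be exercised without AWS."""
    import boto3
    topic_arn = os.environ["PAGER_TOPIC_ARN" if route == "pager" else "TICKET_TOPIC_ARN"]
    boto3.client("sns").publish(TopicArn=topic_arn, Message=message)


def lambda_handler(event: dict, context=None, publish=_sns_publish) -> dict:
    """Lambda entry point; `publish` is injectable so a test can capture what was sent."""
    record = triage_finding(event)
    publish(record["route"], json.dumps(record))
    return record


if __name__ == "__main__":
    sent = []
    print(lambda_handler(SAMPLE_EVENT, publish=lambda route, msg: sent.append((route, msg))))
    print(sent)
```

The severity thresholds and the pager/ticket split are the company's decisions, not the provider's: GuardDuty only emits the finding, and nothing about reporting deadlines to the regulator or hand-off to the responder exists until this layer is built and tested.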
What can we do?
• Choose the cloud provider wisely
  • Pay attention to the SOC 2 or ISO 27017 certification of the cloud provider
• Build and certify an end-to-end ISMS
  • Build a reasonable threat model and an ISMS on this basis
• Ensure formal compliance of the ISMS with the legal requirements
  • Remember – there are many regulators, and often their requirements are challenging to satisfy at the same time
• Informally reconcile the threat model and ISMS with regulators
  • The key is to listen to concerns and answer them convincingly
• Test the end-to-end processes of the ISMS
  • The test results, including unsuccessful ones, are convincing evidence of the effectiveness of the ISMS for both regulators and customers
• Migrate applications and data to the cloud in stages
Example
• A Kazakhstani bank plans to host some applications in a well-known foreign public cloud
• Inventory of applicable legislation and regulators
• Shortlisting suitable cloud providers
• Development of a threat model (STRIDE) and planning of security controls (Preventive, Detective, Reactive) with the involvement of cloud provider architects
• Approving the threat model and security controls with your lawyers and regulators
• Implementing security controls and staged migration of applications and data to the cloud
Example: what should we be concerned about?
• Cross-border transfer of personal data (Legislation – Article 16 of Kazakhstan Law № 94-V "On Personal Data and Their Protection”, GDPR Chapter V):
  • The explicit client consent (with the opportunity for withdrawal at any time)
  • The possibility of restricting access to the client’s data (when consent is withdrawn) in case the data cannot be deleted
  • The presence of the country where the data centre of the selected cloud provider region is located in the list of approved countries (European Commission Adequacy Decision – https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)
  • The explicit explanation of why the selected country ensures the proper protection of personal data (Article 16.22 of Kazakhstan Law № 94-V)
• Local storage of personal data (Article 12 of Kazakhstan Law № 94-V)
Example: what should we be concerned about?
• The necessity to encrypt data in the cloud with a key on the bank's side (National Bank Rules # 48, Article 60.2)
  • Use only cloud services that support KMS (such as AWS DynamoDB or Azure SQL)
  • Use KMS with keys generated in an on-premises HSM (for example, Azure Key Vault Managed HSM and the AWS KMS custom key store allow this)
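Whether a given service really is encrypted under a bank-controlled key is something to verify continuously, not only at design time. The following is an added example (not from the presentation, not AWS code) of such an audit on the AWS side, using DynamoDB because the slide names it: it classifies each KMS key by where its key material came from, then resolves each table's encryption key against that classification and lists the tables that fall short of the "key on the bank's side" requirement. The KeyMetadata and DescribeTable records, key ids, ARNs and the account number are constructed placeholders; the `fetch_from_aws` helper shows how the same records would be collected live and is not executed here.

```python
# KMS key origins whose key material was generated outside AWS KMS: imported by
# the bank (BYOK), held in a CloudHSM-backed custom key store, or held in an
# external key store. Only these keep the key on the bank's side.
BANK_CONTROLLED_ORIGINS = {"EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"}

# Constructed KMS DescribeKey 'KeyMetadata' records (ids are placeholders).
SAMPLE_KEYS = [
    {"KeyId": "11111111-1111-1111-1111-111111111111", "KeyManager": "CUSTOMER",
     "Origin": "AWS_KMS", "KeyState": "Enabled"},                      # material generated by KMS
    {"KeyId": "22222222-2222-2222-2222-222222222222", "KeyManager": "CUSTOMER",
     "Origin": "EXTERNAL", "KeyState": "Enabled"},                     # imported from on-prem HSM
    {"KeyId": "33333333-3333-3333-3333-333333333333", "KeyManager": "CUSTOMER",
     "Origin": "AWS_CLOUDHSM", "CustomKeyStoreId": "cks-placeholder",
     "KeyState": "Enabled"},                                           # custom key store
    {"KeyId": "44444444-4444-4444-4444-444444444444", "KeyManager": "AWS",
     "Origin": "AWS_KMS", "KeyState": "Enabled"},                      # AWS managed key
]

# Constructed DynamoDB DescribeTable 'Table' fragments, keyed by table name.
_ARN_PREFIX = "arn:aws:kms:eu-central-1:123456789012:key/"
SAMPLE_TABLES = {
    "cards-ledger": {"SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                     "KMSMasterKeyArn": _ARN_PREFIX + "22222222-2222-2222-2222-222222222222"}},
    "session-cache": {"SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                      "KMSMasterKeyArn": _ARN_PREFIX + "11111111-1111-1111-1111-111111111111"}},
    "audit-log": {},  # no SSEDescription block: encrypted with the AWS owned key only
}


def classify_key(meta: dict) -> str:
    if meta.get("KeyManager") == "AWS":
        return "aws_managed"        # AWS managed key: the bank never holds the material
    if meta.get("Origin") in BANK_CONTROLLED_ORIGINS:
        return "bank_controlled"
    return "aws_generated"          # customer managed, but the material was made by KMS


def key_id_from_arn(arn: str) -> str:
    return arn.rsplit("key/", 1)[-1]


def table_key_status(table: dict, key_index: dict) -> str:
    sse = table.get("SSEDescription") or {}
    arn = sse.get("KMSMasterKeyArn")
    if not arn:
        return "aws_owned"          # default encryption, no customer key involved at all
    meta = key_index.get(key_id_from_arn(arn))
    return classify_key(meta) if meta else "unknown_key"


def audit_tables(tables: dict, keys: list) -> dict:
    index = {k["KeyId"]: k for k in keys}
    return {name: table_key_status(desc, index) for name, desc in tables.items()}


def non_compliant(tables: dict, keys: list) -> list:
    """Tables whose encryption is not rooted in a bank-controlled KMS key."""
    return sorted(n for n, s in audit_tables(tables, keys).items() if s != "bank_controlled")


def fetch_from_aws(kms, dynamodb):
    """Live collection with boto3 clients (not run here); yields the same record shapes."""
    keys = [kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
            for page in kms.get_paginator("list_keys").paginate() for k in page["Keys"]]
    tables = {name: dynamodb.describe_table(TableName=name)["Table"]
              for page in dynamodb.get_paginator("list_tables").paginate()
              for name in page["TableNames"]}
    return tables, keys


if __name__ == "__main__":
    print(audit_tables(SAMPLE_TABLES, SAMPLE_KEYS))
    print("non-compliant:", non_compliant(SAMPLE_TABLES, SAMPLE_KEYS))
```

Note the two ways a table can fail: a customer-managed key whose material KMS generated itself (the bank can revoke access but never held the key), and the service default where no customer key is configured at all. Both look "encrypted" in the console; only the origin check distinguishes them.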
Brief Summary: success factors for migration to the public cloud
• A clear reason for doing it (mission, values, risks)
• Understanding applicable legislation
• Risk-driven ISMS with end-to-end processes
• Respectful, risk-based conversations with regulators
• A competent team supported by management
I'll be happy to help in any way I can!
+7 777 726 4790
vshabad@vshabad.com
https://linkedin.com/in/vshabad
