Call for Contributions on Cloud Computing




Consultation procedure open from 17 October to 17 November 2011




Information details on Contributor

(all data are optional)

Name of company:

Business sector:

Country of primary head office:

For Cloud Computing, you are:

A service Provider

A Client

 

Please return the completed questionnaire below
- by e-mail to consultationcloud@cnil.fr
- via postal mail to:

Commission Nationale Informatique et Libertés

Service des affaires européennes et internationales

8 Rue Vivienne

75002 Paris, France.

Terminology / Abbreviations:

In the context of this request for contributions, the term “Provider” designates the companies offering Cloud Computing services, and the term “Client” designates the companies or public administrations who are the clients of Cloud Computing providers.

I. Definition of Cloud Computing

    A. CNIL’s assessment

Since the term Cloud Computing is recent and covers numerous concepts, there is still no consensus on a single definition.



    B. Proposed solution

We believe that the most appropriate approach to any definition should be based on the features specific to Cloud Computing.


Accordingly, the CNIL suggests the following set of features to characterise a Cloud Computing service:


  • simplicity of an on-demand service: any user may unilaterally, immediately and generally without any human intervention, have access to the IT resources they need (server computing time, storage capacity, etc.).




  • extreme flexibility: the resources made available can be scaled up or down quickly to match the user’s requests, generally in a way that is fully transparent to the user.




  • “light-client” access: access to the resources requires no specific hardware or proprietary software. Access is gained via readily available (and sometimes free1) applications, generally from a simple Internet browser.




  • virtualisation of resources: the Provider’s IT resources are shared among a multitude of machines, and frequently distributed across several hosting centres (possibly in various locations across the world).




  • “pay per use”: payment for Cloud Computing services may be made in proportion to actual use of the service.


    C. Question

In your opinion, does this set of features enable the proper characterisation of a Cloud Computing service? Should this set of features be complemented?




Reply




II. Qualification of stakeholders: towards a presumption of subcontracting?
A. Principle
Under Article 3 of the French Data Privacy Law of 1978, the Data Controller is defined as “a person, public authority, department or any other organisation who determines the purposes and means of the personal data processing”.

The Processor is defined as the subcontractor who processes the personal data on behalf of and according to the instructions of the Data Controller.


B. Proposed solution
      1. Client


The Client will always be responsible for the processing as Data Controller. By collecting data and deciding to outsource their processing to a service provider, the Client retains full responsibility for the data processing, since the Client also defines the purposes and means of data processing.


      2. Provider


In principle, the Provider acts on behalf of and according to the instructions of the Client acting as Data Controller.
Accordingly, it would appear reasonable to establish a presumption that the Provider acts as Data Processor in the context of the relationship between the Client and the Provider.
Such a presumption is particularly appropriate where the Client uses a private Cloud2, which gives it extensive control over how the Cloud Computing service is performed.
Conversely, where the Client uses a public Cloud3, the respective roles of the Client and the Provider may prove difficult to determine, and will also depend on the type of services subscribed to by the Client. In this case, the CNIL proposes that the above presumption be set aside in favour of a set of criteria for determining the margin of manoeuvre available to the Provider in performing the service.



Criterion | Meaning
Instruction level | Assess to what extent the Provider is bound by the Client’s instructions.
Level of control over the performance of the service | Assess the level of constraint that the Client may impose on the Provider.
Expertise of the Provider | Assess the Provider’s level of expertise, to find out to what extent it controls the data processing.
Level of transparency of the Provider in the service provision | Find out to what extent the identity of the Provider is known to the stakeholders. If this identity is known to the persons using the Client’s services, then the Provider may be presumed to act as a de facto Data Controller.

Applying these criteria will make it possible, among other things, to take into account the highly standardised nature of Cloud Computing offers, which generally gives the Provider extensive control over the service.



The following analysis is submitted by the CNIL for consultation:
- The Client is necessarily regarded as the Data Controller.

- The Provider is presumed to be a subcontracted Processor, unless applying the above criteria leads to setting aside this presumption, thereby demonstrating that the Provider acts as the de facto Data Controller.

In the context of the revision of the EU Directive on data protection, it would be of interest to look at the possible creation of a legal status for the subcontracted Processor, in order to assign a number of specific requirements to said Processor.


  C. Questions


In your opinion, does the above analysis reflect the specific features of Cloud Computing? Why?



Reply

What is your opinion on a specific legal status for service providers?





Reply


III. Applicable law

Since Cloud Computing relies on multiple servers located in various places in the world, determining the applicable law is difficult: because data transfers are flexible and fluid, as many laws are potentially applicable as there are countries hosting data processing servers.
Yet, it is essential to identify which law is applicable, in particular to determine which legal obligations are enforceable on the Data Controller.

    A. Principle

Under Article 5 of the French Data Privacy Law of 6 January 1978 as amended, the French law applies if the Data Controller:




  • “is established on French territory”,




  • or “uses means of processing located on French territory” (without being established in any other EU Member State).

    B. Avenues of investigation


While the CNIL is in favour of extending the concept of “processing means”, it nevertheless wishes to mitigate any excessive consequences of an abusively broad interpretation of “processing means” and any potentially systematic application of French law.

    C. Question

In your opinion, which criteria would enable the determination of applicable law to Cloud stakeholders?




Reply



IV. Regulating framework for data transfers
    A. Principle

Under Article 68 of the French Data Privacy Law of 1978, personal data may only be transferred to recipients in countries outside the EU if the recipient State provides an adequate level of data and privacy protection. Article 69 of the Law expressly specifies the instruments that may be used to regulate such transfers: standard contractual clauses, Binding Corporate Rules (BCRs), Safe Harbor, or exceptions.


Using such instruments requires knowing the country or countries to which the data are to be transferred, which is essential to complete the required declaration or authorisation formalities with the CNIL and to inform the data subjects of the transfers to those countries.
However, Cloud Computing most frequently involves no stable location for the data at all. The Client is therefore rarely in a position to know in real time where the data are located, stored or transferred.
In this context, the legal instruments that provide a framework for data transfers to non-EU countries lacking adequate protection have shown their limits.
In addition, there are exceptions to the principle prohibiting such transfers.

    B. Proposed solutions



(i) From a legal standpoint

The growing number of data storage locations makes it difficult to enforce any legal instrument that would guarantee an adequate level of protection.


The CNIL therefore proposes that 1) service providers should incorporate standard contractual clauses into the service provision contracts, and 2) the feasibility of Binding Corporate Rules (BCRs) for subcontracted Processors should be investigated.
Such BCR for processors would enable the Provider’s client to entrust their personal data to this subcontracted Processor while being assured that the data transferred within the Provider’s business scope would receive an adequate protection level.
(ii) From a technical standpoint
Regulatory control over data transfers could also depend on the technical solutions used. For instance, some Providers mention the use of “metadata”4 (data attached to a data item to describe it, whatever its medium, print or electronic) to tag data with the geographic scope within which they may be transferred, or homomorphic encryption solutions5.
Encryption could also be regarded as a satisfactory way of ensuring that data are usable only in predetermined countries, since encrypted data remain unreadable wherever the keys are not available.
In such cases, the Client could truly fulfil its role as Data Controller by defining the recipient countries for the data even before the service is performed.

In practice:


  • The Cloud Computing Provider, whether Data Controller or Processor, will have to obtain an approval of its BCRs from European data protection authorities, based on the current procedure.

  • The Client will submit its request for data transfer authorisation to the data protection authorities, based on the previously approved BCRs of the Provider.



    C. Questions

      1. Which of the existing instruments do you think are most suitable for Cloud Computing?





Reply

      2. How are you regulating the data transfers carried out in the context of the Cloud Computing service you provide or to which you have subscribed?





Reply

      3. Do you think that BCRs for the subcontracted Processor are an interesting solution? What type of mechanism would you consider for these BCRs?





Reply

      4. Have you already thought about technical solutions that would enable you to better identify and control data flows in the context of Cloud Computing services?





Reply




V. Data security
The issues of security and confidentiality of data outsourced to the Cloud, as covered under Article 34 of the French “Informatique et libertés” Law, are generally one of the top concerns for users6.
In the case of an organisation subscribing to a Cloud Computing service, the management of data security is largely delegated to the Provider, from whom it is often difficult to obtain guarantees on the actual security level. Under Article 35 of the French law, the subcontracted Processor “shall offer adequate guarantees to ensure the implementation of the security and confidentiality measures mentioned in Article 34”7, while the Data Controller has the “obligation to supervise the observance of such measures [of security and confidentiality]”7.
In addition, the same Article provides that “The contract between the Processor and the Data Controller shall specify the obligations incumbent upon the Processor as regards the protection of the security and confidentiality of the data and provide that the Processor may act only upon the instruction of the Data Controller”.
It is therefore necessary for these security requirements to be materialised in a contract. In particular, it is essential that the roles and responsibilities of the parties be clearly defined in advance, in order to ensure efficient processing of any incident that might lead to a loss or disclosure of personal data.

Question
What are your views on the contractual relations between the Client and the Provider regarding security measures and compliance with Articles 34 and 35 of the French Data Privacy Law (“Informatique et libertés”)?



Reply



    A. Risks specific to Cloud Computing
A risk assessment8 is recommended prior to drafting any data security policy, in particular for large IT systems. This recommendation was previously formulated by ENISA9 in its report published in November 2009 entitled “Cloud Computing: Benefits, risks and recommendations for information security”10, and by ANSSI in its more general report on “Outsourcing of IT systems – Risk management”, published on 19 March 201011.
This risk assessment should in particular factor in the nature of the organisation using the Cloud Computing service and the type of data processed in the Cloud.
The CNIL therefore believes that a risk analysis approach to assess the impact of switching over to Cloud Computing, should be adopted by all Data Controllers wishing to use Cloud Computing for some of their personal data processing operations.

Question:
What are your views on the recommendation to conduct a risk assessment before switching over to Cloud Computing?


Reply

    B. Assessments and proposals on data security

        1. Security aspects to be boosted


When using Cloud Computing services, the CNIL recommends that some aspects of data security should be looked at carefully:

  • external protection of the network (firewalls, proxy server with content analysis, intrusion detection, etc.)

  • protection of the terminal (PC, laptop, PDA, mobile phone): antivirus, regularly updated operating system and software, firewall12.

  • encryption of communication links13 to ensure the confidentiality of data exchanges

  • traceability: keep a record of connections and of operations performed14 on the data (in many service offers, including those aimed at large companies, “administration”-type events, such as the creation or deletion of accounts or the granting of access to data, are not recorded).

For Providers offering services to private companies or public administrations, the following could be added:



  • management of authorisations, e.g. the account of an employee who left the organisation must be immediately deactivated, since they could still have access to the IT systems even though they no longer have access to the physical premises.

  • authentication: similarly, the authentication process must be strengthened. Strong authentication is indispensable whenever the data accessed are sensitive and/or large in volume.


Questions:
What are your views on this analysis? In your opinion, which security measures should the CNIL highlight to draw the attention of Data Controllers?



Reply




        2. Access by administrators and encryption

In the absence of any encryption at the data storage level, which is very frequently the case, the IT administrators15 of the Provider have full access to the data of their Clients16.


One way to obtain at least partial protection against such risks is to ensure that the Provider’s administrators are bound by a confidentiality clause in their employment contract or have signed a specific non-disclosure agreement. In addition, it is recommended to record the administrators’ actions in logs that are not accessible to them.
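One way to make such administrator logs tamper-evident, as an added example in Go that is not part of the CNIL’s text: every entry carries an HMAC-SHA256 chained to the previous entry under a key the administrators do not hold. The key, the field names in the log lines and the idea that the Client periodically receives the latest chain value out of band are all assumptions of this example; the log lines are constructed samples.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEntry is one administrator action as appended by the logging pipeline.
// MAC chains the entry to its predecessor: HMAC-SHA256(key, prevMAC || 0x00 || Line).
type AuditEntry struct {
	Line string
	MAC  string
}

// entryMAC computes the chain value for one line given the previous MAC
// (empty string for the first entry).
func entryMAC(key []byte, prevMAC, line string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(prevMAC))
	m.Write([]byte{0}) // separator so the prevMAC/line boundary is unambiguous
	m.Write([]byte(line))
	return hex.EncodeToString(m.Sum(nil))
}

// Append adds a line to the chained log and returns the new slice.
func Append(key []byte, entries []AuditEntry, line string) []AuditEntry {
	return append(entries, AuditEntry{Line: line, MAC: entryMAC(key, Head(entries), line)})
}

// Head returns the MAC of the last entry; the Client keeps a copy of it out of
// band (assumption: sent to the Client at regular intervals).
func Head(entries []AuditEntry) string {
	if len(entries) == 0 {
		return ""
	}
	return entries[len(entries)-1].MAC
}

// Verify recomputes the chain. It returns the index of the first entry whose
// MAC does not match (-1 if the chain is internally consistent) and whether
// the final MAC equals the head obtained out of band. A chain that is
// consistent but ends at a different head has been truncated.
func Verify(key []byte, entries []AuditEntry, knownHead string) (badIndex int, headOK bool) {
	prev := ""
	for i, e := range entries {
		if !hmac.Equal([]byte(e.MAC), []byte(entryMAC(key, prev, e.Line))) {
			return i, false
		}
		prev = e.MAC
	}
	return -1, prev == knownHead
}

func main() {
	// Assumption: this key is held by the Client or an independent audit
	// function, never by the Provider's administrators.
	key := []byte("constructed-demo-key-held-by-the-client")
	var entries []AuditEntry
	// Constructed sample administrator events.
	for _, line := range []string{
		"2011-10-17T09:12:03Z admin=jdoe action=account.create target=uid=4242",
		"2011-10-17T09:40:51Z admin=jdoe action=data.read target=bucket=client-a/payroll.csv",
		"2011-10-17T10:02:17Z admin=msmith action=account.delete target=uid=4242",
	} {
		entries = Append(key, entries, line)
	}
	head := Head(entries)
	bad, ok := Verify(key, entries, head)
	fmt.Println("intact chain: first bad index", bad, "head matches", ok)

	// An administrator with write access to the log removes the data.read entry.
	tampered := []AuditEntry{entries[0], entries[2]}
	bad, ok = Verify(key, tampered, head)
	fmt.Println("after deletion: first bad index", bad, "head matches", ok)
}
```

Deleting or rewriting any earlier entry breaks the chain at that point; cutting entries off the end leaves a consistent chain, which is only caught by comparing the last MAC with the copy held outside the Provider’s control, hence the out-of-band head. The chain does not stop an administrator from reading the log, only from altering it unnoticed.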
However, for the Data Controller Client, encryption of the data stored in the Cloud constitutes the only way to prevent the Provider’s IT administrators17 from accessing the data entrusted to them.

Question
What are your views about encryption in the Cloud?



Reply




        3. Data destruction and reversibility

Once the service provision ends (account closed, contract terminated, etc.), it is important for the Client to ensure that the data previously entrusted to the Provider are no longer accessible to the Provider. Depending on the sensitivity of the data, the following measures may be required:



  • conventional deletion of data

  • “secure” deletion18 of data

  • return of storage media to the Client (hard disks, backup tapes) or physical destruction in the case of hardware dedicated to the Client (e.g. case of private Clouds); in such cases, it is important to plan for such measures from the onset in the contractual clauses19.
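An added example (not from the CNIL document) of the “secure” deletion described in footnote 18, in Go: the file is overwritten in place with random bytes for a configurable number of passes, each pass forced to the device with fsync, and only then unlinked. The file name, the pass count and the sample content are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// overwrite writes `passes` passes of random bytes over the first size bytes
// of f, syncing after each pass, and returns the total bytes written.
func overwrite(f *os.File, size int64, passes int) (int64, error) {
	buf := make([]byte, 64*1024)
	var written int64
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return written, err
		}
		for remaining := size; remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			if _, err := io.ReadFull(rand.Reader, buf[:n]); err != nil {
				return written, err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return written, err
			}
			remaining -= n
			written += n
		}
		// Force the pass to the device before starting the next one or unlinking.
		if err := f.Sync(); err != nil {
			return written, err
		}
	}
	return written, nil
}

// Shred overwrites a file's contents in place and then removes it.
// It returns the total number of bytes written across all passes.
func Shred(path string, passes int) (int64, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	info, err := f.Stat()
	if err != nil {
		f.Close()
		return 0, err
	}
	written, err := overwrite(f, info.Size(), passes)
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return written, err
	}
	return written, os.Remove(path)
}

func main() {
	f, err := os.CreateTemp("", "cnil-shred-demo-*")
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for data returned by the Provider.
	if _, err := f.WriteString("employee=4242;salary=3100;dept=finance\n"); err != nil {
		panic(err)
	}
	f.Close()
	written, err := Shred(f.Name(), 3)
	fmt.Println("bytes overwritten:", written, "err:", err)
	_, err = os.Stat(f.Name())
	fmt.Println("file removed:", os.IsNotExist(err))
}
```

Overwriting in place only reaches the blocks the filesystem currently maps to the file. On SSDs with wear levelling, on copy-on-write or journaling filesystems, and on Cloud storage that keeps snapshots, replicas and backups, earlier copies may survive, which is why the third option above (return or physical destruction of dedicated media) exists. Where the Client already encrypts its data on its own side, as discussed under access by administrators and encryption, destroying the key is the practical way to render every remaining copy unreadable.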

In addition, the issue of data reversibility should also be taken into account by the Client prior to subscribing to a Cloud Computing service. The Client may wish to retain the data entrusted to the Provider, and in such case, the Provider should plan to return the data in a standardised format that will enable the Client to reuse these data with another service provider or using a conventional software program.



Question:
What are your views about the return of data and reversibility?


Reply




        4. Standardisation: a potential solution?

All of the above-discussed issues could be partially addressed by bolstering the transparency from Cloud Computing providers about their security policies. It would be possible to boost the trust of clients and data protection authorities by adopting measures designed to certify the data centres, taking into account personal data protection without inducing any additional risks20. However, there are currently no existing security standards adapted to Cloud Computing that would fully factor in the issue of personal data protection.


The CNIL recommends that security standards incorporating the issue of personal data protection in the Cloud be defined and promoted by the industry in order to strengthen transparency for the clients.

Questions:

  • Do you approve of the CNIL’s analysis regarding the lack of any standards or certifications regarding personal data protection in Cloud Computing?




  • What proposals would you have on this subject regarding standardisation or certification?



Replies




1 A free application/software program is covered by a licence that allows anyone (without any compensation) to use, study, modify, duplicate and distribute it. A number of free operating systems also exist, such as Linux.

2 In a private Cloud, IT resources (infrastructure, applications, etc.) are available to and operated solely for a single organisation. The resources may be owned, managed and administered by the organisation itself, or by a third party. In all cases, the organisation generally has control over the related infrastructure and location of the data. Whenever the infrastructure is shared by several organisations supporting a specific community with shared concerns, the term of “Community Cloud” is used.

3 In a public Cloud, IT resources are operated by third parties and the tasks assigned by a large number of clients co-exist on the same servers, storage systems or other infrastructure component. The end user generally has no way to know which other users are present on the server, network or hard disk where the tasks are performed.

4 Method enabling a linkage of information specific to the data, and the determination of the geographic scope over which the data may be transferred.

5 Encryption scheme allowing the Provider to perform computations (for example aggregations) on encrypted data without being able to read their contents.

6 In a survey conducted by IDC Enterprise Panel (USA) in response to the question “Rate challenges/issues ascribed to the ‘Cloud’/on-demand model”, data security was rated at the top of concerns, with 74.6% respondents (source: NIST presentation on Cloud Computing and Security, available at: http://csrc.nist.gov/groups/SNS/Cloud-computing/Cloud-computing-v26.ppt).

7 Article 35 of the French “Informatique et libertés” Law.

8 The risk assessment method most frequently used in France was developed by the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI, formerly DCSSI), called “EBIOS” (see more on http://www.ssi.gouv.fr/site_article45.html).

9 European Network and Information Security Agency

10 This report identifies 35 risks specific to Cloud Computing. ENISA specifies the assessment to be conducted prior to the use of Cloud Computing by public administrations in a second report published in January 2011 entitled “Security & Resilience in the Governmental Clouds”, where ENISA provides an analytical guide for public administrations and generally recommends the use of private Clouds for which the risk/benefit ratio seems to be positive.

11 In particular, risks linked to location and pooled hosting.

12 Firewall used to filter incoming and outgoing connections. In this case, the firewall would take the form of a software program, or failing that, a functionality supplied by the operating system of the terminal.

13 E.g. by using HTTPS (HyperText Transfer Protocol Secure) to protect browser sessions.

14 In the case of an IaaS type offer, it will be important to activate the logs in the OS (security, system, application), and in the hardware infrastructure contributing to the network security (firewall, IDS). If SaaS type services are also provided, then a log of events must be kept (account creation, exports, read/write access) in the database and/or the related software application. In addition, access to the logs must be write-protected and limited to a minimum number of persons. Although generally managed by the Cloud Computing service provider, the logs should be accessible to the client (possibly on request).

15 Network/operating system, data base and application

16 Which may represent a very large volume of data, i.e. thousands of ADP clients, or millions of Google clients.

17 And therefore the Cloud Computing company itself.

18 Data deleted with the delete function of the OS can easily be recovered, even after emptying the recycle bin or reformatting the disk. Many programs on the market (some of them free, such as Recuva) can recover data after deletion or reformatting. This is why secure deletion software has been developed, which overwrites the deleted data with random bits.

19 Buyback of the media is sometimes possible but generally billed at a high cost.

20 Conversely, if each client had the ability of conducting audits of the data centre, such ongoing audits would induce new risks on the data security of the centre.
