Information

Date:
17.04. - 20.04.2012
Location:
Munich, Germany
Registration fee:
€1695.00
Contact person:

Mr. Levent Kara
+49 211 23707710
lk@kuppingercole.com





Legal & GRC

CIOs, CISOs, Data Protection Officers, Risk and Compliance Officers, Internal Audit, line managers and project managers confronted with legal and GRC issues, as well as everyone involved in Access Governance, IT GRC, and Business GRC projects. Learn what to look at from the legal perspective and how to build a real Enterprise GRC covering all types of risks and integrating the Business and IT view of GRC.

Moderation:

Wednesday, 18.04.2012
08:00-18:00 Check-in & Registration
08:30-09:00 tba
Prof. Dr. Eberhard von Faber, T-Systems
09:00-09:30 Securing Critical Banking Infrastructures in the Age of Cyber Warfare
Dr. Waldemar Grudzien, Association of German Banks
09:30-10:00 tba
Berthold Kerl, Deutsche Bank AG
10:00-10:30 Coffee Break, Expo Area
Cloud Legal, Privacy, Data Protection I
Moderator:
Dr. Jörg Hladjk, Hunton & Williams LLP
10:30-11:30 EU Privacy News
New EU Data Protection Rules: What will cause the most Pain, who will suffer and how can you gear up for them?
Dr. Jörg Hladjk, Hunton & Williams LLP

A draft of the new "General Data Protection Regulation" was officially published in January 2012. The draft Regulation intends greater harmonisation but will also bring a radical change to the existing legal framework and a significantly stricter data protection regime, requiring more action by companies, with tough penalties of up to 2% of the annual worldwide turnover for the most serious data protection violations. In this session, you will receive an overview of the new rules and learn how they will impact the way companies use and transfer personal data.

11:30-12:30 Unwanted Automated Profiling
Prof. Dr. Mireille Hildebrandt, Radboud University Nijmegen
12:30-14:00 Lunch Break, Expo Area
Cloud Legal, Privacy, Data Protection II
Moderator:
Dr. Jörg Hladjk, Hunton & Williams LLP
14:00-15:00 Avoiding hidden Clauses and other Pitfalls - How to Deal a Good Cloud Service Contract
Timothy R.W. Cowen, Sidley Austin LLP

As with all other immature and rapidly developing markets, there is often a significant difference between the expectations customers have when they contract a cloud computing service and the reality of what they get as one of many clients through some kind of standard contract. In this session, you will first and foremost learn that most if not nearly all existing standard contracts from large cloud providers are crap, how you can easily find out that they are crap, what your risks are if you sign such a contract, and what a fair deal would look like instead.

15:00-16:00 Identity Provider Business Models
Andrew Nash, Google
Axel Nennker, Deutsche Telekom Laboratories
Nat Sakimura, Nomura Research Institute
Don Thibeau, OpenID Foundation

Connecting who we are in the physical world to our online identity is at the center of some of today’s most important technical, commercial and policy issues. Verifying who we are, whether on the Internet, on the phone or while watching television, touches what we care about most: our security, privacy and how we do business. This agenda “unpacks” identity by reviewing the status of key identity standards like SAML, OAuth 2.0, OpenID Connect and Account Chooser by focusing on the roles of key players: policy makers, attribute and identity providers, and the economics of relying parties.

The panel will cover how identity providers can involve users in the release of information to the relying party websites that users visit. We’ll go beyond standards and talk about new incentives for attribute providers, and discuss business models for how to charge relying parties for this information. There will also be discussions of new methods used to authenticate users whether via a password, one-time-code, mobile phone, or other techniques.

16:00-17:00 Coffee & Networking, Expo Area
17:00-18:00 How the EU handles Citizen Privacy at Present and how it will evolve in the Future
Dr. Alea Fairchild, Constellation Research Group

Modern public administration involves an inherent conflict between better responsiveness to citizens as clients and effective collaboration with them as partners, given the role of government as data caretakers. Service provisioning to citizens as customers requires flexibility, yet the usage of data to serve these customers has to meet with regulatory policy and good common sense on data privacy.

The changing nature of our relationship as citizens with our different levels of government is partly driven by our ability to interact with government digitally: not only to give and receive information remotely, but also to query, to collaborate and to be citizen information providers, for example by reporting potholes, malfunctioning traffic lights or crime, and receiving updates as necessary. But one of the challenges in this evolving relationship is how the collaborating partners handle sensitive data, and how they respect each other’s requirements.

Panel: The Future of Citizen Privacy
Dr. Alea Fairchild, Constellation Research Group
Prof. Dr. Reinhard Posch, Republic of Austria
Colin Wallis, New Zealand Government
18:00-18:20 tba
André Durand, Ping Identity
18:20-18:40
18:40-21:00 European Identity Awards Ceremony & Buffet Dinner

Thursday, 19.04.2012
08:00-18:00 Check-in & Registration
08:30-09:00 How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile
Ralf Knöringer, Atos IT Solutions and Services GmbH

Identity and access management has evolved from the needs of large organizations and international operating enterprises. Automated user and entitlement management enabled the IT organizations to reduce costs and increase efficiency.

Today, legal and regulatory compliance dominates the deployment of identity and access management solutions. The level of control therefore follows the risk exposure and the transparent risk taking of the business owners. Identity and access governance with comprehensive analysis and reporting functionalities ensures transparency of rights, roles and entitlements.

Customers demand modular and service-oriented offerings managing identity and access for on-premise environments and cloud infrastructures.

Enterprise customers and service providers benefit from perimeter-less security services like cloud SSO and entitlement services for mixed environments (on-premise, private, public and hybrid cloud). This keynote will present a look at existing and future scenarios.

09:00-09:30 tba
Prof. Dr. Kai Rannenberg, Goethe University in Frankfurt
09:30-10:00 Trust and Complexity in Digital Space
Dr. Jacques Bus, Digital Enlightenment Forum

The concepts of trust and security are deeply embedded in our society and are therefore strongly affected by the societal transformation caused by the digitization. Societal and technical change is strongly influenced by the growing complexity of society related to the emergence of easy worldwide communication, the Web and mass data collection. In this paper I discuss security and trust as fundamental drivers for self-organizing communities in our society. I highlight the concepts of trustworthy technology and trust in the societal context, as well as the difference between accepting technology and trusting technology. An important observation is that a complex system cannot be fully understood through reductionism. The discussion leads to some cautious conclusions on future actions.

10:00-10:30 Coffee & Networking, Expo Area
Governance, Risk Management & Compliance (GRC)
Moderator:
Prof. Dr. Sachar Paulus, KuppingerCole
10:30-11:30 Maturing GRC
How to Mature GRC Processes Before you Buy a GRC Tool
Berthold Kerl, Deutsche Bank AG
Prof. Dr. Sachar Paulus, KuppingerCole
11:30-12:30 (Cloud) Access Risks
Identifying your Critical Information Assets. Moving from System Security to Information Security
Prof. Dr. Sachar Paulus, KuppingerCole

Classical IT security is centered around the assets governed by the IT organization, and therefore in practice "information security" and "IT security" are used to describe the same thing. Protecting the assets of the IT organization is good, but in the end the real value of security is to protect the assets that are important for the overall organization. This becomes obvious as IT services increasingly move into the Cloud and users increasingly bring their own devices to work with. Whoever wants to stay in the security game thus needs to switch from protecting IT assets to protecting the Information Assets which are critical to the organization.

This presentation will give an overview of how to move from IT and System Security to Information Security.

Managing Cloud Computing Access Risks
Kurt Johnson, Courion Corporation

Today’s cloud architecture increases the risk of access to a company’s critical data, such as intellectual property, personal privacy information, cardholder data, health information, financial data, etc. As a result, companies are asking themselves how they can ensure that their organization's most critical information is in the hands of the right individuals and that they're doing the right things with it.

During this panel session, we’ll outline what organizations need to do to identify, quantify, and manage the risk of information access in the cloud environment. We’ll discuss how companies need to determine what information presents the greatest risk and what access issues are the source of this risk. Next, learn how to present this information to your business colleagues in terms they understand, so that they know how this impacts the business. They must be able to translate this risk into underlying security issues and deconstruct the elements to identify the source of the risk and determine how to manage it. Simply identifying and quantifying the risk is not enough if you can't explain how to remediate and manage the risk. We’ll also explore the access assurance steps and automation needed to increase access controls to prevent future occurrences.

After this session, attendees will be able to:

  • define the practical steps needed to identify, quantify, and manage the risk associated with access in the cloud;
  • identify cloud access policies, the detective controls to continuously monitor risk and its source, the ability to remediate problems, and the preventative controls to better control risk moving forward;
  • analyze the elements of access risk and summarize why this should be among the top areas of concern for security professionals;
  • discuss how to effectively communicate access risk to business without slowing the business drivers of cloud migration; and
  • describe how to partner with business, audit, security, and cloud providers to create an effective cloud access assurance strategy.
12:30-14:00 Lunch Break, Expo Area
Governance, Risk Management & Compliance (GRC) II
Moderator:
Prof. Dr. Sachar Paulus, KuppingerCole
14:00-15:00 Access Intelligence
Beyond the Pioneer Approaches - The next Level in Access Governance and Risk
Dave Fowler, Courion Corporation
Alberto Ocello, Crossideas
Prof. Dr. Sachar Paulus, KuppingerCole
Darran Rolls, SailPoint

Access Governance is now a well-established technology, playing a central role in many Identity and Access Management environments. But despite its increased use, it is still an emerging market, with a lot of innovation. There are five major trends in the market:

  • adding provisioning technology or improving interfaces to provisioning systems and Enterprise Service Bus systems for connectivity to target systems
  • improved analytical capabilities, using advanced business intelligence technology to go beyond traditional and limited reporting
  • real-time capabilities that allow not only scheduled re-certifications but also the analysis of real-time access
  • cloud features
  • business focus, valuating risks and mapping access issues to business controls for quick and focused answers to the questions of the business people

In this session, Prof. Dr. Sachar Paulus of KuppingerCole will first give a quick overview of the trends in the Access Governance market, leading to real-time, cloud-ready Access Governance and Intelligence. Following Sachar's introduction, there will be a panel discussion between Access Governance vendors and technology users.

15:00-16:00 Authorization
Dynamic and Fine Grained Approaches to Access Management
16:00-16:30 Coffee & Networking, Expo Area
16:30-17:30
17:30-18:00 Closing Keynote

© 2012 Kuppinger Cole