Navigating through the Cloud. Software as a Service. Professor Jon M. Garon NKU Chase College of Law Law & Informatics Institute

Transcription

1 Navigating through the Cloud Legal and Regulatory Management for Software as a Service Professor Jon M. Garon NKU Chase College of Law Law & Informatics Institute

2 Navigating through the Cloud [A]llthis vagueness and variation arise from the fact that the whole thing began in fancy and in dreaming; and that there are no rules of architecture for a castle in the clouds. - G.K. CHESTERTON, THE EVERLASTING MAN 64 (1925) Professor Jon M. Garon NKU Chase College of Law Law & Informatics Institute

3 The cloud is everywhere For consumers and business: ios5 Apple s new iphonecloud service Kindle Fire cloud and manipulation of third party data Google Docs, Gmail, Maps, etc. Amazon -Dropbox 3

4 The cloud is everywhere Business to Business Amazon -Amazon Web Services Elastic Compute Cloud(EC2) Simple Storage Service(S3) Google AT&T Verizon Iron Mountain Sunguard Microsoft Azure Service Platform Microsoft -Cloud Computing Rackspace Salesforce.com Sun Open Cloud Platform Workday VMware Joyent 4

5 What is cloud computing Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) These resources can be rapidly provisioned and released with minimal management effort or service provider interaction 5

6 Essential elements 1. on-demand, self-serve access; 2. broad network access that agnostically accepts all devices including computers, laptops, smart phones, game consoles and other network- enabled devises; 3. resource pooling; 4. rapid elasticity or scalability; and 5. measured service optimization so that usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service. 6

7 Understanding the levels of service Software as a Service SaaS Platform as a Service Paas Infrastructure as a Service IaaS 7

8 Understanding the levels Infrastructure as a Service -Traditional computing resources such as servers, storage, and other forms of low level network and hardware resources offered in a virtual, on demand fashion over the Internet. Platform as a Service -An execution environment and computing platform available over the Internet with the sole purpose of acting as a host to application software. Generally, PaaSfocuses on enabling SaaSapplications, so many well-expected core concepts, such as abstracting away multi-tenancy issues, are expected of any reasonable PaaSoffering. Software as a Service Specialized software functionality delivered over the Internet to users who intend to use the set of delivered functionality to augment or replace real world processes. Sinclair Schuller, Demystifying The Cloud: Where Do SaaS, PaaSand Other Acronyms Fit In? 8

9 Levels of service 9

10 Cross-Platform Services These vertical functional areas illustrate the management and business capabilities needed to wraparound the core components to enable business processes with Cloud Computing. For example, Reporting and Analytics offer the ability to perform key reporting and business intelligence analytics and therefore are not core Cloud Computing components; Analytics offer significant business capabilities that can harness the power of the data that will reside within the Cloud Computing environment. 10

11 Taxonomy of cloud systems Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). 11

12 Is the cloud really different? No Vendor hosting of servers Vendor management of data Third party processors of records Offsite backup and storage 12

13 Is the cloud really different? Yes Potentially comingled data Servers could be located anywhere in the world Analytics may be available for both your data and the aggregated data of you and all competitors The vendor may be a middleman Storage is subcontracted to a third party Software is subcontracted to different a party Analytics is subcontracted to yet another party 13

14 The data is with the cloud But the liability remains with the client Every due diligence step, contract provision and safeguard is designed to limit the exposure created by moving data off site The responsibility does not follow the data it remains with the initial contracting party But banks are safer than mattresses; the key is to know where the data is and how it is protected 14

15 Different data has different demands PHI COPPA, GLBA Confidential, PCI Unregulated data 15

16 Requirements for HIPAA hosting Security -The Final Security Rule governs the processes that should be used to protect PHI. It requires that covered entities have appropriate Administrative Procedures, Physical Safeguards, and Technical Safeguards to protect access to PHI. The HITECH Act expanded liability for compliance with certain provisions of the Privacy and Security Rules to business associates of covered entities and placed enforcement into the Office of Civil Rights. Rulemaking is presently underway. Examples of appropriate safeguards include: Establishment of clear access control policies, procedures, and technology to restrict who has authorized access to PHI. Establishment of restricted and locked areas where PHI is stored. Establishment of appropriate data backup, disaster recovery, and emergency operation planning. Establishment of technical security mechanisms such as encryption to protect data that is transmitted via a network. 16

17 Requirements for HIPAA Hosting A VPN Access Server needs to be installed so VPN clients can access the remote network from any location. To conform to HIPAA, double or twofactor authentication is required. Providing public access to a web- enabled application with access to PHI data requires additional security. Physical security is required:hosted servers are located in a Secure Facility with man-traps, biometric readers and card scanners; visitors must be escorted. Connections are made with an Encrypted Protocol such as SSL or IPSEC 17

18 Requirements for HIPAA Hosting Software and/or hardware firewallprovide a first line of defense. Web Application Firewall-web attack prevention such as SQL injection and malware Host Intrusion Detection Systemsmonitor activity of server including root kit detection Port Scan Attack Detectionmonitors and prevents potential hackers from surveying the network. Brute Force Attack Detectionprevents repetitive break-in attempts from the same source. Enterprise Monitoringwith automated notification for network health. Active Patch and Update Managementkeeps OS and application layer programs up-to-date. Server Event Management analyzes and reports unusual patterns. As with all well secured public servers, human monitoring and log file investigation is an ongoing task. Sources: VM racks; Symform 18

19 Working back from HIPAA Non-PHI protection becomes a cost/risk/benefit analysis Benefits Two-part encryption is harder to use Significantly reduces ability to provide customer password help Slows time for initial engagement Cost Monthly fees associated with the service Loss of some flexibility and scalability Risks Breaches of data Goodwill damage associated with both actual breaches of data and public disclosure of known vulnerabilities to systems 19

20 Reminders for lawyers as users Consumer products are not secure Google Docs, gmail, etc. give Google non-exclusive rights in the content Since 1999, the ABA recognized that legal protections of unencrypted are sufficient to permit its use, unless there is a heightened particular risk 2008 NY ethics opinion found the computer-mediated review of did not destroy confidentiality, but it raises questions Dropboxis great for non-confidential documents, but does not encrypt in transfer so a targeted company may be vulnerable The appropriate standards are flexible, based on the size of the practice, the nature of the practice and known risks Once full encryption is available, is it reasonable to still use unencrypted document storage or even communications? Check the service level agreement Google Apps for Business doesn t give away rights Only Premier edition of Google Apps for Business has commercial level security 20

21 Ethics 20/20 recommendations Proposed new ABA Model Rule 1.6(c) 1.6 (c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client. Proposed new Model Rule 1.6(c) would make clear that a lawyer has an ethical duty to take reasonable measures to protect a client s confidential information from unintended disclosure and unauthorized access. This duty is already implicit in Model Rule 1.6 and is described in several existing Comments Comments being accepted until Nov. 30th Changes to Model Rule 1.0 require the ability to technologically screen an attorney in the firm from access to files that would trigger the conflict of interest. This includes the technical ability to do so 21

22 Rule 1.6 implications Reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client an ongoing duty Factors to be considered in determining the reasonableness of the lawyer s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forego security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. 22

23 Lawyers have other confidential data Increasingly, ethics opinions (AZ, NJ, NY, PA) are supporting lawyers moves to cloud computing Lawyers must stay abreast of technology Lawyers must protect files from destruction (so off-site store is a must, at a minimum) [Lawyers] must take reasonable affirmative steps to guard against the risk of inadvertent disclosure by others who are working under the attorney s supervision Lawyers must always act reasonably in choosing to use for confidential communications Arizona: lawyer may provide clients with an online file storage and retrieval system that clients may access, provided lawyer takes reasonable precautions to protect security and confidentiality and lawyer periodically reviews security measures as technology advances over time to ensure that the confidentiality of client information remains reasonably protected. State laws cover social security numbers, drivers licenses, and other sensitive data Demands of encryption, physical safeguards, and technical safeguards all apply 23

24 ABA etechnologysurvey (by Aviva Cuyler) Total Attorneys: This is a full-service practice management system that offers direct client portal functionality, with easy communication, document transmission, and collaboration functions for lawyers and their clients and anyone associated with the matter. Permissions for authorized access can be set for each. Currently, it is still in beta as an upgrade from its original platform, VLOTech. DirectLaw: The platform is built around their ClientSpaceapplication,enabling attorney-client interaction and delivery of legal services online via a secure client portal. Clio: Clio s communication component is called Clio Connect, a secure web-based client portal, allowing Clio users to share information and collaborate with clients through an online interface employing bank-grade security. Advologiz: A practice management system built on a Force.com platform, it enables you to send from AdvologixPM, log from any system using your own tracking key, or fully and completely integrate with Microsoft Outlook, Google Apps, and Gmail, bringing all sources within its security parameters. MyCase: Titling itself social practice management, MyCasehas the ability to create a group, comprised of attorneys, clients, necessary staff, and any others involved in the case (i.e., expert witnesses), for the matter. The platform enables anyone in the group to communicate each and every action in the case to other applicable group members, all residing on Amazon s E2 platform and utilizing bank-grade data security. PBWorks: PBWorks has created a legal edition that includes a legal client extranet in which you set up a shared workspace for each client to collaborate on legal strategy, scheduling, and document sharing. 24

25 New audit standards available The SAS 70 report may have created a false sense of security because it did not set minimum standards or establish best practices. The American Institute of CPAs (AICPA) has replaced the SAS70 with the SSAE 16, effective June 15, Under SSAE 16, SOC 2 and SOC 3 reports provide much more stringent audit requirements with a stronger set of controls and requirements specifically designed around data center service organizations. Security: The system is protected against unauthorized access (both physical and logistical). Availability: The system is available for operation and use as committed or agreed. Processing integrity: System processing is complete, accurate, timely and authorized. Confidentiality: Information designated as confidential is protected as committed or agreed. Privacy: Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity's privacy notice, and AIPCA s Generally Accepted Privacy Principles. 25

26 New audit standards available Type 1 report assesses the compliance of the vendor s efforts to meet the standards that vendor selected. If the vendor selected minimal standards, then the report will only reflect that those minimum standards were or were not met. A Type 2 report provides the auditors opinion as to the accuracy and completeness, the suitability of the design of controls, and the operating effectiveness of the controls throughout a declared time period, generally between six months and one year. While there is always room for interpretation and variations among auditors, the Type 2 report has considerably more assessment value than the Type 1 report. A variation of the Type 2 report can be disclosed as a Type 3 report, which basically strips certain internal reporting information from the Type 2 report so that the report can be made available to potential customers and the general public. The Type 3 report includes a certification or seal of approval that can be used by the reporting company to show its compliance with the SSAE 16 standards. 26

27 FTC Safeguards Rule for GLBA compliance The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information The plan must be appropriate to the company s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles As part of its plan, each company must: designate one or more employees to coordinate its information security program identify and assess the risks to customer information in each relevant area of the company s operation, and evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program, and regularly monitor and test it select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information evaluate and adjust the program in light of relevant circumstances, including changes in the firm s business or operations, or the results of security testing and monitoring These requirements provide a comprehensive set of obligations employee selection supervision and training physical security of data encryption and authentication protocols notification steps 27

28 Approach to the cloud service agreement The duty to meet applicable regulatory guidelines as a covered entity or third party recipient of data. The duty to utilize best practices to assure data privacy, security and integrity. The duty to report any data security breach and meet applicable state and federal notification obligations. The duty and practices to manage vendor personnel in a manner that restricts access to stored information from non-essential personnel, to train its personnel to meet data privacy and security practices, and to immediately cut-off access to former employees. The obligations to physically secure the information, by controlling physical access to computers, servers and equipment. Meaningful indemnification provisions and the financial ability to meet such obligations. Restrictions on exploitation of aggregate data analysis and metadata analysis. The aggregation of services by large vendors creates opportunities to track and study the data flow. Even if done on an aggregate basis, however, the use of health care or customer financial data may not be authorized and should be contractually restricted. 28

29 PCI compliance requirements Build and Maintain a Secure Network Protect Cardholder Data 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software Management Program 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access Regularly Monitor and Test Networks Maintain an Information Security Policy 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security 29

30 The details: Service Level Agreement checklist Security and Specification of the minimum regulations governing the parties Wrap in ongoing changes to state law, federal law and regulations, and applicable industry standards Specify location of data; physical security Privacy & Confidential information Broader than regulated data Be specific; don t call it all confidential if it isn t Service documentation Specify the types and timing of reports SOCS2, operating procedures and supporting documentation covering contingency plans, Disaster Recovery and Pandemic Plan Executive summaries of all vulnerability assessments and penetration tests actually conducted by Company and Company response plan. Service levels Uptime/downtime guarantees Operational guarantees Reps and Warranties Property of the parties Data owned by client APIs and software owned by vendor Change Events Acquisition, merger, de-acquisition, bankruptcy of each party Movement of data outside U.S. Change to laws and regulations Limitations by Vendor Third party equipment and services Exclusions of every representation and warranty Liability caps Cross Indemnification Events of Default Expected technical responses Remedies regarding inability to provide technical response Failure to pay; conflict over response Termination Triggers Post-termination obligation before closure Post-termination obligations 30

31 The details: Service Level Agreement checklist These issues are likely client concerns rather than legal concerns Data Sources Log data, Configuration data, Performance data such as network traffic, data flow and CPU utilization Vulnerability data across network devices and hosts and network traffic pattern data Compliance Support End-to-end encryption may not be sufficient (We re blind so we re compliant may not be sufficient) Doesn t provide reporting or other tools and cannot work in SaaS Analytics Business should learn from the data: who is using the platform, where are the client s customers dropping out, what trends are available Dashboards, network reports, etc. Reporting Data Management Compression, encryption, archival services Scalability Architecture Performance 31

32 Navigating through the Cloud Legal and Regulatory Management for Software as a Service Thank you Professor Jon M. Garon NKU Chase College of Law Law & Informatics Institute