KEYWORDS: Privacy and security, cloud computing, formal institutions, informal institutions, security costs

Size: px
Start display at page:

Download "KEYWORDS: Privacy and security, cloud computing, formal institutions, informal institutions, security costs"

Transcription

1 PRIVACY AND SECURITY ISSUES IN CLOUD COMPUTING Nir Kshetri Associate Professor The University of North Carolina-Greensboro, USA ABSTRACT Cloud computing is a double-edged sword from the privacy and security standpoints. Despite its potential to provide a low cost security, organizations may increase risks by storing sensitive data in the cloud. In this paper, we analyze how the cloud s characteristics such as newness, nature of the architecture, and attractiveness and vulnerability as a cybercrime target are tightly linked to privacy and security. We also investigate how the contexts provided by formal and informal institutions affect privacy and security issues in the cloud. KEYWORDS: Privacy and security, cloud computing, formal institutions, informal institutions, security costs 1. INTRODUCTION Organizations are using cloud computing (hereinafter: the cloud) to perform increasingly strategic and mission critical functions. At the same time, companies are facing pressures and challenges to protect information assets belonging to their customers and other sensitive data McCafferty, 2010). Unsurprisingly security, privacy and availability are among the topmost concerns in their cloud adoption decisions rather than the total cost of ownership (Brodkin 2010). The cloud is a double-edged sword from the security standpoint. For organizations that lack technological and human resources to focus on security third parties in the cloud can provide low-cost security (Kshetri 2010a). Cloud computing users, on the other hand, face several separate but related security risks (Talbot 2010). The cloud poses various technological as well as institutional challenges. The cloudrelated legal system and enforcement mechanisms are evolving more slowly compared to the technology development. Privacy, security and ownership issues related to data stored on cloud currently fall into legally gray areas (Bradley 2010). Some argue that an organization, rather than the cloud provider, is likely legally responsible if customer data stored in the cloud are compromised (Zielinski 2009). A second criticism is that there has been arguably a disturbing lack of respect for essential privacy among major cloud providers (Larkin 2010, p. 44). For instance, in a complaint filed with the Federal Trade Commission (FTC), the Electronic Privacy Information Center (EPIC) argued that Google misrepresented the privacy and security of its users data (Wittow & Buller 2010). Cloud providers are also criticized on the ground that they do not conduct adequate background security investigations for their employees (Wilshusen 2010). This issue is rather important since significant proportions of cybercrimes are Page 1 of 23

2 associated with malicious insiders. Likewise, new bugs and vulnerabilities targeting the cloud are proliferating (Brynjolfsson et al. 2010). Faced with examples such as the above, analysts focusing on the cloud s security and privacy aspects have tended to divide into two camps. Proponents of the cloud argue that economies of scale allow third parties to provide a low cost security. This benefit is especially important for small and medium sized enterprises (SMEs), which lack resources to address human and technological issues related to security. A study of the European Network and Information Security Agency noted: The same amount of investment in security buys better protection [in the cloud] (ENSIA 2009, p. 7). Some argue that since security is not a core activity for most businesses, it makes sense to outsource this function to a third-party such as a cloud provider (Khalili 2010) 1. Critics have raised concerns about privacy and security associated with unauthorized access and use of information stored in the cloud for malicious purposes (McCreary 2008). A commonplace observation is that while cloud providers offer sophisticated services, their performances have been weak in policies and practices related to privacy and security (Wittow & Buller 2010; Greengard & Kshetri 2010). Businesses and consumers have expressed distrust in the cloud and are cautious in using it to store high-value data or sensitive information. Due to weak security, the cloud arguably remains a largely nascent technology (Stewart 2010) and critics have argued that its costs may outweigh the benefits (Tillery 2010) 2. According to an IDC report released by the research firm, International Data Corporation (IDC) in October 2008, security concern was the most serious barrier to cloud adoption for organizations 3. Organizations rightfully worry about hidden costs associated with security breaches or lawsuits tied to data privacy restrictions (Zielinski 2009). In this paper, we would argue that issues related to security and privacy in the cloud, while well documented, are only partially understood. Although researchers have acknowledged the role of privacy and security issues in cloud related investment decisions, they have paid relatively less attention to how institutional contexts such as structures of the markets, legal and political environment as well as inter-organizational and intra-organizational arrangements affect the ways in which such decisions are made. The purpose of our study is to fill this void. The factors related to privacy and security issues of the cloud focused in the paper can be described by considering a broad approach to institutions, which defines the concept in terms of a game s equilibrium. Three factors that determine an equilibrium include (i) technologically determined external constraints; (ii) humanly devised external constraints, and; (iii) constraints developed within the game through patterns of behavior and the creation of expectations (Snidal 1996, p. 128). For simplicity, however, technological factors are discussed separately in this paper instead of lumping with institutions. Before proceeding, we offer some clarifying definitions. Cloud computing involves hosting applications on servers and delivering software and services via the Internet. In the cloud computing model, companies can access computing power and resources on Page 2 of 23

3 the cloud and pay for services based on usage. Institutions are the rules of the game (North 1990) and include formal constraints (rules, laws, constitutions), informal constraints (norms of behavior, conventions, and self-imposed codes of conduct), and their enforcement characteristics (North 1996, p. 344). The paper is structured as follows. We proceed by first discussing the elements of our proposed model on institutional and technological environment facing the cloud. It is followed by a section on discussion and implications. The final section provides concluding comments. 2. TECHNOLOGICAL AND INSTITUTIONAL ENVIRONMENT FACING THE CLOUD Issues revolving around privacy, and ownership and access to data raise interesting questions in the cloud. As a visual aid, Figure 1 schematically represents how privacy and security issues in the cloud are tightly linked to the institutional and technological environments. We discuss the building blocks of the model in this section. Various characteristics of the cloud affect organizations perceptions of confidentiality, integrity, and availability of the cloud (Left part of Figure 1). Formal and informal institutions, on the other hand, affect perception of legitimacy and trustworthiness of the cloud (Right part of Figure 1). Assessment of institutional and technological facilitators and inhibitors affect organizations adoption decisions (Figure 1). Figure 1 about here Institutional actors responses lag behind the technological changes (Katyal 2001; Brenner 2004). Moreover, institutional actors vary in their timing of responses. For instance, whereas trade and professional associations and industry standard organizations are taking measures to respond to security and privacy issues in the cloud, government agencies have been slow to adopt necessary legislative, regulatory and other measures to monitor users and providers of the cloud TECHNOLOGICAL ENVIRONMENT THE CLOUD S NEWNESS AND UNIQUE VULNERABILITIES The cloud s newness and uniqueness present special problems. With the evolution and popularity of virtualization technology, new bugs, vulnerabilities and security issues are being found (Brynjolfsson et al. 2010). The cloud, however, is not a familiar terrain for most IT security companies. A lack of mechanisms to guarantee security and privacy has been an uncomfortable reality for many cloud providers. One problem found in network virtualization is that a user may be able to access to the provider s sensitive portions of infrastructure as well as resources of other users (Armbrust et al. 2010). In August 2010, the U.S. National Institute of Standards and Technology announced a vulnerability in which a cloud user can cross from one client environment to other client environments that are managed by the same cloud provider Page 3 of 23

4 (NIST 2009). Experts argue that such vulnerabilities could have more adverse impacts in the cloud than in an on-premise computing (Owens 2010). The cloud is also forensically challenging in the case of a data breach. For instance, some public cloud systems may store and process data in different jurisdictions, which vary in terms of laws related to security, privacy, data theft, data loss and intellectual property theft (McCafferty 2010). Some organizations may encrypt their data before storing in the cloud. These factors are likely to make forensic investigation complex and time consuming (Taylor et al. 2010) NATURE OF THE ARCHITECTURE Virtual and dynamic The virtual and dynamic nature of the cloud computing architecture deserves mention. For one thing, the shared and dynamic resources of the cloud such as CPU and networking reduce control for the user and tend to pose new security issues not faced by on-premise computing (Brynjolfsson et al. 2010). A related point is that these characteristics of the cloud allow data and information to distribute widely across many jurisdictions. The locations where data are stored may vary in laws regarding security, privacy, data theft, and protection of intellectual property (McCafferty 2010). Virtualization is the primary security mechanism in the cloud. Nonetheless, some resources are not virtualized. Virtual systems, despite their insulation from the customer, run on physical systems (Sturdevant 2010). Moreover, virtualization environments are not necessarily bug-free (Armbrust et al. 2010). Sophistication and complexity The cloud s security related problems can also be linked to its sophisticated and complex architecture. In April 2010, U.S. and Canada-based researchers published a report on a sophisticated cyber-espionage network, which they referred as Shadow network. The targets included the Indian Ministry of Defense, the United Nations, and the Office of the Dalai Lama. The report noted: Clouds provide criminals and espionage networks with convenient cover, tiered defences, redundancy, cheap hosting and conveniently distributed command and control architectures (IWMSF 2010). Another problem concerns the cloud s complexity 4. An important trend facilitated by the cloud is social media, which are arguably corporate security nightmare (BBW 2010). In the Shadow case noted above, the cyber-espionage network combined social networking and cloud platforms, including those of Google, Baidu, Yahoo!, Twitter, Blogspot and blog.com with traditional command and control servers (IWMSF 2010) ATTRACTIVENESS AND VULNERABILITIES OF THE CLOUD AS A CYBERCRIME TARGET Earlier we mentioned that the cloud can provide a low cost security due to economies of scales. However, an unintended downside of cheap services is more security issues 5. Page 4 of 23

5 Value of data in the cloud Target attractiveness depends on offenders perceptions of victims. Prior research indicates that crime opportunity is a function of target attractiveness, which is measured in monetary or symbolic value and portability (Clarke 1995). Target attractiveness is also related to accessibility visibility, ease of physical access, and lack of surveillance (Bottoms & Wiles 2002). Large companies networks offer more targets to hackers. Cloud suppliers, which often are bigger than their clients, are attractive targets. The cloud thus offers a high surface area of attack (Talbot 2010). That is, information stored in clouds is a potential goldmine for cyber-criminals (Kshetri 2010a). In late 2009, Google explained that the company discovered a China-originated attack on its infrastructures. The company further noted that the attack was part of a larger operation, which infiltrated infrastructures of at least 20 other large companies. In the early 2010, Yale University postponed its plan to move its Webmail service to Google Apps tailored for students and faculty. Analysts argued that Google's size and visibility makes it more susceptible to cyber-attacks (eweek.com 2010). Criminal-controlled clouds The cloud is potentially most vulnerable, especially when viewed against the backdrop of criminal owned-clouds operating in parallel. Just like diamond is the only material hard enough to cut diamond effectively, criminal-owned clouds may be employed to effectively steal data stored in clouds. The cloud may provide many of the same benefits to criminals as for legitimate businesses. The well-known Conficker virus, which reportedly controls 7 million computer systems at 230 regional and country top-level domains and has a bandwidth capacity of 28 terabits/second is arguably the world s biggest cloud and probably the most visible example of a criminal-owned cloud. Just like legitimate clouds, Conficker is available for rent. Cybercriminals can choose a location they want to rent Conficker and pay according to the bandwidth they want and choose an operating system (Mullins 2010) INSTITUTIONAL ENVIRONMENT Institutional theory is described as a theory of legitimacy seeking (Dickson et al., 2004, p. 81). To gain legitimacy, organizations adopt behaviors irrespective of the effect on organizational efficiency (Campbell 2004). Institutional influence on adoption decisions related to the cloud becomes an admittedly complex process when providers and users of the cloud have to derive legitimacy from multiple sources such as employees, clients, client customers, professional and trade associations and governments. Scott (2001) proposed three institutional pillars: (i) regulative; (ii) normative and (iii) cognitive 7, 8. These pillars relate to legally sanctioned, morally governed and recognizable, taken-for-granted behaviors respectively (Scott et al. 2000, p. 238). The following examples further illustrate the three pillars from the standpoint of security and privacy in cloud computing. Page 5 of 23

6 European Union (EU) countries strong data privacy laws prevent the movement of identifiable individuals data to jurisdictions that do not provide the same levels of protection. Privacy regulations (regulative institutions) have arguably hindered the diffusion of the cloud in the EU countries (Bradner 2010). Edelman and Suchman (1997) note: the legal rules cause the organizational practices (or vice versa) is, at best, a gross simplification. Many cloud vendors emphasize their security credentials by communicating potential clients that they have completed a SAS 70 audit (normative institutions) (Brodkin 2010). An organization s cloud adoption decision also depend on its perception of a cloud provider s ability to protect the organization s data from a third party, make the data available whenever the organization needs them and a trust that the provider would not exploit its clients data (cognitive institutions) (Talbot 2010). The cloud industry is undergoing a major technological upheaval. In such situations, for various actors, the institutional context may not provide organizing templates, models for action, and sources of legitimacy (Greenwood & Hinings 1993). In most cases, such changes create confusion and uncertainty and produce an environment that lacks norms, templates, and models about appropriate strategies and structures (Newman 2000). Existing institutions are hopelessly inadequate and obsolete to deal with the security and privacy problems facing the cloud industry. For instance, cloud computing has challenged traditional institutional arrangements and notions about auditing and security (Messmer 2010) THE NATURE OF REGULATIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY Regulative institutions 9 consist of explicit regulative processes: rule setting, monitoring, and sanctioning activities (Scott 1995, p. 35). In the context of this paper, regulative institutions consist of regulatory bodies (such as the US Department of Justice and the US Department of Homeland Security) and existing laws and rules (e.g., the Patriot Act, Sarbanes-Oxley (SOX) and Health and Human Services Health Insurance Portability and Accountability Act (HIPAA) in the U.S.) that influence individuals and organizations to behave in certain ways (Scott 1995). Individuals and organizations adhere to the rules so that they would not suffer the penalty for noncompliance (Hoffman 1999). Laws to deal with data on the cloud The importance of regulative institutions such as laws, contracts and courts in the cloud industry should be obvious if this industry is viewed against the backdrop of the current state of security standards. In the absence of radical improvements in security technology, such institutions become even more important (Armbrust et al. 2010). The cloud-related legal system and enforcement mechanisms are evolving more slowly compared to the cloud technology development. Compliance frameworks such as SOX, HIPAA and PCI-DSS (Payment Card Industry Data Security Standard) do not clearly define the guidelines and requirements for data stored on the cloud (Bradley 2010). Cloud computing thus poses various challenges and constraints for companies that have responsibilities to meet stringent compliance related to these frameworks and reporting requirements for their data (McCafferty 2010; NW 2010). Page 6 of 23

7 The cloud has several important new and unique features, which create problems in writing contracts. For instance, an analysis of the contracts between Google and Computer Sciences Corporation (CSC) with the City of Los Angeles indicated several problems related to data breach and indemnification of damages. Google was a CSC subcontractor in the arrangement. An attorney analyzing the case noted that some of the complexity in the case would have been avoided if the term "lost data" was defined more clearly in the contracts (NW 2010). While some experts understandably argue that it would not be practical to hold cloud providers liable for everything (TR 2010), current regulations are heavily biased in favor of cloud providers (and against the users). For instance, in the event of a data breach in the cloud, the client, not the vendor, may be legally responsible (Zielinski 2009). According to the Federal Information Security Management Act (FISMA), cloud providers are required to keep sensitive data belonging to a federal agency within the country. While Google Apps are FISMA certified for its government cloud, which is not necessarily the case for the private industry (Brodkin 2010). Regulatory overreach There have been concerns about possible overreach by law enforcement agencies. In the U.S., for instance, thanks to the 2001 Patriot Act, the federal government can ask service providers to provide details of an Internet user s online activities without telling the Internet user about it. The FBI's audits indicated the possibility of overreach by the agency in accessing Internet users information (Zittrain 2009). For some analysts, the biggest concern has been the government s increased ability to access business and consumer data and censor and a lack of constitutional protections against these actions (Talbot 2010). The cloud is likely to make it easier for governments to spy on citizens. Governments worldwide, however, differ in their approach to and scale of web censorship and surveillance. Especially, the cloud is likely to provide authoritarian regimes a fertile ground for cyber-control activities 10. The cloud as the ultimate spying machine: There are stories of espionage activities successful transition to cyber-espionage2.0. National and international security issues arise from the cloud s potential to be the ultimate spying machine. A Google's report released in April 2010 is especially timely and enlightening. The company described how government authorities around the world request the company for private information and to censor its applications THE NATURE OF NORMATIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY Normative components introduce a prescriptive, evaluative, and obligatory dimension into social life (Scott 1995, p. 37). This component focuses on the values and norms held by individuals and organizations that influence the functioning of the cloud industry 11. Practices that are consistent with and take into account the different assumptions and value systems are likely to be successful (Schneider 1999). Normative institutions also include trade associations, professional associations (e.g., The Page 7 of 23

8 American Institute of Certified Public Accountants), or non-profit organizations (e.g., Electronic Privacy Information Center) that can use social obligation requirements (e.g., ethical codes of conduct) to induce certain behaviors in the cloud industry. Professional associations measures Compared to established industrial sectors, in nascent and formative sectors such as cloud computing, there is no developed network of regulatory agencies (Powell, 1993). For instance, there are few, if any, national or international legal precedents for the cloud industry (McCafferty 2010). As a consequence, there is no stipulated template for organizing, and thus pressures for conformity are less pronounced (Greenwood & Hinings 1996). In such settings, professional and trade associations may emerge to play unique and important roles in shaping the industry (Kshetri & Dholakia 2009). These associations norms, informal rules, and codes of behavior can create order, without the law s coercive power, by relying on a decentralized enforcement process where noncompliance is penalized with social and economic sanctions (North 1990). Various professional and trade associations are also constantly emerging and influencing security and privacy issues in the cloud in new ways as a result of their expertise and interests in this issue. A visible example is the Cloud Security Alliance (CSA) (www.cloudsecurityalliance.org), a group of information security professionals. The CSA is is working on a set of best practices as well as information security standards for cloud providers (Crosman 2010). To take another example, the American Institute of Certified Public Accountants is making efforts to accelerate cloud adoption among its 350,000 members 12. AICPA s endorsements are based on an extensive due diligence on the security practices of the vendors (McCann 2010). Industry standards and certification programs Some argue that industry standards organizations may address most of the user concerns related to privacy and security in the cloud industry (Object Management Group 2009). Organizations such as Object Management Group (OMG), the Distributed Management Task Force (DMTF), the Open Grid Forum (OGF), and the Storage Networking Industry Association (SNIA) have made efforts to address security and privacy concerns in the cloud industry (Wittow & Buller 2010). There are no formal processes for auditing cloud platforms (Vizard 2010). Analysts argue that auditing standards to assess a service provider s control over data (e.g., SAS 70) or other information security specifications (e.g., the International Organization for Standardization s ISO 27001) are insufficient to deal with and address the unique security issues facing the cloud (Brodkin 2010). Note that these standards and specifications were not developed specifically for the cloud computing THE NATURE OF COGNITIVE INSTITUTIONS RELATED TO THE CLOUD INDUSTRY Cognitive institutions are closely associated with culture (Jepperson, 1991). These components represent culturally supported habits that influence cloud providers and Page 8 of 23

9 users behaviors. In most cases, they are based on subconsciously accepted rules and customs as well as some taken-for-granted cultural account of cloud use (Berger & Luckmann 1967). Scott (1995, p. 40) suggests that cognitive elements constitute the nature of reality and the frames through which meaning is made. Cognitive programs are built on the mental maps of individual cloud users and and thus function primarily at the individual level (Huff 1990) 13. Compliance in cognitive legitimacy concerns is due to habits. Organizations and individuals may not even be aware that they are complying. Perception of vendor s integrity and capability Of particular concern is the users dependency on cloud vendors security assurances and practices. Cloud providers must guard against theft or denial-of-service attacks by users. Users need to be protected from one another (Armbrust et al. 2010). Surveys have shown that potential cloud adopters are concerned about the possibility that service provider s security might have ineffective or noncompliant controls, which may lead to vulnerabilities affecting the confidentiality, integrity, and availability of data (Wilshusen 2010). Organizations are also concerned that cloud providers may use insecure ways to delete data once services have been provided (Wilshusen 2010) 14. Admittedly, data theft, denial-of-service attacks by users, threats from other users, and bugs are not the only-and not the biggest-problem associated with the cloud. There is also a high degree of temptation for the cloud providers or their employees to engage in opportunistic behavior (Armbrust et al. 2010). The cloud thus may also increase exposure to organizational vulnerabilities to insider risks. Indeed, malicious insider risks are among the most important risks that the cyberspace faces. According to a report released by the FBI in 2006, over 40% of attacks originate inside an organization (Regan 2006). Some have raised concerns that service providers do not conduct adequate background security investigations of their employees (Wilshusen 2010). One fear has been that intellectual property and other sensitive information stored in the cloud could be stolen. Worse still, cloud providers may not notify their clients about security breaches. Evidence indicates that many businesses tend to underreport cybercrimes due to embarrassment, concerns related to credibility and reputation damages and fears of stock price drops. A report of the Idaho National Engineering and Environmental Laboratory (http://www.us-cert.gov/control_systems/pdf/oil_gas1104.pdf) noted: Many of the cyber attacks go unnoticed or may go unnoticed for long periods of time (p. 2). An organization s data in the cloud may be stolen but it may not ever be aware that such incidents had happened. A final point concerns the outage problems, which would worsen the economics of cloud computing. For instance, popular clouds such as Google's Gmail, Amazon S3, and those of Salesforce.com and Microsoft have suffered outages. Cloud users inertia effects It is quite possible that organizational inertia 15 may affect the lens through which users view security and privacy issues in the cloud. Organizational inertia may constraint a firm's ability to exploit emerging opportunities such as cloud computing (Dean & Mayer Page 9 of 23

10 1996). An inertia effect (resistance to change) is likely to adversely influence an organization s assessment of the cloud from the security and privacy standpoints. Reduction in control is an obvious concern. Cloud users don t have access to the hardware and other resources that store and process their data. There is no physical control over data and information in the cloud (Wilshusen, 2010). The shared and dynamic resources in the cloud environment reduce control (Brynjolfsson et al. 2010). Moreover, while the client has no control over the data managed by the cloud provider, cloud services contracts often stipulate that data protection is the former s responsibility (Crosman 2009). A case in point is Google. The company provides security and privacy assurances to its Google Docs users unless the users publish them online or invite collaborators. However, Google service agreements explicitly make it clear that the company provides no warranty or bears no liability for harm in case of Google s negligence to protect the privacy and security (Wittow & Buller 2010). Just as important is preference for localness. From the standpoint of security, most users prefer computing to be local (Brynjolfsson et al. 2010). Organizations arguably ask: who would trust their essential data out there somewhere? (Armbrust et al. 2010). 3. DISCUSSION It is important to emphasize that the model presented by figure 1 is dynamic in nature. We anticipate that the salience of each component of institutional and technological factors will vary across organizations as well as over time. For instance, barriers associated with newness and inertia effects are likely to decline over time. On the other hand, as the penetration level, width and depth of cloud increases, it is likely to be a more attractive cybercrime target. One implication of the dynamic aspects of the model is that institutions change over time in the cloud industry. The idea of institutional field can be helpful in understanding this dynamic. A field is formed around the issues that become important to the interests and objectives of specific collectives of organizations (Hoffman 1999, p. 352) 16. For a field formed around privacy and security in the cloud, these organizations include regulatory authorities (e.g., the FTC), providers and users of the cloud as well as professional and trade association. The content, rhetoric, and dialogue among these constituents influence the nature of field formed around the security and privacy issues associated with the cloud (Hoffman 1999, p. 355). An understanding of arbiters would provide important insight into the sources of institutional change in the cloud industry. Wiesenfeld et al. (2008) have identified three categories of arbiters social, legal, and economic 17. Much of the early evidence indicates that institutions in the cloud industry should rebalance towards a higher power of the users. Experts argue that courts (legal arbiters) are likely to take a middle ground and make providers liable for breach (TR 2010). The Electronic Privacy Information Center (EPIC) (a social arbiter) filed a complaint with the Federal Trade Commission (FTC) against Google s cloud services. EPIC made the point that Google Page 10 of 23

11 does not adequately safeguard users confidential information. It requested the FTC to open an investigation into Google s Cloud services 18 (Wittow & Buller 2010). Likewise, experts argue that market forces and consumer demands (economic arbiters) are likely to drive a lot of privacy changes in cloud computing (TR 2010) MANAGERIAL AND POLICY IMPLICATIONS The model presented in this paper also has implications for management practice and public policy. Most cloud providers services come with no assurance or promise of a given level of security and privacy. Cloud providers lack policies and practices related to privacy and security. Nor is that their only problem. Cloud providers have also demonstrated a tendency to reduce their liability by proposing contracts with the service provided as is with no warranty (McCafferty 2010). Perception of ineffectiveness or noncompliance of cloud providers may thus act as a roadblock to organizations cloud adoption decisions. In this regard, above analysis indicates that security and privacy measures designed to reduce perceived risk as well as transparency and clear communication processes would create a competitive advantage for cloud providers. The newness and uniqueness of the cloud often mean that clients would not know what to ask for in investment decisions. An understanding of model would also help organizations take technological, behavioral and perceptual/attitudinal measures. The users of the cloud are functioning on the assumption that cloud providers take privacy and security issues seriously (Wittow & Buller 2010). However, against the backdrop of the institutional contexts, this may well be a convenient but possibly false assumption. The model also leads to useful questions that need to be asked before making cloud related investments. Given the institutional and technological environment, potential adopters should ask tough questions to the vendor regarding certification from auditing and professional organizations (e.g., AICPA), locations of the vendor s data centers, and background check of the vendor s employees, etc. The above analysis suggest that a one size fits all' approach to the cloud cannot work. The model presented in Figure 1 would also help in making strategic decisions. For instance, organizations may have to make decisions concerning combinations of public and private clouds 19. For instance, the public cloud is effective for an organization handling high-transaction/low-security or low data value (e.g., sales force automation). Private cloud model, on the other hand, may be appropriate for enterprises that face significant risk from information exposure such as financial institutions and health care provider or federal agency. For instance, for medical-practice companies dealing with sensitive patient data, which are required to comply with the HIPAA rules, private cloud may be appropriate. In general, legal systems take long time to change (Dempsey 2008). Regulative institutions related to liability and other issues in the cloud are not well developed. Cloud providers may feel pressures to obtain endorsements from professional societies. Page 11 of 23

12 AICPA s endorsements have driven the diffusion of cloud applications among some CPA firms. Today, accurately or not, businesses are concerned about issues such as privacy, availability, data loss (e.g., shutting down of online storage sites), data mobility and ownership (e.g., availability of data in usable form if the user discontinues the services) (Martin 2010). Cloud providers are criticized on the ground that they do not answer questions and fail to give enough evidence to trust them (Brodkin 2010) 20,21. In this regard, many of the user concerns can be addressed by becoming more transparent. Since geographic dispersion of data is an important factor associated with cost and performance of the cloud, an issue that deserves mention relates to regulatory arbitrage. Experts expect that countries update their laws individually rather than to act in a multilateral fashion (TR 2010). Economies worldwide vary greatly in terms of the legal systems related to the cloud. Due to the newness, jurisdictional arbitrage is higher for the cloud compared to the IT industry in general. In this regard critics are concerned that cloud providers may store sensitive information in jurisdictions that have weak laws related to privacy, protection and availability of data (Edwards 2009). Anecdotal evidence suggests that due to increasingly important roles in national security, many high technology sectors are characterized by a high degree of protectionism. The atmosphere of suspicion and distrust among states can lead to such protectionism. To capture the feelings that accompany intergovernmental distrust, consider the U.S.-China trade and investment policy relationship. Chinese leaders are suspicious about possible cyber-attacks from the U.S. There has been a deep rooted perception among Chinese policy-makers that Microsoft and the U.S. government spy on Chinese computer users through secret back doors in Microsoft products 22 (Adams 2001). Chinese leaders thus may be uncomfortable with the idea of storing data on clouds provided by foreign multinationals. U.S. policy makers are equally concerned about Chinese technology firms internationalization 23. The above analysis indicates that such concerns are likely to be even more prominent in cloud computing. Cyber-espionage has been an obvious application of the cloud. If there is any lesson that recent major cyber-espionage activities teach, it is that countries with strong cyberspying and cyber-warfare capabilities such as China will be in a good position to exploit the cloud s weaknesses for such activities. In view of the technological capabilities of extra-legal and illegal organizations, one area that deserves attention is the escalation of economic and industrial espionage activities such as intellectual property theft. There have been reports that U.S. government agencies such as the Defense Department as well as private companies have been targets and victims of such activities 24. It is thus reasonable to expect that the cloud may enable an upgrade of these activities to industrial espionage2.0. Cloud security and developing countries Page 12 of 23

13 Some analysts suggest that developing countries will be attractive markets for cloud services and predict that this technology will soon make healthcare 2.0, banking 2.0, and education 2.0 realities in these countries (Economist 2008). At the same time, however, criminal practices on the Internet have upgraded to cybercrime2.0 (Kshetri 2010a). Nonetheless, security and privacy issues in the developing world need to be viewed in the context of weak defense mechanisms of organizations. Information technology s hollow diffusion concept can be helpful in understanding a weak defense. Many companies in developing countries lack technological and human resources to focus on security. Hollow diffusion can be human-related (lack of skill and experience) or technology-related (inability and failure to use security products) (Otis & Evans 2003) 25. Especially for developing-based organizations that do not deal with highvalue and sensitive data the cloud may provide low-cost security to address some of the security-related human (e.g. installing/maintaining software) and technological issues. Providers and users of the cloud face additional challenges in developing economies. Various aspects of the institutional environment may weaken the cloud s value proposition and discourage investors. In many developing countries, factors such as corruption, the lack of transparency, and a weak legal system can exacerbate security risks. The high-profile attacks on Google cloud allegedly by China-based hackers in 2009 were an eye opener for the cloud industry 26. A final issue that deserves mention relates to the impacts of clouds controlled by the developing world players on security issues of industrialized countries. It is tempting for global cloud players to use cheaper hosting services in developing countries. Cybercriminals, however, find it more attractive to target rich economies. For instance, the U.S. is the No. 1 target for cyber-attacks. Since many developing countries are top cybercrime sources (Kshetri 2010b), security risks associated with the diffusion of clouds in these countries may spread to industrialized countries. Security concerns as a source of a negative country-of-origin effect Developing world-based cloud providers are internationalizing (Kshetri 2010a). They may face barriers due to the pervasive perceptions of weak security. One concern is that institutional environment in these countries is insufficient to guarantee security and privacy of client data. The prospect of civil and criminal prosecution is weak when security breaches and privacy violations take place in a country with a weak rule of law. Observers, for instance, have noted that Indian cybercrime law and privacy enforcement are weak. A related point is that European or U.S. data protection laws cannot be enforced in India. Likewise, partly due to real and/or perceived government control, China-based cloud providers may be perceived less trustworthy and need to combat the effects of negative country of origin images and stereotypes FUTURE RESEARCH Before concluding, we suggest several potentially fruitful avenues for future research. Cloud-related institutions are currently thin and dysfunctional. For instance, as noted Page 13 of 23

14 above, privacy and security issues of data stored on the cloud currently fall into a legally gray area. Future research might examine how political, ethical, social and cultural factors are associated with security issues in cloud computing. Prior research conducted in other sectors (e.g., chemical industry) indicates that institutional evolution entails transitions among the three institutional pillars regulative, normative, and cognitive. Building a regulative/law pillar system is the first stage of field formation. It is followed by a formation of normative institutions and then cognitive institutions (Hoffman 1999). A comparison of institutional evolution in the cloud industry with that in other economic sectors might be worthwhile target of study. Second, an empirical examination of core premises and propositions of the model presented by Figure 1 would be useful to advance the model's utility as a viable framework for studying the technological and institutional drivers of the cloud industry. Such a study would shed light on the relative importance of various components of the model in organizations cloud adoption decision. Finally, future research might also explore antecedents of organizations cloud computing decisions in terms of various technological dimensions identified in the prior literature. One avenue would be to test how the cloud performs in terms of major dimensions proposed by Rogers (1995) such as relative advantage, compatibility, complexity, observability and trialability. 4. CONCLUDING COMMENTS Virtualized resources in the cloud lower upfront investment and product development costs. However, the low cost comes with a trade-off. The above analysis suggests that it is too simplistic to view the cloud as a low-cost security. Legitimate as well as illegitimate organizations and entities are gaining access to data on the cloud through illegal, extralegal, and quasi-legal means. The cloud s diffusion and that of social media have superimposed onto organizations rapid digitization in a complex manner that allows cyber-criminals and cyber-espionage networks to exploit the cloud s weaknesses. The above analysis thus indicates that ensuring that both technological and behavioral/perceptual factors are given equal consideration in the design and implementation of a cloud network is thus crucial. Existing institutions are subject to powerful environmental selection mechanisms (Gilson 2001). Existing institutions are likely to be exposed and restructured to support a new set of beliefs and actions and the rules are likely to be revised. New institutions and the redesign of existing institutions are needed to confront emerging security and privacy problems in the cloud industry. There is an indication that existing institutions related to the cloud are thickening. In this regard, the war for the future of security and privacy issues in the cloud is just beginning. Tough analysts of cloud security are gaining new credibility. For instance, a new way of auditing specifically designed for the cloud industry is evolving. Overall, it is fair to say that privacy and security issues related to the cloud industry are undergoing political, social, and psychological metamorphosis. Page 14 of 23

15 REFERENCES Adams, J. Virtual defense, Foreign Affairs vol. 80, no. 3, 2001, Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., & Zaharia, M. (2010). A View of Cloud Computing. Communications of the ACM, 53(4), Barnett, W. P., & Carroll, G. R. (1993). How institutional constraints affected the organization of early US telephonies. Journal of Law, Economics and Organization, 9, Berger, P. L., & Luckmann, T. (1967). The social construction of reality: A treatise in the sociology of knowledge. New York: Doubleday. BBW (Bloomberg Businessweek). (2010). Salesforce.com Channels Facebook. August 30-September 5, Bottoms, A. E., &Wiles, P. (2002). Environmental criminology. Oxford Handbook of Criminology, Bradley, T. (2010). Build Your Own Private Azure Cloud with New Microsoft Appliance. PC World, July 13, 2010, available at e_clouc_with_new_microsoft_appliance.html?tk=hp_blg. Accessed September 20, Bradner, S. (2010). Internet privacy conflicts. Network World, September 27, 2010, 27(18), Brenner, S. W. (2004). Toward a criminal law for cyberspace: A new model of law enforcement? Rutgers Computer and Technology Law Journal, 30 (2004), 1-9. Brodkin, J. (2010). 5 problems with SaaS security. Network World, 27(18), Brynjolfsson, E., Hofmann, P., & Jordan, J. (2010). Cloud Computing and Electricity: Beyond the Utility Model. Communications of the ACM, May 2010, 53(5), Campbell, J. L. (2004). Institutional Change and Globalization. Princeton, NJ: Princeton University Press. Clarke, R. V. (1995). Situational crime prevention. In M. Tonry & D. P. Farrington (Eds.), Building a safer society. Strategic approaches to crime (pp ). University of Chicago Press. Crosman, P. (2009). Securing The Clouds, Wall Street & Technology, December 1, pp.23. Dean, T. J., & Meyer, G. D. (1996). Industry Environments and New Venture Formations in U.S. Manufacturing: a Conceptual and Empirical Analysis of Demand Determinations. Journal of Business Venturing, 11, Del Nibletto, P. (2010). The seven deadly sins of cloud computing, March 19, 2010, available at Accessed July 24, Dempsey, P. J. (2008). Unprepared to fight worldwide cyber crime, available at _msgid=154774#msg_ Accessed October 27, Page 15 of 23

16 Dickson, M., BeShers, R., & Gupta, V. (2004). The impact of societal culture and industry on organizational culture: Theoretical explanations. In J. H. Robert, J. H. Paul, J. Mansour, W. D Peter, & and G. Vipin (eds). Culture, leadership, and organizations: the GLOBE study of 62 societies. Thousand Oaks, Calif: Sage Publications. Economist, (2008). The Long Nimbus, 25 October, special section, pp Edelman, L. B., & Suchman, M. C. (1997). The legal environments of organizations. Annual Review of Sociology, 23, Edwards, J. (2009). Cutting Through the Fog of Cloud Security. Computerworld, 43(8), ENSIA. (2009). Cloud Computing: Benefits, risks and recommendations for information security. European Network and Information Security Agency, November, available at Accessed July 21, eweek.com. (2010). Did Yale Postpone Move to Google Apps over China Flap?, March 31, 2010, available at oogle_apps_over_china_flap.html. Accessed July 24, Gilson, R.J. (2001). Globalizing corporate governance: convergence of form or function. The American Journal of Comparative Law, 49(2001), Greengard, S., & Kshetri, N. (2010). Cloud Computing and Developing Nations. Communications of the ACM, 53(5), Greenwood, R., & Hinings, C. R. (1993). Understanding strategic change: The contribution of archetypes. Academy of Management Journal, 36(1993), Greenwood, R., & Hinings, C. R. (1996). Understanding radical organizational change: Bringing together the old and the new institutionalism. Academy of Management Review, 21, Guille n, M. F. & Sua rez, S. L. (2005). Explaining the Global Digital Divide: Economic, Political and Sociological Drivers of Cross-National Internet Use, Social Forces, 84(2): Hoffman, A. J. (1999). Institutional evolution and change: Environmentalism and the US chemical industry. Academy of Management Journal, 42(4), Huff, A. S. (1990). Mapping strategic thought. In A. S. Huff (eds.). Mapping strategic thought (pp.11 49). Chichester, England: Wiley. IWMSF (Information Warfare Monitor/Shadowserver Foundation), Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation, JR , April 6, 2010, available at Accessed July 24, Jepperson, R. (1991). Institutions, institutional effects, and institutionalism. In W. W. Powell & P. J. DiMaggio (eds.). The new institutionalism in organizational analysis (pp ). Chicago: University of Chicago Press. Page 16 of 23

17 Katyal, N. K. (2001). Criminal law in cyberspace. University of Pennsylvania Law Review, 149(4), Kelman, S. (1987). Making public policy: A hopeful view of American government. New York: Basic Books. Khalili, S. S. (2010). Clearing the air on cloud computing. New Straits Times (Malaysia), June 21, 9. Kshetri, N. (2007). The Adoption of E-Business by Organizations in China: An Institutional Perspective, Electronic Markets, 17(2), Kshetri, N. (2010a). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10), Kshetri, N. (2010b). The Global Cyber-crime Industry: Economic, Institutional and Strategic Perspectives. New York, Berlin and Heidelberg: Springer-Verlag. Kshetri, N., & Dholakia, N. (2009). Professional and Trade Associations in a Nascent and Formative Sector of a Developing Economy: A Case Study of the NASSCOM Effect on the Indian Offshoring Industry. Journal of International Management, 15(2), Larkin, E. (2010). Will Cloud Computing Kill Privacy?. PC World, Mar 2010, 28(3), Larsen, E., & Lomi, A. (2002). Representing change: A system Model of organizational inertia and capabilities as dynamic accumulation processes. Simulation Model Practice and Theory, 10(5), Martin, J. A. (2010). Should You Move Your Business to the Cloud?. PC World, Apr 2010, 28(4), Martínez-Cabrera, A. (2010). Security in the computing cloud a top concern, March 6, 2010, available at 06/business/ _1_cyber-security-czar-howard-schmidt-qualys-rsa. Accessed July 24, McCafferty, D. (2010). Cloudy Skies: Public Versus Private Option Still Up In The Air. Baseline, Mar/Apr2010, 103, McCann, D. (2010). Posted in: Accountants Head to the Cloud, CFO.com, March 24, 2010, available at Accessed July 24, McCreary, L. (2008). What Was Privacy? Harvard Business Review, 86(10), Messmer, E. (2010). Cloud computing providers working in secret. Network World, July 12, 2010, 27(13), Messmer, E. (2010). Secrecy of cloud computing providers raises IT security risks, available at Accessed July 24, Mullins, R. (2010). The biggest cloud on the planet is owned by... the crooks: Security expert says the biggest cloud providers are botnets, March 22, 2010, available at Accessed July 24, Page 17 of 23

18 NW (Network World). (2010). Inside the cloud security risk, 27(13), p. 11. Newman, K. L. (2000). Organizational transformation during institutional upheaval. The Academy of Management Review, 25(3), NIST (2009). Vulnerability Summary for CVE , 08/21/2010, The US National Institute of Standards and Technology, available at Accessed September 20, North, D. C. (1990). Institutions, institutional change and economic performance. Cambridge, UK: Cambridge University Press. North, D. C. (1996). Epilogue: Economic performance through time. In L. J. Alston, T. Eggertsson & D. C. North (eds.). Empirical studies in institutional change (pp ). Cambridge, PA: Cambridge University Press. Object Management Group. (2009). Cloud-Standards.org, Major Standards Development Organizations Collaborate to Further Adoption of Cloud Standards, available at Accessed October 14, Otis, C. & Evans, P. (2003). The Internet and Asia-Pacific Security: Old Conflicts and New Behavior, Pacific Rev.16,(4), Owens, D. (2010). Securing Elasticity in the Cloud. Communications of the ACM, Jun 2010, 53(6), Powell, W. W. (1993). The Social Construction of an Organizational Field: The Case of Biotechnology. Paper presented at the Warwick-Venice Workshop on perspectives on strategic change, University of Warwick. Regan, K. (2006). FBI: Cybercrime Causes Financial Pain for Many Businesses, technewsworld, available at Accessed October 1, Rogers, E. M. (1995). Diffusion of innovations. Fourth edition. New York: Free Press. Schneider, A. (1999). US neo-conservatism: Cohort and cross-cultural perspective. The International Journal of Sociology and Social Policy, 19(12), Scott, R. (1995). Institutions and organizations. Thousand Oaks, CA: Sage. Scott, R. (2001). Institutions and organizations. Thousand Oaks, CA: Sage. Scott, W. R., Ruef, M., Mendel, P. J., & Caronna, C. A. (2000). Institutional change and healthcare organizations: From professional dominance to managed care. Chicago, IL: University of Chicago Press. Snidal, D. (1996). Political economy and international institutions. International Review of Law and Economics, 16(1), Stewart, B. (2010). Apple Keeps itunes Out of the Cloud. Information Today, Oct 2010, 27(9), Sturdevant, C. (2010). Seeding security into the cloud. eweek, March 15, 2010, 27(6), Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), Page 18 of 23

19 Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing systems. Computer Law & Security Review, May 2010, 26(3), TR (Telecommunications Reports). (2010). Microsoft Urges Policymakers To Help Secure Cloud Computing, 76(3), Tillery, S. (2010). How Safe Is the Cloud?, available at Accessed July 24, Vardi, N. (2005). Chinese takeout. Forbes, July 25, p. 54. Vizard, M. (2010). Assessing the Risks of Cloud Computing, Oct 11, 2010, available at Accessed July 24, Wiesenfeld, B. M., Wurthmann, K. A., & Hambrick, D. C. (2008). The stigmatization and devaluation of elites associated with corporate failures: A process model. Academy of Management Review, 33(1), Wilshusen, G. C. (2010). Information Security Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. GAO Reports, July 1, 2010, preceding pp Wittow, M. H., & Buller, D. J. (2010). Cloud Computing: Emerging Legal Issues for Access to Data, Anywhere, Anytime. Journal of Internet Law, Jul 2010, 14(1), Zielinski, D. (2009). Be Clear on Cloud Computing Contracts. HRMagazine, Nov, 54(11), Zittrain, J. (2009). Lost in the Cloud. The New York Times, Late Edition Final, Section A, (July 2009), 19. Page 19 of 23

20 Figure 1: A framework for understanding security and privacy issues facing the cloud Institutional and technological environment facing the cloud Technological environment Institutional environment Newness Nature of the architecture Attractiveness and vulnerability as a cybercrime target Regulative institutions Normative institutions Cognitive institutions New and unique vulnerabilities Virtual and dynamic Sophistication and complexity Criminal controlled clouds Value of data in the cloud Laws to deal with data on the cloud Regulatory overreach Professional associations measures Industry standards and certification programs Cloud users Inertia effects Perception of vendor s integrity and capability to protect from third party and other risks Perception of confidentiality, integrity, and availability of the cloud Perception of legitimacy and trustworthiness of the cloud Assessment of institutional and technological facilitators and inhibitors Cloud adoption decision Page 20 of 23

SECURITY THREATS TO CLOUD COMPUTING

SECURITY THREATS TO CLOUD COMPUTING IMPACT: International Journal of Research in Engineering & Technology (IMPACT: IJRET) ISSN(E): 2321-8843; ISSN(P): 2347-4599 Vol. 2, Issue 3, Mar 2014, 101-106 Impact Journals SECURITY THREATS TO CLOUD

More information

The cloud - ULTIMATE GAME CHANGER ===========================================

The cloud - ULTIMATE GAME CHANGER =========================================== The cloud - ULTIMATE GAME CHANGER =========================================== When it comes to emerging technologies, there is one word that has drawn more controversy than others: The Cloud. With cloud

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

Just Net Coalition statement on Internet governance

Just Net Coalition statement on Internet governance Just Net Coalition statement on Internet governance (Just Net Coalition is a global coalition of civil society actors working on Internet governance issues) All states should work together to provide a

More information

FREQUENTLY ASKED QUESTIONS on C Y B E R S E C U R I T Y. By IEEE USA s Committee on Communications Policy

FREQUENTLY ASKED QUESTIONS on C Y B E R S E C U R I T Y. By IEEE USA s Committee on Communications Policy FREQUENTLY ASKED QUESTIONS on C Y B E R S E C U R I T Y By IEEE USA s Committee on Communications Policy December 2011 This Frequently Asked Questions (FAQs) was prepared by IEEE-USA s Committee on Communications

More information

Privacy and Security Issues in Cloud Computing: The Role of Institutions and Institutional Evolution

Privacy and Security Issues in Cloud Computing: The Role of Institutions and Institutional Evolution Privacy and Security Issues in Cloud Computing: The Role of Institutions and Institutional Evolution By: Nir Kshetri Kshetri, Nir (May June 2013). Privacy and Security Issues in Cloud Computing: The Role

More information

Cyber Security: Exploring the Human Element

Cyber Security: Exploring the Human Element Cyber Security: Exploring the Human Element Summary of Proceedings Cyber Security: Exploring the Human Element Institute of Homeland Security Solutions March 8, 2011 National Press Club Introduction A

More information

Securing Critical Information Assets: A Business Case for Managed Security Services

Securing Critical Information Assets: A Business Case for Managed Security Services White Paper Securing Critical Information Assets: A Business Case for Managed Security Services Business solutions through information technology Entire contents 2004 by CGI Group Inc. All rights reserved.

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

ACE European Risk Briefing 2012

ACE European Risk Briefing 2012 #5 ACE European Risk Briefing 2012 IT and cyber risk respondent profiles The research was carried out between 13 April and 3 May 2012. The sample comprised 606 European risk managers, CROs, CFOs, COOs

More information

In an age where so many businesses and systems are reliant on computer systems,

In an age where so many businesses and systems are reliant on computer systems, Cyber Security Laws and Policy Implications of these Laws In an age where so many businesses and systems are reliant on computer systems, there is a large incentive for maintaining the security of their

More information

Research Topics in the National Cyber Security Research Agenda

Research Topics in the National Cyber Security Research Agenda Research Topics in the National Cyber Security Research Agenda Trust and Security for our Digital Life About this document: This document summarizes the research topics as identified in the National Cyber

More information

2015 VORMETRIC INSIDER THREAT REPORT

2015 VORMETRIC INSIDER THREAT REPORT Research Conducted by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security FINANCIAL SERVICES EDITION #2015InsiderThreat RESEARCH BRIEF US FINANCIAL SERVICES SPOTLIGHT ABOUT

More information

HEALTH CARE AND CYBER SECURITY:

HEALTH CARE AND CYBER SECURITY: HEALTH CARE AND CYBER SECURITY: Increasing Threats Require Increased Capabilities kpmg.com 1 HEALTH CARE AND CYBER SECURITY EXECUTIVE SUMMARY Four-fifths of executives at healthcare providers and payers

More information

An Analysis of Data Security Threats and Solutions in Cloud Computing Environment

An Analysis of Data Security Threats and Solutions in Cloud Computing Environment An Analysis of Data Security Threats and Solutions in Cloud Computing Environment Rajbir Singh 1, Vivek Sharma 2 1, 2 Assistant Professor, Rayat Institute of Engineering and Information Technology Ropar,

More information

Security & privacy in the cloud; an easy road?

Security & privacy in the cloud; an easy road? Security & privacy in the cloud; an easy road? A journey to the trusted cloud Martin Vliem CISSP, CISA National Security Officer Microsoft The Netherlands mvliem@microsoft.com THE SHIFT O L D W O R L D

More information

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013 INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.

More information

A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE

A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE Contents How to Buy Cloud-to-Cloud Backup...................... 4 Wait What is Cloud-to-Cloud Backup?.....................

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

White Paper on CLOUD COMPUTING

White Paper on CLOUD COMPUTING White Paper on CLOUD COMPUTING INDEX 1. Introduction 2. Features of Cloud Computing 3. Benefits of Cloud computing 4. Service models of Cloud Computing 5. Deployment models of Cloud Computing 6. Examples

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop

More information

Top 10 Risks in the Cloud

Top 10 Risks in the Cloud A COALFIRE PERSPECTIVE Top 10 Risks in the Cloud by Balaji Palanisamy, VCP, QSA, Coalfire March 2012 DALLAS DENVER LOS ANGELES NEW YORK SEATTLE Introduction Business leaders today face a complex risk question

More information

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for

More information

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure

More information

Cybersecurity-related international institutions: An assessment and a framework for nations strategic policy choices

Cybersecurity-related international institutions: An assessment and a framework for nations strategic policy choices Cybersecurity-related international institutions: An assessment and a framework for nations strategic policy choices Abstract Area: ROADMAP FOR THE FURTHER EVOLUTION OF THE INTERNET GOVERNANCE ECOSYSTEM

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University.

Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University. Information Auditing and Governance of Cloud Computing IT Capstone 4444 - Spring 2013 Sona Aryal Laura Webb Cameron University P a g e 1 P a g e 2 Table of Contents Abstract... 3 Introduction... 3 Previous

More information

Cyber Security Recommendations October 29, 2002

Cyber Security Recommendations October 29, 2002 Cyber Security Recommendations October 29, 2002 Leading Co-Chair (Asia/Oceania) Co-Chair (Americas) Co-Chair (Europe/Africa) Dr. Hiroki Arakawa Executive Vice President NTT Data Corporation Richard Brown

More information

The Danish Cyber and Information Security Strategy

The Danish Cyber and Information Security Strategy February 2015 The Danish Cyber and Information Security Strategy 1. Introduction In December 2014 the Government presented a National Cyber and Information Security Strategy containing 27 government initiatives

More information

CyberSecurity Solutions. Delivering

CyberSecurity Solutions. Delivering CyberSecurity Solutions Delivering Confidence Staying One Step Ahead Cyber attacks pose a real and growing threat to nations, corporations and individuals globally. As a trusted leader in cyber solutions

More information

Fostering Incident Response and Digital Forensics Research

Fostering Incident Response and Digital Forensics Research Fostering Incident Response and Digital Forensics Research Bruce J. Nikkel bruce.nikkel@ubs.com September 8, 2014 Abstract This article highlights different incident response topics with a focus on digital

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK Executive Summary Core statements I. Cyber security is now too hard for enterprises The threat is increasing

More information

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION In the ever-evolving technological landscape which we all inhabit, our lives are dominated by

More information

WRITTEN TESTIMONY OF

WRITTEN TESTIMONY OF WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you

More information

Anatomy of a Healthcare Data Breach

Anatomy of a Healthcare Data Breach BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared

More information

Applying LT Auditor+ to Address Regulatory Compliance Issues

Applying LT Auditor+ to Address Regulatory Compliance Issues Applying LT Auditor+ to Address Regulatory Compliance Issues An Executive White Paper By BLUE LANCE, Inc. BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com In today s business environments,

More information

Honourable members of the National Parliaments of the EU member states and candidate countries,

Honourable members of the National Parliaments of the EU member states and candidate countries, Speech by Mr Rudolf Peter ROY, Head of division for Security Policy and Sanctions of the European External Action Service, at the L COSAC Meeting 29 October 2013, Vilnius Honourable members of the National

More information

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Executive Overview Within the legal sector, IT system security and compliance have changed dramatically

More information

Risks and Challenges

Risks and Challenges Cloud and Mobile Security: Risks and Challenges Chong Sau Wei (CISM) chong@scan associates.net General Manager Managed Security Services SCAN Associates Berhad Seminar e Kerajaan Negeri Pulau Pinang 14

More information

Microsoft s cybersecurity commitment

Microsoft s cybersecurity commitment Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade

More information

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler

Internet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler Internet Gaming: The New Face of Cyber Liability Presented by John M. Link, CPCU Cottingham & Butler 1 Presenter John M. Link, Vice President jlink@cottinghambutler.com 2 What s at Risk? $300 billion in

More information

Cyber Security - What Would a Breach Really Mean for your Business?

Cyber Security - What Would a Breach Really Mean for your Business? Cyber Security - What Would a Breach Really Mean for your Business? August 2014 v1.0 As the internet has become increasingly important across every aspect of business, the risks posed by breaches to cyber

More information

14 No. 5 GLCYLAW 1 Page 1 14 NO. 5 Cyberspace Law. 1 (Publication page references are not available for this document.)

14 No. 5 GLCYLAW 1 Page 1 14 NO. 5 Cyberspace Law. 1 (Publication page references are not available for this document.) 14 No. 5 GLCYLAW 1 Page 1 Cyberspace Lawyer June, 2009 CLOUD COMPUTING: THE INTERSECTION OF MASSIVE SCALABILITY, DATA SECURITY AND PRIVACY (PART I) Barry Reingold, Ryan Mrazik [FNa1] Copyright 2009 LegalWorks,

More information

An Overview of Cybersecurity and Cybercrime in Taiwan

An Overview of Cybersecurity and Cybercrime in Taiwan An Overview of Cybersecurity and Cybercrime in Taiwan I. Introduction To strengthen Taiwan's capability to deal with information and communication security issues, the National Information and Communication

More information

NATIONAL CYBER SECURITY AWARENESS MONTH

NATIONAL CYBER SECURITY AWARENESS MONTH NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the

More information

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program Mobile Application Security Helping Organizations Develop a Secure and Effective Mobile Application Security Program by James Fox fox_james@bah.com Shahzad Zafar zafar_shahzad@bah.com Mobile applications

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

Anatomy of a Hotel Breach

Anatomy of a Hotel Breach Page 1 of 6 Anatomy of a Hotel Breach Written by Sandy B. Garfinkel Monday, 09 June 2014 15:22 Like 0 Tweet 0 0 Data breach incidents have dominated the news in 2014, and they are only becoming more frequent

More information

C DIG COMMITTED TO EXCELLENCE IN CYBER DEFENCE. ONE MISSION. ONE GROUP. CSCSS / DEFENCE INTELLIGENCE GROUP

C DIG COMMITTED TO EXCELLENCE IN CYBER DEFENCE. ONE MISSION. ONE GROUP. CSCSS / DEFENCE INTELLIGENCE GROUP C DIG CSCSS / DEFENCE INTELLIGENCE GROUP COMMITTED TO EXCELLENCE IN CYBER DEFENCE. ONE MISSION. ONE GROUP. CENTRE FOR STRATEGIC CSCSS CYBERSPACE + SECURITY SCIENCE C DIG CSCSS / DEFENCE INTELLIGENCE GROUP

More information

Secure Cloud Computing through IT Auditing

Secure Cloud Computing through IT Auditing Secure Cloud Computing through IT Auditing 75 Navita Agarwal Department of CSIT Moradabad Institute of Technology, Moradabad, U.P., INDIA Email: nvgrwl06@gmail.com ABSTRACT In this paper we discuss the

More information

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Specific observations and recommendations that were discussed with campus management are presented in detail below. CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

Law & Ethics, Policies & Guidelines, and Security Awareness

Law & Ethics, Policies & Guidelines, and Security Awareness Law & Ethics, Policies & Guidelines, and Security Awareness Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of

More information

Factors Influencing an Organisation's Intention to Adopt Cloud Computing in Saudi Arabia

Factors Influencing an Organisation's Intention to Adopt Cloud Computing in Saudi Arabia 2014 IEEE 6th International Conference on Cloud Computing Technology and Science Factors Influencing an Organisation's Intention to Adopt Cloud Computing in Saudi Arabia Nouf Alkhater Gary Wills Robert

More information

A Detailed Strategy for Managing Corporation Cyber War Security

A Detailed Strategy for Managing Corporation Cyber War Security A Detailed Strategy for Managing Corporation Cyber War Security Walid Al-Ahmad Department of Computer Science, Gulf University for Science & Technology Kuwait alahmed.w@gust.edu.kw ABSTRACT Modern corporations

More information

Corporate Perspectives On Cybersecurity: A Survey Of Execs

Corporate Perspectives On Cybersecurity: A Survey Of Execs Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Corporate Perspectives On Cybersecurity: A Survey

More information

How-To Guide: Cyber Security. Content Provided by

How-To Guide: Cyber Security. Content Provided by How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses

More information

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in

More information

W H I T E P A P E R I m p a c t o f C y b e r s e c u r i t y A t t a c k s a n d N e w - A g e S e c u r i t y S t r a t e g i e s

W H I T E P A P E R I m p a c t o f C y b e r s e c u r i t y A t t a c k s a n d N e w - A g e S e c u r i t y S t r a t e g i e s W H I T E P A P E R I m p a c t o f C y b e r s e c u r i t y A t t a c k s a n d N e w - A g e S e c u r i t y S t r a t e g i e s IDC Middle East, Africa, and Turkey, Al Thuraya Tower 1, Level 15, Dubai

More information

Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary

Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary Is cyber security now too hard for enterprises? Executive Summary Sponsors The creation and distribution of this study was supported by CGI, cybx and Fujitsu/Symantec. Premium sponsors: Gold sponsor: 2

More information

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance Evolving Threats and Attacks: A Cloud Service Provider s viewpoint John Howie Senior Director Online Services Security and Compliance Introduction Microsoft s Cloud Infrastructure Evolution of Threats

More information

The NREN cloud strategy should be aligned with the European and national policies, but also with the strategies of the member institutions.

The NREN cloud strategy should be aligned with the European and national policies, but also with the strategies of the member institutions. 4 External influences PESTLE Analysis A PESTLE analysis is a useful tool to support the investigation and decision process relating to cloud services. PESTLE in general covers Political, Economic, Social,

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework (U) Appendix E: Case for Developing an International Cybersecurity Policy Framework (U//FOUO) The United States lacks a comprehensive strategic international policy framework and coordinated engagement

More information

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 Legal Issues Involved in Creating Security Compliance Plans W. David Snead Attorney + Counselor Washington,

More information

CYBER-ATTACKS THE GLOBAL RESPONSE

CYBER-ATTACKS THE GLOBAL RESPONSE R E P R I N T CYBER-ATTACKS THE GLOBAL RESPONSE REPRINTED FROM: Risk, Governance & Compliance for Financial Institutions 2015 RISK GOVERNANCE & COMPLIANCE for F I N A N C I A L INSTITUTIONS 2 0 1 5 Visit

More information

Enhancing Cybersecurity with Big Data: Challenges & Opportunities

Enhancing Cybersecurity with Big Data: Challenges & Opportunities Enhancing Cybersecurity with Big Data: Challenges & Opportunities Independently Conducted by Ponemon Institute LLC Sponsored by Microsoft Corporation November 2014 CONTENTS 2 3 6 9 10 Introduction The

More information

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit Setting the Health Care Table: Politics, Economics, Health November 20-22, 2013 Cybersecurity for Meaningful Use 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013 Healthcare Sector Vulnerable to Hackers By Robert O Harrow Jr.,

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Security Basics: A Whitepaper

Security Basics: A Whitepaper Security Basics: A Whitepaper Todd Feinman, David Goldman, Ricky Wong and Neil Cooper PricewaterhouseCoopers LLP Resource Protection Services Introduction This paper will provide the reader with an overview

More information

2015 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE FOURTH ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

2015 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE FOURTH ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE 2015 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE FOURTH ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE February 2015 2015 Network Security & Cyber Risk Management: The FOURTH

More information

Law Firms and Cyber Security

Law Firms and Cyber Security Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Law Firms and Cyber Security A hacker s dream and a lawyer s nightmare About Delta Risk is a global provider of strategic

More information

1) Outsourcing ERP systems helps to lower the cost of software ownership and maintenance. Answer: TRUE Diff: 1 Page Ref: 268

1) Outsourcing ERP systems helps to lower the cost of software ownership and maintenance. Answer: TRUE Diff: 1 Page Ref: 268 Enterprise Systems for Management, 2e (Motiwalla/Thompson) Chapter 10 Global, Ethics, and Security Management 1) Outsourcing ERP systems helps to lower the cost of software ownership and maintenance. Diff:

More information

Securing the Cloud Infrastructure

Securing the Cloud Infrastructure EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy

More information

CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL

CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL Paper By: Chow, R; Golle, P; Jakobsson, M; Shai, E; Staddon, J From PARC & Masuoka, R And Mollina From Fujitsu Laboratories

More information

Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham

Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham The dynamic provisioning of IT capabilities, whether hardware, software, or

More information

Business Communications for Healthcare

Business Communications for Healthcare Business Communications for Healthcare Today, many powerful business communication challenges face everyone in the healthcare chain including clinics, hospitals, insurance providers and any other organization

More information

Cybersecurity in SMEs: Evaluating the Risks and Possible Solutions. BANCHE E SICUREZZA 2015 Rome, Italy 5 June 2015 Arthur Brocato, UNICRI

Cybersecurity in SMEs: Evaluating the Risks and Possible Solutions. BANCHE E SICUREZZA 2015 Rome, Italy 5 June 2015 Arthur Brocato, UNICRI Cybersecurity in SMEs: Evaluating the Risks and Possible Solutions BANCHE E SICUREZZA 2015 Rome, Italy 5 June 2015 Arthur Brocato, UNICRI UNICRI s Main Goals The United Nations Interregional Crime and

More information

Cloud Computing Requires National Policy Leadership

Cloud Computing Requires National Policy Leadership Cloud Computing Requires National Policy Leadership BY DANIEL CASTRO AUGUST 2010 Policymakers should work both to ensure that the right policies are in place to enable widespread use of cloud computing

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

The Cloud Balancing Act for IT: Between Promise and Peril

The Cloud Balancing Act for IT: Between Promise and Peril The Cloud Balancing Act for IT: Between Promise and Peril Table of Contents EXECUTIVE SUMMARY...2 ONBOARDING CLOUD SERVICES...3 SYSTEMS OF RECORD: THE NEXT WAVE OF CLOUD ADOPTION...6 A CULTURE OF COMPLIANCE

More information

CYBERCRIME AND THE HEALTHCARE INDUSTRY

CYBERCRIME AND THE HEALTHCARE INDUSTRY CYBERCRIME AND THE HEALTHCARE INDUSTRY Access to data and information is fast becoming a target of scrutiny and risk. Healthcare professionals are in a tight spot. As administrative technologies like electronic

More information

Our security philosophy. Our team of experts

Our security philosophy. Our team of experts Security at Work Our security philosophy A critical part of our mission to make the world more open and connected is providing a secure community for everyone who uses Facebook. Ensuring the security of

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

CSIS/DOJ Active Cyber Defense Experts Roundtable March 10, 2015

CSIS/DOJ Active Cyber Defense Experts Roundtable March 10, 2015 CSIS/DOJ Active Cyber Defense Experts Roundtable March 10, 2015 On March 10, 2015 the Center for Strategic and International Studies, in conjunction with the Cybersecurity Unit of the U.S. Department of

More information

Cyber Threats: Exposures and Breach Costs

Cyber Threats: Exposures and Breach Costs Issue No. 2 THREAT LANDSCAPE Technological developments do not only enhance capabilities for legitimate business they are also tools that may be utilized by those with malicious intent. Cyber-criminals

More information

DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com

DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention symantec.com One of the interesting things we ve found is that a lot of the activity you d expect to be malicious

More information

Employing Best Practices for Mainframe Tape Encryption

Employing Best Practices for Mainframe Tape Encryption WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE Employing Best Practices for Mainframe Tape Encryption JUNE 2008 Stefan Kochishan CA MAINFRAME PRODUCT MARKETING John Hill CA MAINFRAME PRODUCT

More information

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial

More information

Promoting Cross Border Data Flows Priorities for the Business Community

Promoting Cross Border Data Flows Priorities for the Business Community Promoting Cross Border Data Flows Priorities for the Business Community The movement of electronic information across borders is critical to businesses around the world, but the international rules governing

More information

Corporate Spying An Overview

Corporate Spying An Overview Corporate Spying An Overview With the boom in informational and technological advancements in recent years, there comes the good and the bad the bad being more susceptibility to the theft of confidential

More information

White Paper #6. Privacy and Security

White Paper #6. Privacy and Security The Complexity of America s Health Care Industry White Paper #6 Privacy and Security www.nextwavehealthadvisors.com 2015 Next Wave Health Advisors and Lynn Harold Vogel, Ph.D. The Complexity of America

More information