Cloud Security: Is It Safe To Go In Yet?

Transcription

1 Cloud Security: Is It Safe To Go In Yet? Execu1ve Breakfast Roundtable June 9, 2011 DC Chapter

2 Welcome, Introduc4ons AGENDA Legal Perspec4ve, Reed Smith Break Featured Speakers IBM, Ping Iden4ty, Oracle Break Closed Door Session, Members Only, Bryan Orme, Capital One Q&A, Wrap Up

3 INTRODUCTIONS Name Company Role What is primary security challenge of going to the cloud?

4 Bill s Key Thoughts The Cloud is.(insert adjec4ve here) Major hurdles seem to be: Where data resides (regulatory restric4ons, e- discovery concerns) IAM (trust) Lack of visibility into controls (loss of governance) We MUST help get there

5 LEGAL PERSPECTIVE Host: Reed Smith Amy Mushahwar

6 Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity Amy Mushahwar, Esq.

7 What s New? Not That Much. Some have their heads in the cloud we prefer to stay down in the weeds and know the details. Cloud Computing holds all of the risks of a typical web hosting shared services arrangement. The key is planning ahead and avoiding take-it-orleave-it agreements with standard, non-negotiable terms. If the cloud computing service provider is not willing to negotiate a contract, then the provider may not be worth the supposed cost savings.

8 Oy Veh! Where do I begin? Due Diligence Data Security Performance Terms of Service, Warranty and Indemnification Data Segregation Governmental and Third-Party Litigation Access Trade Secrets and Confidential Information Exit Plan

9 The Privacy/Data Security Analysis Alone Demands Caution Federal: Multiple sector-specific privacy laws: Education information FERPA Medical information HIPAA, the HITECH Act Financial data Gramm-Leach-Bliley ( GLBA ) Disclosure to law enforcement agencies USA Patriot Act Electronic communications ECPA E-Discovery Federal Rules of Civil Procedure ( FRCP ) State: Data-breach statutes, SSN laws, health privacy, financial privacy and the like. International: Personal data within EU The European Union Data Protection Directive; Data laws of non EU-States (i.e. Australia, Canada and now, Mexico) Contract: Payment Card Industry Standards and any other contractual privacy provisions.

10 Data Security: Much More than SAS 70 Certification Data Flows SAS 70 Certification Requirements for Physical and Logical Security Single Point or Multipoint Server Models Privacy Policy Review Data Migration (in and out of system) Data Backups & Recovery Audits? (PCI Compliance/Safe Harbor)

11 Performance / SLAs 24/7/365 uptime of cloud services is of critical importance. The inability to access data stored in the clouds can cause significant business interruption and lost revenue. Discuss Power Multiple Communications Links? Recent Service Level Payments? Recent Outages? Maintenance Windows and Access During Planned Outages? Data Restoration Timing?

12 Terms of Service, Warranty and Indemnification Vendors tend to provide vague terms of service, warranty nothing and make no indemnification promises. The worst clauses that I have seen are below: The unilateral right to limit, suspend, or terminate the service (with or without notice) (and for any reason) Disclaimer of liability relating to service quality and availability (instead, there should be clear initiation and ongoing service levels) Uptime and reliability percentage promises (where the vendor discerns the end points of uptime measurements)

13 Terms of Service, Warranty and Indemnification (continued) Disclaimer of all warranties, including the implied warranties of merchantability and of fitness for a particular purpose Disclaimer of liability for third-party action Remedy limitations, including total damages capped (such as a return of fees paid), and/or exclusion of consequential damages (such as loss of profits/revenue) Indemnification: does it look like a get-out-ofcourt/damages-free card? Has the provider so narrowly tailored the section to indemnify it against actions that are in fact not its responsibility

14 Data Segregation Currently, most cloud service providers offer their services on a shared server basis. Special care should be taken to ensure that your company's data is not inadvertently mingled with that of any other customer (especially, a competitor). The following questions should be asked to ascertain the provider s data segregation procedures: Ensure that no one other than your company has access to the data, even if the customer is hosted on a shared server? How frequently does the provider monitor its server to confirm that data is properly segregated?

15 Governmental and Third-Party Litigation Access Cloud Computing and the right to governmental access is an issue before the Supreme Court in Ontario v. Quon. Given the present ambiguity in the state of the law, the outsourcing agreement should contemplate the following: For instance: Is the provider required to notify the user if the provider receives a subpoena, search warrant, or other lawful request for user information? (Note, that there are some subpoenas, where the government forbids customer notification). Will the cloud provider seek a protective order to prevent and/or limit disclosure of company data? In the event of litigation, how are litigation holds enforced? What are the procedures to make sure user data is segregated and retained? How are e-discovery requests handled? How would metadata be protected? And how is information searched for and retrieved? Which party bears the costs associated with processing data for discovery purposes?

16 Trade Secrets and Confidential Information Even with good contractual provisions storage of a company s trade secrets with a cloud provider carries significant risk. Under the Uniform Trade Secrets Act, for a company s proprietary information to be accorded trade secret status, the trade secret must be, at a minimum, the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Whether a transfer of trade secrets to a cloud provider extinguishes the trade secret has yet to be ruled upon. A company s trade secrets may lose their status as such even in circumstances where the cloud provider commits to keeping confidential any information it receives. Certainly, where the cloud provider s terms of service allows the provider to see, use, or disclose information, this may degrade the user s claim that the information is a trade secret.

17 Exit Plan An exit plan defining each party s obligations in the event of a termination of services should also be clearly set forth in the agreement, consider the following: Reasons for Termination Timing for Termination (allowing for a transition plan?) Risk of Provider Lock-in Data Return / Data Backup Transition Assistance / Data Format / Data Transfer Data Disposal Encryption Complications

18 A Few Words from Our Tax Lawyers Cloud computing, including cloud services, is one of the most notable, recent targets in the federal and state governments search for revenue. Federal legislation was introduced in July 2010 that would impose sales tax on digital commerce, including possibly some cloud services, and many states have begun to expand their state tax laws to reach cloud products and services. The primary tax issues involved in cloud computing and cloud services are: Nexus Contacts with the Jurisdiction (e.g., income, gross receipts, sales and use)? Taxability Service Characterization Dictates Treatment (e.g. a good, service, data processing, infrastructure, platform, and software services). Sourcing revenue sourced to destination, origination, ugh! 18

19 Encryption: Avoiding Information Transfers vis-à-vis Encryption Emerging view regarding encryption is if the service provider does not have the encryption key, then information has technically not been transferred If data is encrypted in the cloud, the service provider has not been given access to the data. However, a company may have reasons to provide the service provider with an encryption key. What if the key is lost or there is employee turnover? An encryption key may be held in trust by a third-party so that the key is not held by the service provider. A key held in trust is then kept safe and available if needed later

20 Attorney- Client Privilege Expectations When Transferring to the Cloud Normally, when one transfers information to a third-party, confidentiality and attorney-client privilege is moot. There can be no expectation of privacy when information has been transferred to a party that has no obligation to keep the information confidential. So, is the cloud considered a third-party?? Common law view is that the cloud IS a third party and there is no expectation of privacy Emerging modern view taken by some states ethics panels is that if the service provider does its due diligence and keeps the information confidential and secure, when an attorney puts information in the could, privilege DOES NOT dissolve.

21 Department of Commerce Information Security Report Released yesterday. Increases the visibility of cybersecurity and effectuates President Obama s cyber security mandate. Expect cybersecurity/cloud security legislative movement in the next year.

22 Conclusion Sometimes the seemingly amazing cost savings of a commodity provider fails to reveal the hidden regulatory costs that could emerge down the line. We recommend cautiously exploring each solution with full network documentation, before entering into a cloud outsourcing arrangement.

23 BREAK

24 BREAK

25 MEMBER ONLY SESSION Sponsors Depart Featuring Member Bryan Orme, Capital One

26 Cloud Computing June 9,

27 What is Cloud Computing? Cloud Computing Defined In the purest sense, Cloud Computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Five Attributes of Cloud Computing It is service-based It is scalable and elastic you can add and remove infrastructure as needed It uses shared infrastructure to build economies of scale It is metered and users pay according to usage It uses Internet technologies for delivery 27

28 Risks of The Cloud Security Weakness Concerns What happens when the Internet fails in a crisis? Will our data and other information be compromised? Lack of Monitoring Capability How will we know if our data is compromised? Monitoring metrics are insufficient Vendors are reluctant to reveal performance statistics Inability to guarantee secure connectivity on the Internet 28

29 Risks of The Cloud Based on Type of Use Software as a Service Authentication and authorization capabilities are developed to be easy to manage and available for a large audience so they may have shortcomings in how they audit and log capabilities or access. Platform as a Service Development risks exist because development staff rarely includes application security professionals. Infrastructure as a Service The infrastructure is designed for a large number of users with different needs, which can lead to unpredictable issues and vulnerabilities based on how it is used, what it is used for, and the provider s security practices. 29

30 Up in the Clouds Public, Managed, Private, Hybrid 30

31 Private Clouds and Virtualization Virtualization Defined Broad term that refers to the abstraction of computer resources. Virtualization is disassociating the tight bond between software and hardware. Types of Virtualization Server Virtualization Blades centers, Superdome, VMware, UCS, Z9 Application Virtualization Java, Websphere, Weblogic Desktop Virtualization PC on a stick, virtual desktop imaging Network Virtualization MPLS, VPN, VPN SSL Storage Virtualization Tiers, pooled storage, geographic deployment 31

32 Many Financial Institutions are building an Internal Cloud, that easily adapts to future technology capabilities Characteristics Associated Capabilities Dynamic and Virtualized Shared, Elastic and Scalable Infrastructure Data center infrastructure virtualization Application abstraction Automated discovery and provisioning Integrated infrastructure stack Standardized services with fewer technology stacks Stateless computing Pervasive application workload/state mobility High availability One unified network with embedded in depth security Efficient and Ondemand Dynamic provisioning (minutes vs. days) Improved utilization and efficiency Tiered storage and optimized backup Green and efficient data center Efficient network with embedded infrastructure services SLAs based off resource units Streamlined Operations Standard processes and tools Real time monitoring of business availability Proactive infrastructure monitoring Global availability center Cost transparency Enhanced security Enhanced Business Continuity High availability across datacenters Standardized business continuity tiers Seamless fail back to production Failover applications on-demand 32

33 So where do we stand and how do we get a new state???? Traditional Data Center Thousands of disparate servers, disjoint networking and storage Cloud Based Data Center Control Domain Control Domain Wintel Stack Linux Stack Unix Stack MF Stack Biz Appls Base App Svcs Biz Appls Base App Svcs Biz Appls Base App Svcs Biz Appls Base App Svcs Security Security Security Security Network Storage Network Storage Network Storage Network Storage Platform Platform Platform Platform M P L S V P N Thousands of disparate servers, disjoint networking and storage Common Storage Farm Control Domain Common Network Infrastructure Control Domain C L O U D 33

34 CHAPTER BUSINESS Next Chapter Mee1ng: July 14, Mobile Device Security Need a member to lead discussion Seeking sponsor vendors

35 Q&A & Wrap Up

36 THANKS Return Badges See you July 14