Anatomy of a Cloud Computing Data Breach

Similar documents
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Security Issues in Cloud Computing

Information Technology: This Year s Hot Issue - Cloud Computing

Cloud Computing: Legal Risks and Best Practices

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

The Keys to the Cloud: The Essentials of Cloud Contracting

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Cloud Security and Managing Use Risks

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Managing Cloud Computing Risk

Cloud Computing Governance & Security. Security Risks in the Cloud

LEGAL ISSUES IN CLOUD COMPUTING

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Standard: Information Security Incident Management

Data Security Incident Response Plan. [Insert Organization Name]

Attachment A. Identification of Risks/Cybersecurity Governance

Supplier Information Security Addendum for GE Restricted Data

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

IDENTIFYING AND RESPONDING TO DATA BREACHES

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Office 365 Data Processing Agreement with Model Clauses

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Security Alert

VMware vcloud Air HIPAA Matrix

Top Ten Technology Risks Facing Colleges and Universities

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B

Data Protection: From PKI to Virtualization & Cloud

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

SECURITY THREATS TO CLOUD COMPUTING

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Ethical Considerations for Lawyers Using the Cloud

Newcastle University Information Security Procedures Version 3

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Hengtian Information Security White Paper

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

DATA SECURITY AGREEMENT. Addendum # to Contract #

OCIE CYBERSECURITY INITIATIVE

Cloud Computing Security Issues

Data Privacy, Security, and Risk Management in the Cloud

PCI Compliance for Cloud Applications

INFORMATION TECHNOLOGY SECURITY STANDARDS

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Data Breaches and Trade Secrets: What to Do When Your Client Gets Hacked

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Preventing And Dealing With Cyber Attacks And Data Breaches. Arnold & Porter LLP Lockheed Martin WMACCA February 12, 2014

Cybersecurity: Protecting Your Business. March 11, 2015

Cloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs

F G F O A A N N U A L C O N F E R E N C E

John Essner, CISO Office of Information Technology State of New Jersey

KEY STEPS FOLLOWING A DATA BREACH

Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 )

Risk Assessment Guide

Welcome & Introductions

Cloud Security:Threats & Mitgations

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Data Management Policies. Sage ERP Online

Data Processing Agreement for Oracle Cloud Services

White Paper on Financial Institution Vendor Management

External Supplier Control Requirements

Office of Inspector General

ISO Controls and Objectives

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Cloud Security Introduction and Overview

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Information Security Program Management Standard

Every Cloud Has A Silver Lining. Protecting Privilege Data In A Hosted World

Network & Information Security Policy

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

Information Resources Security Guidelines

TELEFÓNICA UK LTD. Introduction to Security Policy

How To Ensure Your Supplier Is Secure

DATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE

IT Audit in the Cloud

ISO COMPLIANCE WITH OBSERVEIT

Best Practices in Incident Response. SF ISACA April 1 st Kieran Norton, Senior Manager Deloitte & Touch LLP

Transcription:

Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1

Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations Ø Responding to a Cloud Data Security Incident Ø Cloud- Data Security Tips

Cloud 101 Welcome to Cloud Computing 2013 Winston & Strawn LLP

The Cloud & Cloud Computing Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models - NIST Special Publication 800-145, September 2011

The Cloud & Cloud Computing Cloud Computing = Internet accessing of applications and data stored or running on remote servers controlled by third parties. Common Features: Broad Network Access Pooled Resources Rapid Provisioning Pay as You Go

Cloud Service and Deployment Models Private / Public / Hybrid / Community Software as a Service Platform as a Service Infrastructure as a Service Provider Supplies: Applications Database Middleware OS Hardware/Networking Provider Supplies: Middleware Development Tools OS Hardware/Networking Customer provides the rest Provider Supplies Hardware/Networking Customer provides the rest

Advantages of Cloud Computing

Key Considerations Cloud Contracts/Negotiations 2013 Winston & Strawn LLP

Before Customers Start! Ø Why do we want to utilize cloud? Ø What applications/data are involved? Assess Criticality. What regulatory/contractual requirements apply? How are we going to move data in/out of the cloud? Ø What is our risk tolerance?

1. Data Issues Ø Ownership Ø Availability Ø Security Ø Location/Movement/Access Ø Compliance with Regulatory Requirements

1.A Data Ownership Ø Specify customer ownership of customerprovided data and data processed/generated in the cloud Specify how Supplier may use the data and any permitted third parties disclosures Ø Provider will want ownership of database structures they provide Be careful with this at exit

1.B Data Availability Ø Include defined service levels for data access and availability. Ø Are company data retention requirements specified, including for litigation holds and audit trails? Ø Are the parties disaster recovery and business continuity obligations and performance goals clearly allocated and stated? Ø Specify data backup requirements?

1.C Data Security Ø Identify data security requirements in the contract Appropriate for type of data involved Compliant with applicable legal requirements Leverage applicable data security standards (e.g. ISO) Physical and digital security requirements Ø Include remedies for data loss, unavailability and/or corruption Service credits Costs to restore or recreate Ø Data segregation requirements

1.D Data Location, Movement, Access Ø The cloud computing model is inherently cross-border Ø Specify data location(s) Ø Customer contractual right to control new locations Are compliant data transfer mechanisms in place (e.g., model contracts, Safe Harbor certification, BCRs, other)? Are flow-down terms required for approved sub-processors? Potential for compelled disclosure to government authorities Ø What are the provider s standard practices for responding to subpoenas or other government process? Litigation holds?

1.E Compliance with Regulatory Requirements Ø Have customer s data-related legal compliance requirements been included or referenced in the contract? Ø Allocation of responsibility for complying with law changes Ø Defined triggers: security breach, security incident, other? Ø Detailed incident response plan, including: Incident verification and notice to customer Customer retains control over notice obligations and communications Ø Allocate financial responsibility for breach-related costs

2. Exit Management What happens upon expiration or termination of agreement? Specify the exit plan and period. No liens or other provider right to withhold data Specifications for return of data and format requirements Does Customer need use of Provider s database structures in short/long term Provider obligation to destroy data securely, at customer s option Provider cooperation with successor

3. The Usual Suspects Ø Indemnification Ø Liability Caps Ø Exclusion of consequential damages Ø Provider insurance coverage

4. Other Considerations Ø Audit/Subcontracting Ø Can either party modify the terms unilaterally? Ø Is the customer permitted under law (e.g. export or data privacy) or its other agreements to move data/applications to the cloud and give access to the cloud provider(s) Ø Bankruptcy issues Ø Consider typical software license issues, particularly for SaaS

Cloud Data Security How Safe is your data in the cloud? 2013 Winston & Strawn LLP

Cloud Data Breaches

Cloud Computing Top Threats in 2013 hdp://farm5.staoc.flickr.com/4044/4250895150_dd7d515848_o ① DATA BREACH ② DATA LOSS ③ ACCOUNT OR SERVICE TRAFFIC HIGHJACKING ④ INSECURE INTERFACES AND APIs ⑤ DENIAL OF SERVICE ⑥ MALICIOUS INSIDERS ⑦ ABUSE OF CLOUD SERVICES ⑧ INSUFFICIENT DUE DILLIGENCE ⑨ SHARED TECHNOLOGY VULNERABILITIES

The Latest Information on Data Breaches v Incident: A security event that compromises the integrity, confidentiality of availability of data 63,437 v Breach: An incident that result on the disclosure or potential disclosure of information 1,367

8 Most Common Causes of Data Breaches 1. Weak and Stolen Credentials 2. Back Doors, Application Vulnerabilities 3. Malware 4. Social Engineering 5. Too Many Permissions 6. Insider Threats 7. Physical Attacks 8. Improper User Configuration, User Error Informa(on Week: The 8 Most Common Causes of Data Breaches

Cloud Data at Greater Risk of Breach? Ø Data in the cloud is 3 Omes more likely to be breached Ø 62% believe that cloud services are not thoroughly veded Ø 69 % believe that their organizaoon is not proacove in assessing informaoon that is too sensiove to be stored in the cloud. Data Breach: The Cloud MulOplier Effect May 2014

Data Breach Detection Ø Less than 2% of breaches are detected in the first 24 hours Ø Less than 46% of breaches are detected in the first 30 days Ø Over 92% of breaches are discovered by a third party Ø 60% of breaches have data exfiltrated in first 24 hours - - Verizon Data Breach Report 28

Responding to a Cloud Data Security Incident 2013 Winston & Strawn LLP

Follow your Data Breach Response Ø Develop a written Plan Ø Assemble your Team Ø Identify your Vendor partners Ø Test your Plan 30

- Investigation The Importance of a Privileged Investigation Privileged Investigation Ø Engage Counsel at outset Ø Direct the forensic/security vendors through counsel Ø Working with your cloud partner on the investigation Ø Educate your whole team about Privilege Ø Be careful what you put in writing

The Data Security Investigation Secure the data Preserve evidence Analyze forensic data Interview key witnesses Lessons Learned/Remediation

Challenges in a Cloud Investigation Control over the Data Timely Access to the Data Cost of getting the Data Access to the Vendor witnesses Understanding the Vendor data structure and Security Controls Privilege Considerations

Getting to the Heart of the Matter Ø What type of Information was Involved? Personal information involved? Payment Card Information Health Information Confidential, trade secret data involved? Ø How was the information protected? (Encryption) Ø Was the data actually compromised?

What are your obligations? Ø Federal or State Laws may require action Depends type of information at issue Depends on threshold numbers affected SEC Report Requirement if material breach Ø Impacted individuals Applicable law is where individual resides Legal implications of failing to properly notify 35

Texas Data Breach Statute 521.053 Texas Bus. & Com. Code A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach to any individual whose sensitive personal information believed to have been acquired by an unauthorized person. Ø Ø Extraterritorial Application Civil penalty up to $250,000 per breach

47 State Notification Laws Ø The trigger for notification Ø Who to notify Ø Timing of notification Ø Contents of notice Ø Methods for providing notice

If Laws Impacted, Notice Will Be Needed Impacted individuals Government AuthoriOes Credit reporong agencies Contractual Partners Press

What Notices Look Like Describe incident Categories of informaoon Consequences of breach/nature of risk ProtecOon measures put in place Advice about how to protect self

Does the Company Have a PR Strategy Ready? Ø What happened? Ø When did it happen? Ø What information was compromised? Ø Was my information compromised? Ø How many people s information was impacted? Ø Was the information encrypted? Ø Was my social security number compromised? Ø Did anyone misuse this information? Ø What should I do? Ø What are you doing to protect me? Ø Will this happen again? Ø Who should I contact if I have more questions?

Responding to the AG/Regulators Ø Maintain your credibility Ø Negotiate terms of requests Ø Circulate a hold for document destruction Ø Advocate your story 41

After Action Event Review Ø How did the team respond? Ø What can be improved in response/investigation? Ø What security issues can be tightened up? Ø Modify your plan/procedures if necessary

Cloud Data Security Measures 2013 Winston & Strawn LLP

Conduct Effective Due Diligence Ø Right to Audit Ø Obtain Data Security Controls data Ø Industry certifications, third party assessments, audits Ø Shared environment security Ø Logging and monitoring capabilities Ø Use of subcontractors for data-related processes Ø Data transfer/transition policies Ø Data recoverability and data destruction practices

Tips for Securing your data in the Cloud 1. Classify what data needs to be protected 2. Protect your most sensiove data Encrypt your sensiove data TokenizaOon Data loss prevenoon systems 3. Consider mulo- factor authenocaoon 4. Enforce lock out policies 5. Keep good logs and have a process to review 6. Pro- acovely invesogate suspicious acovity

Get Serious About Password Management Ø Educating users about how to select passwords Ø Minimum Password Length 13 Characters or more Ø Complexity Requirements Ø Enforce Password History Ø Use Maximum Password Age Ø Be Careful about shared-use Process or Admin passwords.

Course No. 901295791 Questions? 2013 Winston & Strawn LLP

Sheryl Falk 713.651.2615 sfalk@winston.com Mike Olive Managing Counsel BP Legal

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information