Information Technology: This Year's Hot Issue - Cloud Computing


Presented by: Alan Sutin, Global IP & Technology Practice Group, Greenberg Traurig, LLP, Attorneys at Law, www.gtlaw.com. 2011. All rights reserved.

What is cloud computing?

National Institute of Standards and Technology (NIST) Working Definition

NIST defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. There are currently three basic service models, delivered through public, private or hybrid delivery models.

Public Cloud Service Models

- Software as a Service (SaaS): use the provider's application over the Internet
- Platform as a Service (PaaS): deploy enterprise-created applications in a cloud
- Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources

The Cloud is Wonderful, but...

- How can I maintain control of my data in the cloud?
- What if I want to change cloud vendors?
- How can I verify my data is destroyed when terminating a service provider?
- What happens if my service provider goes out of business?
- How can I comply with security best practices, internal governance and compliance rules in the cloud?
- How can I guarantee only I have access to my data?

Security Issues

- Information is no longer in your direct custody or control; data is handed over to a third party to manage.
- Cloud providers often use third-party providers themselves, creating further distance between you and where your data is used and potentially stored.
- Information may be resident in another jurisdiction or in multiple jurisdictions.
- Multiple third parties have access to the physical devices and processing environment, even if tenants are virtually segregated.
- Cloud providers sometimes implement security assuming that those outside their cloud are evil and those inside are good. But what if those inside are also evil?

Privacy Issues Throughout the Data Lifecycle

Protection of personal information should consider the impact of the cloud on each phase of the data lifecycle.

Storage

- Is data commingled with information from other organizations that use the same vendor?
- What third parties can access my information?
- In some jurisdictions, governments may have the right and ability to search through data without necessarily notifying the data owner.
- Does the cloud provider itself have any right to see and access customer data? Some vendors today track user activity for a range of purposes, from sending targeted advertising to improving services.

Retention

- How long is personal information retained in the cloud?
- Which retention policy governs the data?
- Who enforces the retention policy in the cloud, and how are exceptions to this policy (such as litigation holds) managed?
- Does the customer own the data, or the vendor?

Destruction

- How does the cloud provider destroy data at the end of the retention period?
- Cloud storage providers often replicate the data across multiple systems and sites: how do you assure the vendor didn't retain additional copies?
- Did the vendor really destroy the data, or just make it inaccessible to the organization?
- Is the vendor keeping the information longer than necessary so that it can mine the data for its own use?
- How do organizations ensure that their PII is destroyed by the vendor at the right point?
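The Retention and Destruction questions above are, on the customer side, a small bookkeeping problem: which policy governs each record, when it may be destroyed, how a litigation hold overrides the schedule, and what evidence the customer keeps that the vendor destroyed every copy rather than just hiding the primary. The following is an added example written for this page, not code from the presentation or from Greenberg Traurig; the retention schedule, record identifiers, dates and the attestation fields (`primary_deleted`, `replicas_deleted`, `backups_purged`) are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention schedule (constructed for this example):
# data class -> retention period in days from record creation.
RETENTION_DAYS = {
    "pii": 3 * 365,
    "financial": 7 * 365,
    "marketing": 365,
}

# A vendor destruction attestation must cover every copy. Replicas and
# backups are exactly where "inaccessible" differs from "destroyed".
REQUIRED_ATTESTATION = ("primary_deleted", "replicas_deleted", "backups_purged")


@dataclass
class Record:
    record_id: str
    data_class: str
    created: date
    holds: set = field(default_factory=set)   # litigation-hold matter ids currently applied
    destroyed: bool = False
    attestation: Optional[dict] = None        # vendor's attestation, retained by the customer


def disposition_date(record: Record) -> date:
    """Earliest date on which the governing retention policy permits destruction."""
    if record.data_class not in RETENTION_DAYS:
        raise ValueError(f"no retention policy governs data class {record.data_class!r}")
    return record.created + timedelta(days=RETENTION_DAYS[record.data_class])


def eligible_for_destruction(record: Record, today: date) -> bool:
    """Past retention, not already destroyed, and not under any hold.
    A litigation hold is the exception that overrides the schedule."""
    return (not record.destroyed
            and not record.holds
            and today >= disposition_date(record))


def destruction_worklist(records: list[Record], today: date) -> list[str]:
    """Record ids the customer may instruct the vendor to destroy today."""
    return [r.record_id for r in records if eligible_for_destruction(r, today)]


def place_hold(records: list[Record], matter: str, record_ids: set[str]) -> None:
    for r in records:
        if r.record_id in record_ids:
            r.holds.add(matter)


def release_hold(records: list[Record], matter: str) -> None:
    for r in records:
        r.holds.discard(matter)


def accept_destruction(record: Record, attestation: dict) -> tuple[bool, list[str]]:
    """Mark a record destroyed only on a complete vendor attestation.

    Returns (accepted, missing_items). The customer's own ledger, not the
    vendor's dashboard, is the record of what was destroyed and when.
    """
    if record.holds:
        raise ValueError(f"{record.record_id} is under hold {sorted(record.holds)}; do not destroy")
    missing = [k for k in REQUIRED_ATTESTATION if not attestation.get(k)]
    if missing:
        return False, missing
    record.destroyed = True
    record.attestation = dict(attestation)
    return True, []


if __name__ == "__main__":
    # Constructed sample inventory.
    today = date(2024, 1, 1)
    inventory = [
        Record("r1", "pii", date(2020, 1, 1)),
        Record("r2", "financial", date(2020, 1, 1)),
        Record("r3", "marketing", date(2023, 6, 1)),
        Record("r4", "pii", date(2019, 1, 1)),
    ]
    place_hold(inventory, "matter-42", {"r4"})
    print("eligible today:", destruction_worklist(inventory, today))  # ['r1']
```

Note the two deliberate refusals: a record under hold can never be destroyed, even if the vendor sends a complete attestation, and an attestation that omits replicas or backups is rejected rather than logged as partial success. That is how the "did they really destroy it?" question becomes a checkable condition instead of a hope.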

Business to Business Privacy Issues

- Trade secrets
- Privileged information
- Access by governmental entities
- Export control issues

Approaching Privacy in the Cloud

- Define the Workload (isolate a function)
- Classify the Relevant Data
- Establish Contractual Obligations
- Sensitive Data
- Assess the Associated Risks
- Define Appropriate Controls
- Determine Legal and Regulatory Requirements

Remember Basic Principles

- The original custodian is responsible for protecting and safeguarding the personal information.
- The original custodian must make informed choices about data handling, including what services and providers to use for its processing.
- Take a risk-based approach: What is the sensitivity of the information? What is the risk to the data? What role does the jurisdiction play in that risk?
- If the risk is high and the safeguards cannot be assured, then don't use the service provider.
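The two slides above describe one procedure: define and classify the workload, determine the controls the data requires, assess the risk (sensitivity, threat to the data, jurisdiction), and refuse the provider when the risk is high and the safeguards cannot be assured. The following is an added example, written for this page rather than taken from the presentation, that turns that rule into a repeatable go/no-go check. The sensitivity tiers, jurisdiction ratings, control names and the numeric thresholds are constructed assumptions; a real programme would take them from its own classification and privacy policies.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed scoring tiers (assumptions for this example).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "pii": 3, "regulated": 4}
JURISDICTION_RISK = {"home": 0, "adequate": 1, "unknown": 2, "high_risk": 3}

# Controls that must be ASSURED (evidenced by audit report or contract, not
# merely claimed) before a data class may be placed with a provider.
# Hypothetical mapping.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"access_logging"},
    "confidential": {"access_logging", "tenant_segregation"},
    "pii": {"access_logging", "tenant_segregation", "incident_response", "verified_destruction"},
    "regulated": {"access_logging", "tenant_segregation", "incident_response",
                  "verified_destruction", "third_party_audit", "contractual_data_location"},
}


@dataclass(frozen=True)
class Workload:
    name: str
    data_classes: frozenset      # classify the relevant data
    jurisdictions: frozenset     # everywhere the provider may store or process it


@dataclass(frozen=True)
class Provider:
    name: str
    assured_controls: frozenset  # safeguards the customer can actually verify


@dataclass(frozen=True)
class Decision:
    verdict: str                 # "approve", "conditional" or "reject"
    risk_level: str
    risk_score: int
    missing_controls: tuple


def sensitivity(workload: Workload) -> int:
    unknown = workload.data_classes - set(SENSITIVITY)
    if unknown:
        raise ValueError(f"unclassified data: {sorted(unknown)}")
    return max(SENSITIVITY[c] for c in workload.data_classes)


def jurisdiction_risk(workload: Workload) -> int:
    unknown = workload.jurisdictions - set(JURISDICTION_RISK)
    if unknown:
        raise ValueError(f"unrated jurisdictions: {sorted(unknown)}")
    return max(JURISDICTION_RISK[j] for j in workload.jurisdictions)


def risk_score(workload: Workload) -> int:
    # Jurisdiction adds to, rather than scales, the data's own sensitivity.
    return sensitivity(workload) + jurisdiction_risk(workload)


def risk_level(score: int) -> str:
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def required_controls(workload: Workload) -> set[str]:
    controls: set[str] = set()
    for c in workload.data_classes:
        controls |= REQUIRED_CONTROLS[c]
    return controls


def assess(workload: Workload, provider: Provider) -> Decision:
    score = risk_score(workload)
    level = risk_level(score)
    missing = tuple(sorted(required_controls(workload) - provider.assured_controls))
    if not missing:
        verdict = "approve"
    elif level == "high":
        verdict = "reject"        # high risk and safeguards not assured: do not use
    else:
        verdict = "conditional"   # close the gaps contractually before go-live
    return Decision(verdict, level, score, missing)


if __name__ == "__main__":
    # Constructed workloads and providers.
    hr = Workload("hr-records", frozenset({"pii", "internal"}), frozenset({"home", "unknown"}))
    basic = Provider("basic-host", frozenset({"access_logging", "tenant_segregation"}))
    print(assess(hr, basic))  # reject: high risk, incident_response and verified_destruction unassured
```

The check is deliberately conservative in one direction only: a provider with every required control assured is approved regardless of score, because the slide's rule is about unassured safeguards, while a high-risk workload with any gap is rejected rather than negotiated. Medium and low risk with gaps become a "conditional" result, which is where the contractual-obligations step does its work.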

Threshold Questions/Issues

- Where and how will users access the cloud?
- How secure is the cloud provider?
- Does it have incident response, notification and remediation processes?
- Are its servers in a secure facility?
- Does it conduct ongoing third-party assessments (e.g., SAS 70 Type II audits) and make these available to customers?
- Does the provider segregate job duties, limit access to systems, and limit access to customers' data?
- Does it use strong authentication and robust password policies?
- Does it keep audit trails?

8 Questions to Ask Your Cloud Vendor

1. Can I see your data center? Ask the vendor to show you their environment and explain their security controls.
2. How do I move my apps to the cloud? Understand the processes and procedures, which may introduce additional security risks.
3. How are my apps and data protected from other users on the same cloud servers? Understand how the vendor handles multiple tenants on the same cloud servers and how segregation of data and applications is achieved.
4. Can I speak with some of your customers? Customer references will give you the opportunity to compare vendor statements with customer experiences.

8 Questions to Ask Your Cloud Vendor (continued)

5. Can I move an existing app from my servers to your cloud without massive reconfiguration? The cloud vendor's infrastructure is likely different from yours.
6. How do I get my data back? In the event you need to move applications and data back into your data center (or to another cloud vendor), know where the data is stored and how you will get it back.
7. How do you address government regulations? It is critical to know how your cloud vendor is handling your data so you can assure regulatory compliance.
8. What will I really pay? Cloud vendors sometimes leave details out of their cost estimates (e.g., the cost of data transfer and set-up).

Vendor Selection

- Avoid take-it-or-leave-it agreements with standard, non-negotiable terms.
- To ensure that your organization's data is not inadvertently mingled with that of any other company (especially a competitor), ascertain the provider's data segregation procedures:
  - Ensure that no one other than your organization has access to the data, even in a multi-tenant shared-hosting environment.
  - Determine how frequently the provider monitors its environment to confirm that data is properly segregated.
- The cloud provider should have good disaster recovery and business continuity plans.

Vendor Selection (continued)

- Has the cloud provider implemented a security incident response plan (including forensic investigations and remediation procedures)?
- How will the provider deal with electronic discovery requests?
- Will the provider sign EU model contract clauses or become Safe Harbor certified if needed?
- Does the provider have good physical security measures in its data centers (video cameras, key card entry, security personnel, etc.)?
- Does the provider conduct background checks on IT administrators who will have access to the cloud?
- Does the provider have current certifications, as applicable (e.g., PCI DSS, ISO 27001/02, SAS 70)?

Thank You

Alan N. Sutin
212.801.9286
sutina@gtlaw.com