Patriot Act Impact on Canadian Organizations Using Cloud Services
November 8, 2013
By Scott Wright, The Streetwise Security Coach
http://www.securityperspectives.com
Why do nation-states do surveillance?
- To fight terrorism
Why do nation-states do surveillance?
- To protect their citizens, of course
- Also:
  - Economic advantage
  - Military advantage
  - Ideology, persecution and other reasons
Why does this matter to businesses in Canada?
- Shareholders
- Clients
- Stakeholders
What is the Patriot Act?
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001
- It amends the Foreign Intelligence Surveillance Act (FISA) of 1978, which governs the surveillance powers discussed here
Risks to business from surveillance
Risk = Assets x Vulnerabilities x Threats
Provisions affecting Canadian organizations?
- Removed the requirement that the government prove a surveillance target under FISA is a non-U.S. citizen and an agent of a foreign power (USA PATRIOT Act, U.S. H.R. 3162, Public Law 107-56, Title II, Sec. 214)
- Gave authorities the ability to share information gathered before a federal grand jury with other agencies (Title II, Sec. 203)
- The relaxed requirements can allow collection from any U.S.-controlled organization, even if its data centres are not on U.S. soil
Does it matter where the data is?
- For nations that don't abide by international laws and agreements: NO, it doesn't matter
Does it matter where the data is?
- Legally, not really
- Mutual Legal Assistance agreements effectively exempt requests made for legal investigations from data protection laws
- Subsidiaries can be compelled to export data
- http://www.zdnet.com/yes-u-s-authorities-can-spy-on-eu-cloud-data-heres-how-7000010653/
Why worry about data in the cloud?
- Represents a one-stop shop for attackers
- Businesses have less control
- Security can be complicated
- Terms and conditions are often one-size-fits-all, to suit the provider
- Often the weakest link
Who does surveillance of cloud data affect?
- Depends on your assumptions:
  - Do authorities follow the publicized laws? Then worry about legal liabilities to your clients
  - Or do they overstep? Then it looks more like a malicious attack
- Worst case: any entity that uses the Internet
European concerns in 2011
- http://arstechnica.com/tech-policy/2011/12/patriot-act-and-privacy-laws-take-a-bite-out-of-us-cloud-business/
Protecting public bodies from the PATRIOT Act
BC's Freedom of Information and Protection of Privacy Act (FOIPPA) requires service providers to public bodies:
1. to make reasonable security arrangements to protect the personal information disclosed to them by their public body clients from unauthorized collection, use or disclosure;
2. to ensure that their storage of, and all access to, such personal information is restricted to locations within Canada;
3. to report to the B.C. Government any foreign demands for disclosure of such personal information made to that service provider; and
4. not to disclose any such personal information, inside or outside Canada, in a manner that contravenes FOIPPA.
Which Canadian organizations does it affect?
- Assume nation-states are crossing the line, to some extent
- What could they want with your data or systems?
  - Intellectual property
  - Operations
  - Critical infrastructure
  - High-profile clients (vocal, strategic)
- Or your partners' systems or data?
Types of cloud services and risks
Range of exposures, from metadata up to rich data:
- Free and impulsive: Google Search, Maps
- Membership sites and social media: YouTube, G+, Facebook, LinkedIn
- Storage sites: Drive, Dropbox, Box.net
- Value-added services: Android, Salesforce, PayPal
Why you should care about privacy
- Attackers focus on real vulnerabilities
  - Their remote admin access is single-factor!
- Service providers' claims of security shape clients' perceptions
  - "We use SSL!" (transport encryption says nothing about who can read the data once it is at rest with the provider)
- Your clients care about their information, not just personal information
- No excuse for allowing misconceptions
When is there risk to corporate data?
- When you don't have total control
- Cloud use by apparently self-contained products
  - Hard to migrate
  - Hard to audit
When should you avoid it?
- Risk-averse organizations
- Business operations could be compromised
- Competitive risks
- Sensitive information assets
- Potentially targeted clients or partners
How did Snowden change the perceived risks?
- PRISM
- BULLRUN
- Email and other unencrypted transmissions
- Potentially weak or weakened security products or features
  - What can be decrypted? How?
- Insiders are a different aspect of the same problem
How should we view the risks?
Risk = Assets x Vulnerabilities x Threats
Options for Canadian organizations?
- Don't use the cloud for sensitive data
- Use end-to-end or persistent encryption
  - What about cloud services with value-added services and specialized functionality? Don't assume they are encrypted
  - What about encryption of data in use?
- Open source security products, e.g. Dark Mail, TrueCrypt
Practical internal options?
- When using cloud or any outsourced services:
  - Negotiate agreements that closely match your security policies
  - Explicit provisions in case of lawful access requests
  - Cloud providers should follow developments
- Try to implement security to reduce the likelihood of data exposure
  - Plausible deniability when asked for lawful access (nothing readable to hand over)
  - Try to encrypt and wipe when not processing
  - Implement private clouds, virtualized remote access
- Defence in diversity: layers of open source and proprietary safeguards
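The two slides above (end-to-end or persistent encryption; encrypt and wipe when not processing; plausible deniability under lawful access) and the earlier "We use SSL!" point come down to one design: keep the key in-house and give the provider only ciphertext. The Go program below is an added example written for this page, not code from the presentation or from any cloud provider. It assumes a locally generated AES-256 key in place of an on-premises key manager, uses an in-memory map as a stand-in for the provider's object store, and the sample document it encrypts is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keeper holds the data-encryption key on the organization's own systems;
// only ciphertext ever reaches the provider, so a lawful access demand
// served on the provider yields no plaintext.
type Keeper struct{ key []byte }

// NewKeeper makes a random 256-bit AES key. Assumption for this example:
// in production the key would live in an on-premises key manager or HSM.
func NewKeeper() (*Keeper, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Keeper{key: key}, nil
}

func (k *Keeper) aead() (cipher.AEAD, error) {
	if k.key == nil {
		return nil, errors.New("key has been wiped")
	}
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under a fresh random nonce and binds the
// object name as associated data, so a blob returned under a different
// name (or swapped between objects) fails authentication on Open.
// Layout of the stored blob: nonce || ciphertext || tag.
func (k *Keeper) Seal(objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal; a flipped bit, a truncated blob or a mismatched
// object name yields an error, never plaintext.
func (k *Keeper) Open(objectName string, blob []byte) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
}

// Wipe zeroes the key when no processing is under way ("encrypt and wipe
// when not processing"); Seal and Open fail until a key is reloaded.
func (k *Keeper) Wipe() {
	for i := range k.key {
		k.key[i] = 0
	}
	k.key = nil
}

// CloudStore is a constructed stand-in for the provider's object storage.
type CloudStore map[string][]byte

func (c CloudStore) Put(name string, blob []byte) { c[name] = blob }

// PlaintextVisible asks what a compelled disclosure would expose: does the
// blob the provider holds contain the plaintext verbatim?
func (c CloudStore) PlaintextVisible(name string, plaintext []byte) bool {
	b, ok := c[name]
	return ok && bytes.Contains(b, plaintext)
}

func main() {
	k, _ := NewKeeper()
	store := CloudStore{}
	// Constructed sample document; nothing here is real data.
	secret := []byte("constructed sample: Q4 acquisition targets ACME, Initech, Globex")
	blob, _ := k.Seal("finance/targets.txt", secret)
	store.Put("finance/targets.txt", blob)
	fmt.Println("provider holds plaintext:", store.PlaintextVisible("finance/targets.txt", secret))
	pt, err := k.Open("finance/targets.txt", store["finance/targets.txt"])
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, secret))
	_, err = k.Open("finance/other.txt", store["finance/targets.txt"])
	fmt.Println("swapped object name rejected:", err != nil)
	k.Wipe()
	_, err = k.Open("finance/targets.txt", store["finance/targets.txt"])
	fmt.Println("open after wipe rejected:", err != nil)
}
```

Run it with `go run`. Binding the object name as GCM associated data is what stops a blob being served back under another object's name and accepted; the TLS session to the provider does none of this, because the provider terminates TLS and keeps whatever it received. Wipe models the slide's encrypt-and-wipe idea at the key level only; a real deployment also has to think about swap, core dumps and copies the runtime keeps.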
What about policies?
- Assume lawful access requests will happen
- Assume nation-states will attempt to access your data, or use your infrastructure as a stepping stone
- Be clear on policies for protecting operational data
- Understand your legal position around lawful access
  - Formulate policies to support that legal position
- Educate staff on workflow security
  - There should be no need for emailing work home
  - Efficient control
- Your clients and partners put trust in your policies
What if your cloud provider is breached?
- Know your commitments to your:
  - Employees
  - Clients
  - Partners
  - Shareholders/stakeholders
- Reporting
- Remediation
- Compensation/liabilities
- Your clients and partners put trust in your policies
Preparing for a lawful access request
- Your response plan should be specific
- How does it affect your SLAs and agreements?
Rethinking open source solutions
- Momentum is swinging
- Occasional signs of tampering with open source software (e.g. the concerns raised around TrueCrypt)
- The value of peer review must actually be realized: someone has to do the review
- Hosting open source software internally
- Outsourcing open source software operation to a hosting provider?
- http://www.computerweekly.com/feature/open-source-software-security
Wrap up
1. The USA PATRIOT Act and FISA have always been concerns for Canada and European countries
2. Recent revelations show the worst fears realized
3. Businesses should be seriously concerned, not just about their own data and not just about normal hackers
4. Due diligence and risk management can help internally
5. Well-governed open source solutions can help externally
Consider risks in both technical and legal contexts, and remember the less obvious custodians of your data: VISA, Walmart, Future Shop, Yahoo, frequent flyer and bonus programs
Risk = Assets x Vulnerabilities x Threats
Don't forget to fill out a feedback form
Scott Wright, The Streetwise Security Coach
Email: swright@securityperspectives.com
Website: http://www.securityperspectives.com
LinkedIn: http://linkedin/in/scottwright
Twitter: http://twitter.com/streetsec
Podcast: http://socialmediasecurity.com
Phone: 613-859-7800