Legal & technical strategies addressing data risks as security controls shift to the Cloud

David Snead & Nadeem Bukhari
• Issue based
• Proactive
• National implementation

• Sectoral based
• Reactive
• Generally state based
• Narrowly tailored


                   -2-
Legislative and Regulatory Targets

• Breach – both benign and malicious

• Breach notification

• Mitigation

• Security policies

• Contracting parties, third parties and vendors



                                 -3-
• Data governance laws are here to stay
• Expectation that in some format data breach will be extended to cover
  not just telecoms
• General data breach requirements in some EU Member States
  already
• Accountability and transparency principles
• Broad scope of definition of personal data
• Cloud and jurisdictional challenges
• The role of controllers and processors



                               -4-
Sectoral / Country Specific
• Sectoral standards
• Encryption
• Implementation of EU directives

Sectoral
• GLB
• HIPAA / HITECH
• CFAA
• ECPA




                               -5-
Country specific regulation


Data transfer


Disposition of data on termination


Access to data




                    -6-
In what country is the provider located?
Who in the company should be involved?
What should be included in the outsourcing contracts?
What kind of backup / disaster recovery should be considered?
Where is the provider’s infrastructure?
Is special permission needed for outsourcing?
What kind of sensitive information should not be outsourced?
Will other providers be used?
Are appropriate data protection measures in place for all countries?
Where will the data be physically located?
What happens if there is a breach?



                                -7-
Security

•   Define “breach”
•   Determine when a breach happens
•   Assume there will be data breach laws
•   Review any laws that may currently exist
•   Understand who will be responsible for security
•   Create enforceable contract terms
•   Remember post termination issues
•   Understand that you may not be made whole




                            -8-
Vendor has provided Sol Vidro with a copy of its current security policy
(Policy) as it applies to the services to be performed by Vendor pursuant to
this Agreement. Vendor represents and warrants that this security policy
represents best of breed security procedures in its industry. Vendor shall
give Sol Vidro no less than sixty days prior written notice of any changes in
the Policy that impact the services provided to Sol Vidro. Should Sol Vidro
determine that these changes materially impact the security of the
services, Sol Vidro shall have the right to terminate this Agreement. In
such a case, Vendor shall provide reasonable assistance to Sol Vidro to
transition its services to another provider.




                                   -9-
Data Transfer

• How is the data transmitted?
• Understand concepts like:
  controller, processor, transfer and aggregation.
• Limit uses
• Require flow down and flow up contract terms
• Evaluate whether “Safe Harbor” is appropriate
• Create methods to address data leakage


                   - 10 -
Sol Vidro is providing payroll data to Vendor
solely for the purpose of processing the data as
set out in Exhibit A to this Agreement. Vendor
may only provide access to this data to third
parties upon written notice and receipt of Sol
Vidro’s express consent. Sol Vidro’s consent may
be withheld.


                    - 11 -
Disposition of data upon termination

• Review data retention laws
• Specify terms for deletion / transfer
• Set out obligations for security post termination




                 - 12 -
Upon termination or expiration of this Agreement, Vendor shall
delete all data and provide Sol Vidro with written confirmation
of this deletion. Vendor shall also instruct any entities who
have had access to the data to also delete it and provide
Vendor with written certification of this deletion. The security
obligations set out in this Agreement relating to the data shall
survive termination or expiration of this Agreement until such
time as the data is completely deleted by Vendor and/or
Vendor’s suppliers. Vendor shall require this provision, or one
similarly protective of Sol Vidro’s rights in all its contracts with
suppliers or other vendors who provide aspects of the Services.



                              - 13 -
Access to data

• Understand how transmission is outsourced /
  subcontracted
• Review your obligations to provide access to police
• Review your provider’s obligations to provide access
• Research your laws about third party police access
• Set out notification and consent provisions
• Determine your legal obligations to provide access to
  parties in your contracting chain



                      - 14 -
Vendor shall provide Sol Vidro with no less than ten days prior written notice of
any governmental request for access to the data. For the purposes of this
paragraph only, the term “governmental” includes any law enforcement or
similar entity. Should Vendor be prohibited by law from providing this notice,
Vendor shall strictly limit any disclosure of the data to that which is required by
the law and the written document upon which disclosure is based. Under no
circumstances shall Vendor provide access without a written request of
disclosure which cites the law requiring such disclosure. Vendor shall require
this provision, or one similarly protective of Sol Vidro’s rights in all its contracts
with suppliers or other vendors who provide aspects of the Services. Vendor
agrees, upon written request, to provide access, including, but not limited to
transmission, of data provided by Sol Vidro to Vendor.




                                     - 15 -
Do you know where sensitive information resides and how to protect it?

Can you lower costs AND improve your security posture by rationalizing your security?

Can you enforce IT policies and remediate deficiencies?

Can you control who has access to your information?

Do you know how the services will be used?

How does termination affect you?

Have you researched breach notification?

Have you researched high risk regulatory areas?


                                - 16 -
Do things go wrong?

• 2010 - Google engineer broke into the Gmail and Google Voice accounts of several children. Parents of the children complained.
• 2011 - 20 million Gmail accounts hacked, allowing for user information to be gathered.
• ~3 hours of outage affected multiple availability zones in the service's "US East" region. People were shocked by how many web sites and services rely on EC2.
• $9.75 million to settle investigations by 41 state attorneys general. The incident was reported by TJX officials around a month after an extensive fraud had occurred.
• +100's more US public sector org's




                                     - 17 -
Cloud Security Control

[Diagram: who is in control of security at each service layer. Software as a Service (SaaS): the PROVIDER. Platform as a Service (PaaS): control meets at the API. Infrastructure as a Service (IaaS): the USER.]


                            - 18 -
When things go wrong: HR SaaS?


   "Your use of the Service is at your sole risk. The service is provided on an 'as is' and 'as available' basis."
   "You expressly understand and agree that HR SaaS Companyxyz shall not be liable for any direct, indirect...losses...unauthorized access to or alteration of data"




                            - 19 -
Nothing is 100% Secure

[Diagram: SaaS / PaaS / IaaS stack. CLIENT ABC INSTANCE (VM1, VM2) and CLIENT XYZ INSTANCE (VM2, ...), each VM running APP/API over its own OS, all sharing one HYPERVISOR on a host Operating System (Linux, Windows, ...).]

• 60% of Virtual Servers less secure than their physical counterparts (Gartner 2010)
• Yes, Hypervisors Are Vulnerable. (Gartner 2011)



                                                  - 20 -
Audit Log Trends

• "Cyber attacks can get costly if not resolved quickly....companies using SIEM were better able to quickly detect and contain cyber crimes than those companies not using SIEM" (Ponemon 2011)
• "Worldwide revenue for SIEM was $663.3 million in 2008 and is expected to grow to $1.4 billion in 2013" (IDC 2010)
• Audit trail collection, preservation and reporting regulatory and compliance demands e.g. PCI DSS, FISMA, FDA 21 CFR Part 11, EU DRD, SOX, SEC 14a, ISO27001, ...
• "Audit trails / logging issues" top 5 internal / external audit findings. (Deloitte 2011)


                                           - 21 -
(Credit for image: jscreationzs)
Audit Trails Security

• Knowledge of how to change audit trails is in the mainstream - NEVER DELETE THE LOGS!
• NOT near real-time protection: a false sense of security
      "system logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security." ISO27001
• Linux Log Eraser 1.0 - Linux Log Eraser is a set of shell scripts that will cleanly search for specific data in log files and wipe it
• wtmpclean Record Wiper 0.6.7 - wtmpClean is a tool for Unix which clears a given user from the wtmp database



                                                   - 22 -
Digital Evidence Audit Trails

• Digital Evidence
      American Express Travel Related Services Co. Inc. vs Vee Vinhee
      Lorraine v. Markel American Insurance Company
      California v Khaled
• BS10008 - Evidential Weight and Legal Admissibility of Electronic Information
• NIST SP 800-92 - Guide to Computer Security Log Management
      "In cases where logs may be needed as evidence, organizations may wish to acquire copies of the original log files"




                                                 - 23 -
The Depth of Secure Logging: Trust in Untrusted Environments

• M. Bellare and B. Yee - Forward integrity for secure audit logs (1997)
• Bruce Schneier / John Kelsey - Secure Audit Logs to Support Computer Forensics (1999)
• J. Holt - Logcrypt: Forward security and public verification for secure audit logs (2006)
• Rafael Accorsi - Safekeeping Digital Evidence with Secure Logging Protocols: State of the Art and Challenges (2009)
      Transmission Phase - Origin authentication, message confidentiality, message integrity, message uniqueness, reliable delivery
      Storage Phase - Entry accountability, entry integrity, entry confidentiality
• Jeff Jonas (IBM Chief Scientist) / Markle Foundation - Implementing a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Trust, and Accountability (2006)
      "Immutable audit logs (IALs) will be a critical component for the information sharing environment"

[Diagram: MAC chain. The first entry's #MAC covers DATA + Metadata; every later entry's #MAC covers the previous #MAC together with its own DATA + Metadata, and so on ...]

                                                        - 24 -
Implement and insist on secure audit logs?

[Diagram: the same SaaS / PaaS / IaaS stack as before. CLIENT ABC INSTANCE (VM1, VM2) and CLIENT XYZ INSTANCE (VM2, ...), each VM running APP/API over its own OS, all sharing one HYPERVISOR on a host Operating System (Linux, Windows, ...).]




                                    - 25 -
Secure Logging

• SaaS users are at the mercy of the service provider's contracts
• PaaS users should ensure audit event logging and preservation capabilities are built into the applications.
• IaaS users should deploy audit log collection, analysis and preservation tools.
      Collect logs from firewalls, monitoring systems, applications, databases, operating systems
      Ensure delivery of logs cannot be spoofed
      Ensure audit log time cannot be refuted
      Protect the integrity of the data as soon as you can. Use cryptographic data integrity tools
      Remember to comply with data retention legislation... i.e. securely delete the data.
      Consider complying with BS10008 Evidential Weight and legal admissibility of information stored
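The "cryptographic data integrity tools" point above and the forward-integrity / MAC-chain designs cited on the secure logging slide (Bellare and Yee; Schneier and Kelsey) can be shown in a few dozen lines. This is an added example, not code from the slides or from any of the cited papers: the logger keeps a key that is evolved one-way after every entry, each entry's MAC also covers the previous entry's MAC, and a verifier holding the initial key and an out-of-band checkpoint detects modification, deletion, reordering and tail truncation. The key, hostname and event lines are constructed.

```python
import copy
import hashlib
import hmac
import json

CHAIN_ANCHOR = b"\x00" * 32  # stands in for the "previous MAC" of the first entry


def canonical(seq, data, metadata, prev_mac):
    """Deterministic byte encoding of everything the entry MAC must cover."""
    fields = {"seq": seq, "data": data, "meta": metadata, "prev": prev_mac.hex()}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def evolve(key):
    """One-way key update K_{i+1} = H(K_i). A host compromised after entry i
    holds K_{i+1} but cannot recover K_i, so earlier entries cannot be re-MACed."""
    return hashlib.sha256(b"forward-integrity key update|" + key).digest()


class ForwardSecureLog:
    """Logger side. Keeps only the current key and the last MAC of the chain."""

    def __init__(self, initial_key):
        self._key = initial_key
        self._prev_mac = CHAIN_ANCHOR
        self.entries = []

    def append(self, data, metadata):
        seq = len(self.entries)
        record = canonical(seq, data, metadata, self._prev_mac)
        mac = hmac.new(self._key, record, hashlib.sha256).digest()
        self.entries.append({"seq": seq, "data": data, "meta": metadata, "mac": mac.hex()})
        self._prev_mac = mac
        self._key = evolve(self._key)  # discard the key that authenticated this entry
        return mac

    def checkpoint(self):
        """Latest chain MAC; sent out-of-band to the verifier so tail truncation shows."""
        return self._prev_mac


def verify(entries, initial_key, checkpoint=None):
    """Verifier side (e.g. a remote log server that shared K_0 at setup).
    Returns (True, None) if the chain is intact, else (False, first_bad_seq)."""
    key, prev = initial_key, CHAIN_ANCHOR
    for i, entry in enumerate(entries):
        record = canonical(i, entry["data"], entry["meta"], prev)
        expected = hmac.new(key, record, hashlib.sha256).digest()
        if entry["seq"] != i or not hmac.compare_digest(expected, bytes.fromhex(entry["mac"])):
            return False, i  # modified, reordered, inserted or deleted entry
        prev, key = expected, evolve(key)
    if checkpoint is not None and not hmac.compare_digest(prev, checkpoint):
        return False, len(entries)  # entries removed from the tail
    return True, None


def demo():
    """Constructed events; returns what the verifier reports for each tampering attempt."""
    k0 = hashlib.sha256(b"constructed demo key shared with the verifier").digest()
    log = ForwardSecureLog(k0)
    events = [  # constructed sample audit events
        (1700000001, "login user=alice src=10.0.0.5"),
        (1700000002, "sudo user=alice cmd=/bin/sh"),
        (1700000003, "logout user=alice"),
    ]
    for ts, line in events:
        log.append(line, {"ts": ts, "host": "web01"})
    cp = log.checkpoint()

    tampered = copy.deepcopy(log.entries)
    tampered[1]["data"] = "login user=alice src=10.0.0.5"  # attempt to hide the sudo
    deleted = copy.deepcopy(log.entries)
    del deleted[1]  # attempt to drop the sudo entry
    truncated = log.entries[:2]  # attempt to drop the newest entry
    return {
        "intact": verify(log.entries, k0, cp),
        "tampered": verify(tampered, k0, cp),
        "deleted": verify(deleted, k0, cp),
        "truncated": verify(truncated, k0, cp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The timestamps in the metadata are authenticated, but only as trustworthy as the logger's clock; making log time non-refutable additionally needs a time source the verifier trusts, such as the verifier recording when each checkpoint arrived.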
                                            - 26 -
For the Pen Testers

• Include testing of audit logs, monitoring systems and incident response in your proposals
• Be stealthy, turn off auditing systems, change audit logs, note response times...
• Include secure logging remediation in your reports

Access Controls and Encryption are not data integrity controls
                          - 27 -

 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsSource Conference
 

Mais de Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 
Keynote
KeynoteKeynote
Keynote
 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet Blacklists
 

Último

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Último (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Legal/technical strategies addressing data risks as perimeter shifts to Cloud

1. Legal & technical strategies addressing data risks as security controls shift to the Cloud
   David Snead & Nadeem Bukhari

2. (slide has two columns)
   Left column:
   • Issue based
   • Proactive
   • National implementation
   Right column:
   • Sectoral based
   • Reactive
   • Generally state based
   • Narrowly tailored

3. Legislative and Regulatory Targets
   • Breach – both benign and malicious
   • Breach notification
   • Mitigation
   • Security policies
   • Contracting parties, third parties and vendors

4.
   • Data governance laws are here to stay
   • Expectation that in some format data breach will be extended to cover not just telecoms
   • General data breach requirements in some EU Member States already
   • Accountability and transparency principles
   • Broad scope of definition of personal data
   • Cloud and jurisdictional challenges
   • The role of controllers and processors

5. Sectoral / Country Specific
   • Sectoral standards
   • Encryption
   • Implementation of EU directives
   Sectoral
   • GLB
   • HIPAA / HITECH
   • CFAA
   • ECPA

6.
   Country specific regulation
   Data transfer
   Disposition of data on termination
   Access to data

7.
   • In what country is the provider located?
   • Who in the company should be involved?
   • What should be included in the outsourcing contracts?
   • What kind of backup / disaster recovery should be considered?
   • Where is the provider’s infrastructure?
   • Is special permission needed for outsourcing?
   • What kind of sensitive information should not be outsourced?
   • Will other providers be used?
   • Are appropriate data protection measures in place for all countries?
   • Where will the data be physically located?
   • What happens if there is a breach?
8. Security
   • Define “breach”
   • Determine when a breach happens
   • Assume there will be data breach laws
   • Review any laws that may currently exist
   • Understand who will be responsible for security
   • Create enforceable contract terms
   • Remember post termination issues
   • Understand that you may not be made whole

9.
   Vendor has provided Sol Vidro with a copy of its current security policy (Policy) as it applies to the services to be performed by Vendor pursuant to this Agreement. Vendor represents and warrants that this security policy represents best of breed security procedures in its industry. Vendor shall give Sol Vidro no less than sixty days prior written notice of any changes in the Policy that impact the services provided to Sol Vidro. Should Sol Vidro determine that these changes materially impact the security of the services, Sol Vidro shall have the right to terminate this Agreement. In such a case, Vendor shall provide reasonable assistance to Sol Vidro to transition its services to another provider.
10. Data Transfer
   • How is the data transmitted?
   • Understand concepts like: controller, processor, transfer and aggregation.
   • Limit uses
   • Require flow down and flow up contract terms
   • Evaluate whether “Safe Harbor” is appropriate
   • Create methods to address data leakage

11.
   Sol Vidro is providing payroll data to Vendor solely for the purpose of processing the data as set out in Exhibit A to this Agreement. Vendor may only provide access to this data to third parties upon written notice and receipt of Sol Vidro’s express consent. Sol Vidro’s consent may be withheld.

12. Disposition of data upon termination
   • Review data retention laws
   • Specify terms for deletion / transfer
   • Set out obligations for security post termination

13.
   Upon termination or expiration of this Agreement, Vendor shall delete all data and provide Sol Vidro with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor’s suppliers. Vendor shall require this provision, or one similarly protective of Sol Vidro’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.

14. Access to data
   • Understand how transmission is outsourced / subcontracted
   • Review your obligations to provide access to police
   • Review your provider’s obligations to provide access
   • Research your laws about third party police access
   • Set out notification and consent provisions
   • Determine your legal obligations to provide access to parties in your contracting chain

15.
   Vendor shall provide Sol Vidro with no less than ten days prior written notice of any governmental request for access to the data. For the purposes of this paragraph only, the term “governmental” includes any law enforcement or similar entity. Should Vendor be prohibited by law from providing this notice, Vendor shall strictly limit any disclosure of the data to that which is required by the law and the written document upon which disclosure is based. Under no circumstances shall Vendor provide access without a written request of disclosure which cites the law requiring such disclosure. Vendor shall require this provision, or one similarly protective of Sol Vidro’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services. Vendor agrees, upon written request, to provide access, including, but not limited to, transmission of data provided by Sol Vidro to Vendor.
16.
   • Do you know where sensitive information resides and how to protect it?
   • Can you lower costs AND improve your security posture by rationalizing your security?
   • Can you enforce IT policies and remediate deficiencies?
   • Can you control who has access to your information?
   • Do you know how the services will be used?
   • How does termination affect you?
   • Have you researched breach notification?
   • Have you researched high risk regulatory areas?

17. Do things go wrong?
   • 2010 - Google engineer broke into the Gmail and Google Voice accounts of several children. Parents of the children complained.
   • 2011 - 20 million Gmail accounts hacked, allowing for user information to be gathered.
   • ~3 hours of outage affected multiple availability zones in the service's "US East" region. People were shocked by how many web sites and services rely on EC2.
   • $9.75 million to settle investigations by 41 state attorneys general. The incident was reported by TJX officials around a month after an extensive fraud had occurred.
   • +100's more US public sector org's

18. Cloud Security Control
   (Diagram: who is in control of security at each layer. Software as a Service (SaaS): PROVIDER. Platform as a Service (PaaS): API. Infrastructure as a Service (IaaS): USER.)

19. When things go wrong: HR SaaS?
   "Your use of the Service is at your sole risk. The service is provided on an ‘as is’ and ‘as available’ basis."
   "You expressly understand and agree that HR SaaS Companyxyz shall not be liable for any direct, indirect...losses...unauthorized access to or alteration of data"

20. Nothing is 100% Secure
   (Diagram: CLIENT ABC INSTANCE and CLIENT XYZ INSTANCE as VMs (VM1, VM2, ...) on one HYPERVISOR over the host Operating System (Linux, Windows...); the SaaS, PaaS and IaaS layers map to APP/API, OS and hypervisor respectively.)
   • 60% of virtual servers less secure than their physical counterparts (Gartner 2010)
   • Yes, Hypervisors Are Vulnerable. (Gartner 2011)
21. Audit Log Trends
   • “Cyber attacks can get costly if not resolved quickly….companies using SIEM were better able to quickly detect and contain cyber crimes than those companies not using SIEM” (Ponemon 2011)
   • “Worldwide revenue for SIEM was $663.3 million in 2008 and is expected to grow to $1.4 billion in 2013” (IDC 2010)
   • Audit trail collection, preservation and reporting: regulatory and compliance demands, e.g. PCI DSS, FISMA, FDA 21 CFR Part 11, EU DRD, SoX, SEC 14a, ISO27001, ...
   • “Audit trails / logging issues” among the top 5 internal / external audit findings (Deloitte 2011)
   Credit for image: jscreationzs

22. Audit Trails Security
   • Knowledge of how to change audit trails is in the mainstream - NEVER DELETE THE LOGS!
   • NOT near real-time protection: a false sense of security
   • “system logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security.” (ISO27001)
   • Linux Log Eraser 1.0 - Linux Log Eraser is a set of shell scripts that will cleanly search for specific data in log files and wipe it; wtmpclean Record Wiper 0.6.7 - wtmpClean is a tool for Unix which clears a given user from the wtmp database; http://www.logwiper.biz; bowz4p.c, chusr.c, cloak.c, cloak2.c, displant.c, gh0st.sh, invisible.c, lastlogin.c, logcloak.c, logrzap2.c, logsunwtmptmp.c, logutmpeditor.c, logwedit.c, logzap2.c, marryv11.c, mme.c, pimpslap.c, remove.c, rclean.c, sysfog.c, utcl.c, vanish.c, vanish2.tgz, wipe-1.00.tgz, wzap.c, zap.c, zap2.c

23. Digital Evidence Audit Trails
   • Digital Evidence
      • American Express Travel Related Services Co. Inc. vs Vee Vinhee
      • Lorraine v. Markel American Insurance Company
      • California v Khaled
   • BS10008 – Evidential Weight and Legal Admissibility of Electronic Information
   • NIST SP 800-92 - Guide to Computer Security Log Management
      “In cases where logs may be needed as evidence, organizations may wish to acquire copies of the original log files”

24. The Depth of Secure Logging: Trust in Untrusted Environments
   (Diagram: a chain of log entries, each shown as #MAC DATA + Metadata = #MAC, repeated entry after entry with the previous #MAC carried into the next.)
   • M. Bellare and B. Yee – Forward integrity for secure audit logs (1997)
   • Bruce Schneier / John Kelsey - Secure Audit Logs to Support Computer Forensics (1999)
   • J. Holt – Logcrypt: Forward security and public verification for secure audit logs (2006)
   • Rafael Accorsi – Safekeeping Digital Evidence with Secure Logging Protocols: State of the Art and Challenges (2009)
      • Transmission Phase - origin authentication, message confidentiality, message integrity, message uniqueness, reliable delivery
      • Storage Phase - entry accountability, entry integrity, entry confidentiality
   • Jeff Jonas (IBM Chief Scientist) / Markle Foundation - Implementing a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Trust, and Accountability (2006)
      “Immutable audit logs (IALs) will be a critical component for the information sharing environment”

25. Implement and insist on secure audit logs?
   (Diagram, as on slide 20: CLIENT ABC INSTANCE and CLIENT XYZ INSTANCE as VMs (VM1, VM2, ...) on one HYPERVISOR over the host Operating System (Linux, Windows...); SaaS, PaaS and IaaS map to APP/API, OS and hypervisor.)
26. Secure Logging
   • SaaS users are at the mercy of the service provider's contracts
   • PaaS users should ensure audit event logging and preservation capabilities are built into the applications.
   • IaaS users should deploy audit log collection, analysis and preservation tools.
   • Collect logs from firewalls, monitoring systems, applications, databases, operating systems
   • Ensure delivery of logs cannot be spoofed
   • Ensure audit log time cannot be refuted
   • Protect the integrity of the data as soon as you can. Use cryptographic data integrity tools
   • Remember to comply with data retention legislation... i.e. securely delete the data.
   • Consider complying with BS10008 Evidential Weight and legal admissibility of information stored
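As an added example (not from the slides, and a deliberate simplification of the Bellare-Yee and Schneier-Kelsey schemes cited on slide 24 rather than either paper's exact construction): a forward-secure, MAC-chained audit log of the kind slide 26 asks for, showing why an edit, a deletion or a truncation by a log-wiping tool is detectable once the initial key and a periodic checkpoint live off the logging host. The key-evolution function, JSON encoding and sample events are my constructions.

```python
"""Toy forward-secure, chained audit log: an added example in the spirit of the
Bellare-Yee / Schneier-Kelsey schemes, not either paper's exact construction.
Entry i is HMACed under epoch key K_i; the logger then sets K_{i+1} = H(K_i) and
discards K_i, so an intruder who later compromises the host cannot re-MAC older
entries. Each MAC also covers the previous entry's MAC, so deleting or reordering
entries breaks the chain. The verifier holds K_0 off the logging host.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

def _evolve(key: bytes) -> bytes:
    # One-way key update K_{i+1} = SHA-256("evolve|" || K_i): K_i is not recoverable.
    return hashlib.sha256(b"evolve|" + key).digest()

def _entry_mac(key: bytes, seq: int, prev_mac: str, meta: dict, data: str) -> str:
    # Canonical JSON so logger and verifier MAC byte-identical input.
    msg = json.dumps([seq, prev_mac, meta, data], sort_keys=True,
                     separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SecureLogger:
    """Writer side: runs on the untrusted host and only ever holds the current key."""

    def __init__(self, k0: bytes):
        self._key = k0
        self._seq = 0
        self._prev_mac = ""
        self.entries = []          # stands in for the on-disk log file

    def append(self, data: str, meta: dict) -> dict:
        mac = _entry_mac(self._key, self._seq, self._prev_mac, meta, data)
        entry = {"seq": self._seq, "prev": self._prev_mac, "meta": meta,
                 "data": data, "mac": mac}
        self.entries.append(entry)
        self._prev_mac = mac
        self._seq += 1
        self._key = _evolve(self._key)   # forget K_i: this is the forward security
        return entry

    def checkpoint(self) -> str:
        """Latest MAC; shipped off-host periodically so tail truncation is detectable."""
        return self._prev_mac

    def current_key(self) -> bytes:
        """What an intruder gets by reading the host's memory after the fact."""
        return self._key

def verify_log(k0: bytes, entries: list, checkpoint: Optional[str] = None) -> Tuple[bool, str]:
    """Verifier side: recompute keys and MACs from K_0; report the first problem found."""
    key, prev = k0, ""
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain broken at entry {i} (deleted or reordered entry)"
        expected = _entry_mac(key, i, prev, e["meta"], e["data"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False, f"entry {i} modified"
        prev, key = e["mac"], _evolve(key)
    if checkpoint is not None and prev != checkpoint:
        return False, "log truncated: last MAC does not match checkpoint"
    return True, "ok"

def demo() -> dict:
    """Constructed sample log (not real data) plus the tampering cases the slides warn about."""
    k0 = b"constructed-initial-key-held-by-verifier"
    log = SecureLogger(k0)
    log.append("login ok user=payroll-admin src=10.0.0.5", {"ts": "2011-05-01T09:00:00Z", "host": "vm1"})
    log.append("export payroll_q2.csv rows=1200", {"ts": "2011-05-01T09:03:10Z", "host": "vm1"})
    log.append("logout user=payroll-admin", {"ts": "2011-05-01T09:05:42Z", "host": "vm1"})
    cp = log.checkpoint()
    results = {"clean": verify_log(k0, log.entries, cp)}
    # 1. Edit the export record in place (what a log-editing tool does).
    edited = [dict(e) for e in log.entries]
    edited[1]["data"] = "export payroll_q2.csv rows=12"
    results["edited"] = verify_log(k0, edited, cp)
    # 2. Delete the export record and renumber to hide the gap.
    deleted = [dict(e) for e in log.entries if e["seq"] != 1]
    deleted[1]["seq"] = 1
    results["deleted"] = verify_log(k0, deleted, cp)
    # 3. Truncate the tail: only the checkpoint held off-host reveals it.
    results["truncated_no_cp"] = verify_log(k0, log.entries[:2])
    results["truncated_cp"] = verify_log(k0, log.entries[:2], cp)
    # 4. Intruder re-MACs the edited entry with the host's current key; K_1 is gone.
    forged = [dict(e) for e in edited]
    forged[1]["mac"] = _entry_mac(log.current_key(), 1, forged[1]["prev"],
                                  forged[1]["meta"], forged[1]["data"])
    results["forged_with_later_key"] = verify_log(k0, forged, cp)
    return results

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22s} -> {'PASS' if ok else 'FAIL'}: {why}")
```

The truncation case shows the limit of the chain on its own: a log cut cleanly after a valid entry still verifies, which is why the checkpoint (or a periodic hand-off to a trusted party, as Schneier-Kelsey do) has to leave the host.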
27. For the Pen Testers
   • Include testing of audit logs, monitoring systems and incident response in your proposals
   • Be stealthy, turn off auditing systems, change audit logs, note response times…
   • Include secure logging remediation in your reports
   Access Controls and Encryption are not data integrity controls