Slide 1: Cyber Security and Cloud Infrastructure as a Service (IaaS) – Legal & Regulatory (HP version V 2.1)
David Spinks, March 2011
©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Slide 2: Into the (Cloud) Future with HP
[Diagram of HP sourcing models; recoverable labels: Services ecosystem, Agility, Systems integration, Technology island, Advanced cloud, Traditional configured services, Enterprise cloud services, Managed hosting, Utility services, Automated hosting, Sourcing models]

Slide 3: ABC of Cloud Security, Legal and Regulatory
- A: Acceptance of standard security policies and procedures
- B: Better be prepared to compromise, yet aware of potential legal issues
- C: Contracts ... review at an early stage to provide an understanding of what the gaps might be.

Slide 5: Acceptance and Compromise
- Single security policy and procedures
- Shared set of internal controls
- Shared independent assurance
- No physical rights of access
- Little or no flexibility on RTO/RPO
- Access to log files
- Limited security reporting

Slide 6: Better be prepared
- Legal disclosure

Slide 7: Better be prepared
BSI BIP 0008 is a code of practice that provides guidance to ensure, as far as possible, that electronic documents and scanned images will be accepted as evidence by the courts.
http://www.thecabinetoffice.co.uk/page28.html

Slide 8: C - Contracts
Advice from e-discovery process standards (The Electronic Discovery Reference Model), section 3.9, Cloud Computing or Third-Party Systems:

"It has become increasingly popular to store data in locations away from the primary business for security, cost-efficiency or disaster recovery purposes. These sources should be identified if they house data potentially relevant to the dispute. Examples of this include cloud computing, SaaS, off-site company storage facilities, co-location data centres, third party data warehousing, or third party tape storage (i.e., Iron Mountain, Recall, etc.). If a cloud solution is being utilized to store potentially relevant information you will likely need to put a 3rd party hold in place. Additionally you should interview the 3rd party provider to identify where and how the data is stored. 3rd party providers are likely to have back-ups of the data so it is important to ask about retention and rotation of back-ups. You should also ask what their policy is for swapping out servers. You may find out that there is an old server sitting around that contains relevant data. Another area to consider is whether the potentially relevant information is commingled with any other data. Finally, ask where the servers are located. This information will identify if there are any challenges in collecting data from another country."

Slide 9: C - Contracts
- Ask for examples of independent assurance reports
- Speak to independent auditors
- Seek client references
- Copy of BCP and IT DR plans and plan tests (are these also in scope for assurance audits?)
- Copies of ISO 27001 certificate
- Details of SAS 70 internal controls
- Copy of BS25999 certificate
- Copy of ISO 20000 certificate
- Copy of ISO 14000 certificate
- Check the scope!

Slide 10: So what are the cloud security hot buttons?
- Identity and access management: need to get this working anyway!
- Business continuity and IT DR: acceptance of standard RTO and RPO.
- Encryption (key management) will be a client responsibility; this issue is related to IdM!
- Flexibility in contracts, and please kill off the "old school" purchasing and contracts departments!

Slide 11: Solutions and Best Practice:

Slide 12: Conclusions
- Flexibility required
- Ensure you are prepared
- Examine contracts
- Cloud is immature and experiences are limited
- Legal and regulatory issues (e-Discovery: jury is still out!)
- Watch this space ....

Slide 13: Finally
David.spinks@hp.com
http://www.cloudsecurityalliance.org/
http://www.hp.com/hpinfo/newsroom/press/2009/090331xa.html
Q and A
