3. Lessons from risk assessment
• Important
– implementation of a security management system
– compliance issues
– In Japan, legal issues are not disputed as such an important issue.
• MIC (Ministry of Internal Affairs and Communications) “Smart Cloud Research Committee” report
• METI “Japan’s competitiveness and cloud computing Research Committee” report
4. Analysis of compliance issues
• Within one country boundary
– Governance issues
– Data Protection Law/Information Security Law
– International standards
– General Information Security Issues
– Controls of Information security
• International elements (transborder issues)
– Four rules
• Complexities in civil cases
• Access authority and territorial nature
• Prohibition of transborder data flow by sovereign
• Difficulties of law enforcement
5. Inbound-(1) Loss of governance
• The customer’s information security is strongly influenced by the CSP on many issues
– Conflict with the CSP’s policy on security testing
– No guarantee regarding outsourcing to sub-contractors
– Difficulties in audit and assessment
6. Inbound-(2) Compliance risk
• In the US
– FISMA, HIPAA, SOX, PCI-DSS, SAS 70
• In Japan
– Personal Information Protection Law
– Information Security law (case)
– International standards
– General information security issues
7. Inbound-(2)-A Personal Information Protection Law Issue
• Data may be processed by an external party (SPI model)
– Issues when data is handled by an external party
• Depending on the model
– In some models, data is located at the user’s site and processed by an external provider.
– (Japan) Personal Information Protection Law, Article 22
• “Data processor shall exercise necessary and appropriate supervision to the external contractor”
• “necessary and appropriate supervision”
• Guidelines
– Criteria to choose the third party
– Periodically review the standards
– The agreement shall mention security measures
– Services, reports and records shall be regularly monitored and reviewed
– Data lifecycle management
• Erase after termination
8. Inbound-(2)-B Information Security Law
• Litigation for compensation based on privacy
– US law v. Japan law
• Japan
– Yahoo BB case (Osaka High Court judgment, June 21, 2007), TBC case (Tokyo District Court, Feb. 8, 2007)
– Compensation: 50 dollars per person
• US law - Twitter case
– Data leakage in January and April 2009
– The FTC ordered the data processor to implement an information security management system (FTC Act)
– No monetary compensation
• Notification law to the data subject
– The Security Breach Information Act (S.B. 1386)
– EU directives
– “Basic policy about protection of personal information” (April 2, 2004 Cabinet decision) and guidelines issued by Ministries
9. Inbound-(2)-C International Standard
• “CSA Cloud Controls Matrix V1”
– Control areas
• “Compliance”, “Data governance”, “Facility security”, “Human resources management”, “Information security”, “Legal”, “Operation Management”, “Risk assessment”, “Resiliency”, “Security Architecture”
– Controls discussed for each SPI model
• Standards and laws
– COBIT (Control Objectives for Information and related Technology)
– HIPAA (Health Insurance Portability and Accountability Act)
– ISO/IEC 27002:2005
– NIST SP 800-53
– PCI DSS
10. Inbound-(2)-D General information security issues
• Network security issues
– DDoS, targeted attacks, others
• Business health of cloud service providers
– Search and seizure against Core IP Networks (later)
• Virtualization technology issues
– Side channel attacks
– Huge damage if the virtual machine monitor is compromised
– Attacks on vulnerabilities of the virtual machine
– Physical errors may enable attacks
– Attacks exploiting cache sharing and the predictability of memory
11. Additional - Core IP Networks case
• March and April 2009
– The FBI conducted search and seizure against data centers located in Texas (Crydon Technology & Core IP Networks)
• Seized servers and routers under a no-knock warrant.
• Damage to co-tenant users
– “Damage caused by the Patriot Act” (as reported in Japan) or “Care about the business health of the CSP”
• “FBI Defends Disruptive Raids on Texas Data Centers” (http://www.wired.com/threatlevel/2009/04/data-centers-ra/)
• “a number of conspirators, some of who may have connections to Faulkner, conspired to obtain agreements from AT&T and Verizon to purchase connectivity services with the telecoms.”
• Lessons from the SJG case (DOJ “Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations”, 3rd ed., 2009)
12. Inbound-(2)-E Internal control
• Cloud control from the aspect of risk management
– Management of third-party contracts
– Auditors shall assess whether the business exercises supervision properly when it asks an external party to process information relating to financial reports.
• How to control the CSP’s information security management level?
• How to monitor the CSP’s security management activities?
• How to choose a CSP? Criteria?
• Investor relations and cloud computing
– Business report
– Internal control report
– Securities report
13. Inbound-(3) Cloud Forensics
• Subpoena / e-discovery
– In common law countries, parties shall put their “cards face up on the table” in litigation.
– Is it possible to prove that the data stored in the cloud is complete and nothing is hidden?
• Forensic issues
– Transparency needed (tracing past data transitions)
– The business shall produce data stored in the cloud while proving that such data is complete and nothing is hidden.
14. Transborder Issues
• What laws are applied?
– Basic example
• WikiLeaks case
– Elements
• Who
• Where
• What (nature)
– Four rules
• Complexities in Civil case
• Access authority and territorial nature
• Prohibition of transborder data flow by sovereign
• Difficulties of Law enforcement
15. Transborder-(1) Example: WikiLeaks case
– Julian Paul Assange
• Manager of the WikiLeaks site, revealing confidential information
• No definite address (house in Iceland)
• Server located in Sweden
• Data located all over the world
– Confidential information revealed: more than 75000
• July 25, 2010
• Including US Army and intelligence agency information
• Violation of federal law
• Where
• What kind of issue
16. Transborder-(2) Elements considered
• Where
– Principles of law differ in each country
• Who
– The territorial principle is strictly applied to the nation’s enforcement nature.
• Nature of legal issue
– Criminal law (territorial principle, nationality principle, protective principle)
– Civil law (international private law (JP) v. revolution of conflicts of law (US))
– Public law (not only administrative law but also laws of a public nature)
17. Transborder-(3) Four rules
• R1 - Even in civil cases, there are many complexities about the application of law.
• R2 - The laws of a country able to access stored data may be applied even if the parties’ contract specifies the applicable law.
• R3 - A sovereign state may prohibit transborder data flow outside its jurisdiction by the use of sovereignty.
• R4 - If the data administrator is located outside the jurisdiction, it is very difficult to enforce a legal request.
18. Transborder-(3) - Rule 1
• R1 - Even in civil cases, there are many complexities about the application of law.
• Example
– (1) Personal data of an information subject (living in Japan) is processed by a data controller (a business located in Japan). The data controller uses a cloud service (SaaS) by which data is stored in a US data center and managed in the US.
– (2) The data center was negligent and data leaked from the data center.
– (3) The information subject filed litigation against the data controller and the data center.
• In Japan (compensatory damages permissible)
• In the US (compensatory damages not permissible)
• Enforcement of a foreign judgment?
19. Transborder-(3) - Rule 2
• R2 - The laws of a country which can access stored data may be applied even if the parties’ contract specifies the applicable law
– Legal access by a law enforcement agency
• In Japan, the LEA must get a warrant even for traffic data
• In the US, a distinction is made between traffic data and contents; no-knock warrants
– e-Discovery in civil cases
• If a disclosure order conflicts with a protective legal duty in the original country, what shall we do?
– Marc Rich case
» US: Marc Rich was paying contempt-of-court fines for not turning over certain documents
» Switzerland: the documents should not be produced
20. Transborder-(3)-3 Prohibition of transborder data flow by sovereign
• R3 - A sovereign state may prohibit transborder data flow outside its jurisdiction by the use of sovereignty
– (1) Data protection law
– (2) Administrative supervision
– (3) National security
21. Transborder-(3)-3 Prohibition of transborder data flow by sovereign
1 - Data protection
• Personal data cannot flow from the 27 EU member states and the three EEA member countries (Norway, Liechtenstein and Iceland) to a third country if that third country does not provide an adequate level of data protection
• Adequate level of protection
– Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, Isle of Man, Jersey, US (Air Passenger Name Records, Safe Harbor)
– http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm
» Nov. 7, 2010
22. Transborder-(3)-3 Prohibition of transborder data flow by sovereign
2 - Administrative supervision
• An administrative agency may restrict transborder data flow to the area under its reasonable administrative supervision.
– (JP) “Guideline about Medical Information Systems’ information security management” ver. 4.1 (Feb. 2010), issued by the Ministry of Health, Labour and Welfare
• “Security Management Guideline when ASP/SaaS providers handle Medical Information”, issued by the Ministry of Internal Affairs and Communications
– Table 3-8 Requirements for ASP/SaaS providers in emergency response such as disasters
– “Provider shall locate application, platform, server and storage in the place which national law may apply in order to produce legally requested references to the agency smoothly.”
23. Transborder-(3)-3 Prohibition of transborder data flow by sovereign
3 - National security
– Foreign Exchange and Foreign Trade Act (Article 25)
• “shall obtain, pursuant to the provisions of Cabinet Order, permission from the Minister of Economy, Trade and Industry”
– for those considered to undermine the maintenance of international peace and security
– Article 25, Section 3: “METI may request him/her to obtain permission for electronic communication to be received in a specified country”
• Cyber espionage (economic spying in the network)
– Big issue
– (JP) The Japanese government processed residents’ information for the Supplementary Income Payments (Teigaku-Kyufukin) using Salesforce.
– We do not know where such residents’ data was processed.
24. Transborder - Rule 4 Difficulties of law enforcement
• R4 - If the data administrator is located outside the jurisdiction, it is very difficult to enforce a legal request.
– Example: WikiLeaks case
• Criminal: international cooperation framework
• Dual criminality is needed for the international cooperation framework
• Federal code: national secrecy protection
– Difficult to enforce
– Even an injunction
» The UK could not get an injunction in Australia or New Zealand (Spycatcher case)
27. Cloud computing & PDCA
[Diagram: PDCA cycle - Plan, Do, Check, Action]
• Procedure
– Integrate cloud computing security, business continuity and disaster recovery into the customer’s own policy and procedures. (Guidance 1.0 p. 58)
29. Controls
• Risks are caused by uncertainty (risks and uncertainty)
• Avoiding, reducing, sharing, accepting
• Reducing, sharing (technology, fair agreement)
– Evaluation of subject and vendor selection
– Evaluation of technology and vendor selection
– Risk sharing by agreement with vendors
[Diagram: Risks (risks, uncertainty) and Trust, supported by Subject, Tech. and Fair agreement]
30. Evaluation of subject and vendor selection
• Who (subject), what services (kind), how much (cost), how good (quality)
• Objective evaluation
• References
– “CSA Cloud Controls Matrix V1”
• Control areas: “Compliance”, “Data governance”, “Facility security”, “Human resources management”, “Information security”, “Legal”, “Operation Management”, “Risk assessment”, “Resiliency”, “Security Architecture”
• Controls discussed for each SPI model
31. Cloud Service Provider
• Guideline on standards for choosing external parties
– Service subject (service provider)
• Financial health
• Reputation in the market
• Information security management
• Members of the board of directors
• Evaluation of past performance
• List of third parties, their roles, responsibilities and interface information
– Risk management
• Assessment of the provider’s risk level
• Assessment of the provider’s information management policy
• Review of procedures and processes
• Business continuity plan
• Attitude toward compliance, possibility of data life cycle management, insurance against information loss
32. Objective evaluation-accountability
• Contracts are not your only governance tool but should encompass the broad due diligence required of a cloud provider. (CSA Guidance p. 15)
• Due Diligence
– Domains
• Service provider
• Type of service
• Condition of service
• Service level agreement
33. Who - how to control the cloud service provider
• Legal control
– Effectiveness of the SLA (control the provider by legal agreement)
• Data isolation
• Data access by the provider
• Article on technical measures
• Ownership of data
• Monitoring rights
• Compliance
• Ensuring smooth termination
– Data access after termination
– Transfer of data to another platform
34. Controls
• After assessment of risks and choice of service, controls should be implemented and monitored/audited properly.
– Do not forget, the security of the cloud computing environment isn’t mutually exclusive of your organization’s internal policies, procedures, standards, guidelines and processes. (G p. 46)
• Definition and documentation as a first step: how data is stored, processed, accessed and managed.
• Ensure that the cloud service provider implements, operates and maintains controls properly
– A SAS 70 report is helpful.
35. Technology controls
• Traditional issues
– Encryption
– Key management
– Identity management
– Application security, etc.
• Model selection
[Table: deployment model vs. service model]
                 IaaS        PaaS        SaaS
Private cloud    User’s responsibility
Hybrid cloud
Public cloud     Risks such as data isolation and leakage
36. Process to choose controls
• Reduce risks of identified information assets
• Completing the risk control matrix
• Approval of residual risks
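The control-selection process above (slide 36), combined with the treatment options on slide 29 (avoiding, reducing, sharing, accepting), as a worked risk control matrix. This is an added example, not code from the original deck; the 1-5 scoring scale, the reduction fractions, the risk appetite and the sample register entries are all assumptions.

```python
from dataclasses import dataclass

# Risk treatment options listed on slide 29 (scoring scale below is assumed)
TREATMENTS = {"avoid", "reduce", "share", "accept"}

@dataclass
class Risk:
    asset: str              # identified information asset
    threat: str             # e.g. leakage via weak data isolation (slide 35)
    likelihood: int         # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # 1 (minor) .. 5 (severe), assumed scale
    treatment: str          # avoid / reduce / share / accept
    control: str = ""       # technology control (reduce) or SLA clause (share)
    reduction: float = 0.0  # fraction of inherent risk the control removes

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment: {self.treatment}")
        if self.treatment == "avoid":
            return 0.0                   # activity dropped, risk eliminated
        if self.treatment == "accept":
            return float(self.inherent)  # nothing done, must be approved as-is
        return self.inherent * (1 - self.reduction)  # reduce or share

def needs_approval(register, appetite: float):
    """Residual risks above the appetite need explicit sign-off (slide 36)."""
    return [r for r in register if r.residual > appetite]

# Constructed sample register for a SaaS deployment that holds personal data
REGISTER = [
    Risk("customer PII", "leakage via weak tenant isolation", 3, 5,
         "reduce", "customer-managed encryption keys", 0.6),
    Risk("customer PII", "provider staff access to plaintext data", 2, 5,
         "share", "SLA clause: provider data access and monitoring rights", 0.5),
    Risk("financial records", "data not returned after termination", 2, 4,
         "share", "SLA clause: data return and erasure on exit", 0.75),
    Risk("marketing data", "transfer blocked by data protection rules", 1, 2,
         "accept"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:18} {r.threat:42} inherent={r.inherent:2} residual={r.residual:4.1f}")
    for r in needs_approval(REGISTER, appetite=4.0):
        print("needs approval:", r.asset, "/", r.threat)
```

With the assumed appetite of 4.0, the two customer PII risks still exceed it after treatment and are the ones put before management for residual-risk approval.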
37. Assessment & Audit
• SLO (Service Level Objectives)
• SLA (Service Level Agreement)
– Framework for assessment and audit
• Difficulties in audit
– Limitations of SAS 70