Legal issues of Cloud Computing
Ikuo Takahashi
Risk analysis
(Figure: risk plot with the axis “possibility”; the plotted risks are Compliance, Subpoena, E-discovery, Loss of governance, Jurisdiction and Data protection.)
Quoted from ENISA “Cloud Computing-Benefits, risks and recommendations for information security”
Lessons from risk assessment
• Important
– Implementation of a security management system
– Compliance issues
– In Japan, legal issues are not disputed as such an important issue.
• MIC (Ministry of Internal Affairs and Communications) “Smart Cloud Research Committee” report
• METI “Japan’s competitiveness and cloud computing Research Committee” report
Analysis of compliance issues
• Within one country boundary
– Governance issues
– Data Protection Law / Information Security Law
– International standards
– General information security issues
– Controls of information security
• International elements (transborder issues)
– Four rules
• Complexities in civil cases
• Access authority and territorial nature
• Prohibition of transborder data flow by sovereign
• Difficulties of law enforcement
Inbound-(1) Loss of governance
• The customer’s information security is strongly influenced by the CSP on many issues
– Conflict with the CSP’s policy on security testing
– No guarantee regarding outsourcing to sub-contractors
– Difficulties in audit and assessment
Inbound-(2) Compliance risk
• In US
– FISMA, HIPAA, SOX, PCI-DSS, SAS 70
• In Japan
– Personal Information Protection Law
– Information Security law (case)
– International standards
– General information security issues
Inbound-(2)-A Personal Information Protection Law
• Issue: data may be processed by an external party (SPI model)
– Issues when data is handled by an external party
• Depending on model
– In some models data is located at the user’s site and processed by an external provider.
– (Japan) Personal Information Protection Law Article 22
• “Data processor shall exercise necessary and appropriate supervision to the external contractor”
• “necessary and appropriate supervision”
• Guidelines
– Criteria to choose the third party
– Periodically review the standards
– Agreement shall mention security measures
– Services, reports and records shall be regularly monitored and reviewed
– Data lifecycle management
• Erase after termination
Inbound-(2)-B Information Security Law
• Litigation for compensation based on privacy
– US law v. Japan law
• Japan
– Yahoo BB case (Osaka High Court judgement, June 21, 2007), TBC case (Tokyo District Court, Feb. 8, 2007)
– Compensation: 50 dollars per person
• US law: Twitter case
– Data leakage in January and April 2009
– FTC ordered the data processor to implement an information security management system (FTC Act)
– No monetary compensation
• Notification law to data subject
– The Security Breach Information Act (S.B. 1386)
– EU directives
– “Basic policy about protection of personal information” (April 2, 2004 Cabinet decision) and guidelines issued by Ministries
Inbound-(2)-C International Standard
• “CSA Cloud Controls Matrix V1”
– Control areas
• “Compliance” “Data governance” “Facility security” “Human resources management” “Information security” “Legal” “Operation Management” “Risk assessment” “Resiliency” “Security Architecture”
– Controls discussed by each SPI model
• Standards and laws
– COBIT (Control Objectives for Information and related Technology)
– HIPAA (Health Insurance Portability and Accountability Act)
– ISO/IEC 27002:2005
– NIST SP 800-53
– PCI DSS
Inbound-(2)-D General information security issues
• Network security issues
– DDoS, targeted attacks, others
• Business health of cloud service providers
– Search and seizure against Core IP Networks (later)
• Virtualization technology issues
– Side channel attacks
– Huge damage if the virtual machine monitor is compromised
– Attacks on vulnerabilities of the virtual machine
– Physical errors may enable attacks
– Attacks such as cache sharing, exploiting predictability of memory
Additional: Core IP Networks case
• March and April 2009
– FBI conducted search and seizure against a data center located in Texas (Crydon Technology & Core IP Networks)
• Seized servers and routers under a no-knock warrant.
• Damage to co-tenant users
– “Damage caused by the Patriot Act” (as reported in Japan) or “Care about the business health of the CSP”
• “FBI Defends Disruptive Raids on Texas Data Centers” (http://www.wired.com/threatlevel/2009/04/data-centers-ra/)
• “a number of conspirators, some of whom may have connections to Faulkner, conspired to obtain agreements from AT&T and Verizon to purchase connectivity services with the telecoms.”
• Lessons from the SJG case (DOJ “Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations”, 3rd ed., 2009)
Inbound-(2)-E Internal control
• Cloud control from the aspect of risk management
– Management of third party contracts
– Auditors shall assess whether the business exercises supervision properly if it asks an external party to process information relating to the financial report.
• How to control the CSP’s information security management level?
• How to monitor the CSP’s security management activity?
• How to choose a CSP? Criteria?
• Investor relations and cloud computing
– Business report
– Internal control report
– Securities report
Inbound-(3) Cloud Forensics
• Subpoena / e-discovery
– In common law countries, parties shall put their “cards face up on the table” in litigation.
– Is it possible to prove that the data stored in the cloud is all of it and nothing is hidden?
• Forensic issue
– Transparency needed (trace past data transitions)
– Business shall produce data stored in the cloud while proving that such data is complete and nothing is hidden.
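The completeness question raised on this slide (can a business show that what it produces from the cloud is all of it and nothing is hidden?) is in practice approached by recording a hash-chained manifest of the stored objects at litigation-hold time and checking the later production against it. The following is an added example, not code from the slides or from any of the guidance documents they cite; the object names, contents and the GENESIS value are constructed sample data, and no real cloud storage API is called.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ManifestEntry:
    """One object recorded at litigation-hold time."""
    name: str
    size: int
    digest: str   # SHA-256 of the object content, hex encoded
    chain: str    # SHA-256 over (previous chain value + name + digest)


GENESIS = "0" * 64   # constructed chain value used before the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(objects: dict[str, bytes]) -> list[ManifestEntry]:
    """Record every object (sorted by name, so the result does not depend on
    the provider's listing order) and chain each record to the previous one."""
    entries: list[ManifestEntry] = []
    prev = GENESIS
    for name in sorted(objects):
        content = objects[name]
        digest = sha256_hex(content)
        link = sha256_hex((prev + name + digest).encode("utf-8"))
        entries.append(ManifestEntry(name, len(content), digest, link))
        prev = link
    return entries


def manifest_root(entries: list[ManifestEntry]) -> str:
    """The final chain value commits to every record. Keep it outside the
    manifest (for example in the litigation-hold record) so that a manifest
    truncated at the end can still be detected later."""
    return entries[-1].chain if entries else GENESIS


def manifest_intact(entries: list[ManifestEntry], expected_root: str | None = None) -> bool:
    """Recompute the chain from the stored names and digests. A record that was
    edited, removed or reordered after the fact breaks every later link; a
    trailing record that was dropped is caught only by the externally stored root."""
    prev = GENESIS
    for e in entries:
        if sha256_hex((prev + e.name + e.digest).encode("utf-8")) != e.chain:
            return False
        prev = e.chain
    return expected_root is None or prev == expected_root


def verify_production(hold_manifest: list[ManifestEntry], produced: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the objects actually produced with the hold-time manifest and
    list what is missing, altered, or unexpected (not recorded at hold time)."""
    expected = {e.name: e for e in hold_manifest}
    report: dict[str, list[str]] = {"missing": [], "altered": [], "unexpected": []}
    for name, entry in expected.items():
        if name not in produced:
            report["missing"].append(name)
        elif sha256_hex(produced[name]) != entry.digest:
            report["altered"].append(name)
    report["unexpected"] = [name for name in produced if name not in expected]
    return report


# Constructed sample data (not real records): objects as they existed when the
# litigation hold was placed, and what the provider later returned.
HOLD_TIME_OBJECTS = {
    "mail/2009-01-15.eml": b"From: alice@example.test\nSubject: contract draft\n",
    "docs/sla-v2.txt": b"Service level agreement, version 2, sample text.\n",
    "logs/access-2009-04.log": b"2009-04-02T10:11:12Z GET /export 200\n",
}
PRODUCED_OBJECTS = {
    "mail/2009-01-15.eml": HOLD_TIME_OBJECTS["mail/2009-01-15.eml"],
    "docs/sla-v2.txt": b"Service level agreement, version 2, sample text (edited).\n",
    "logs/app-2009-04.log": b"file that was never recorded at hold time\n",
}


if __name__ == "__main__":
    manifest = build_manifest(HOLD_TIME_OBJECTS)
    root = manifest_root(manifest)
    print("manifest intact:", manifest_intact(manifest, root))
    print("production report:", verify_production(manifest, PRODUCED_OBJECTS))
```

The chain only makes the manifest tamper-evident; it does not prove that the hold-time listing itself was complete. That is why the manifest should be built from the provider's full object listing as soon as the hold is placed, and the root value stored with the hold record rather than alongside the data it protects.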
Transborder Issues
• What laws are applied?
– Basic example
• WikiLeaks case
– Elements
• Who
• Where
• What (nature)
– Four rules
• Complexities in civil cases
• Access authority and territorial nature
• Prohibition of transborder data flow by sovereign
• Difficulties of law enforcement
Transborder-(1) Example: WikiLeaks case
– Julian Paul Assange
• Manager of the WikiLeaks site, revealing confidential information
• No definite address (house in Iceland)
• Server located in Sweden
• Data located all over the world
– Confidential information: more than 75,000 documents revealed
• July 25, 2010
• Including US Army and intelligence agency information
• Violation of federal law
• Where
• What kind of issue
Transborder-(2) Elements considered
• Where
– Principles of law differ in each country
• Who
– The territorial principle is strictly applied to the nation’s enforcement powers.
• Nature of legal issue
– Criminal law (territorial principle, nationality principle, protective principle)
– Civil law (international private law (JP) v. revolution of conflicts of law (US))
– Public law (not only administrative law but also laws of a public nature)
Transborder-(3) Four rules
• R1: Even in civil cases, there are many complexities about the application of law.
• R2: Laws of a country able to access stored data may be applied even if the parties’ contract specifies the applicable law.
• R3: A sovereign state may prohibit transborder data flow outside its jurisdiction by the use of sovereign power.
• R4: If the data administrator is located outside the jurisdiction, it is very difficult to enforce a legal request.
Transborder-(3) Rule 1
• R1: Even in civil cases, there are many complexities about the application of law.
• Example
– (1) Personal data of an information subject (living in Japan) is processed by a data controller (business located in Japan). The data controller uses a cloud service (SaaS) by which the data is stored in a US data center and managed in the US.
– (2) The data center is negligent and data is leaked from the data center.
– (3) The information subject files litigation against the data controller and the data center.
• In Japan (compensatory damages permissible)
• In US (compensatory damages not permissible)
• Enforcement of foreign judgment?
Transborder-(3) Rule 2
• R2: Laws of a country which can access stored data may be applied even if the parties’ contract specifies the applicable law
– Legal access by law enforcement agency
• In Japan, the LEA must get a warrant even for traffic data
• In US, classification between traffic data and contents; no-knock warrant
– e-Discovery in civil cases
• If a disclosure order conflicts with a protective legal duty in the original country, what shall we do?
– Marc Rich case
» US: Marc Rich was paying contempt-of-court fines for not turning over certain documents
» Switzerland: documents should not be produced
Transborder-(3) Rule 3: Prohibition of transborder data flow by sovereign
• R3: A sovereign state may prohibit transborder data flow outside its jurisdiction by the use of sovereign power
– (1) Data protection law
– (2) Administrative supervision
– (3) National security
Transborder-(3) Rule 3: Prohibition of transborder data flow by sovereign
1-Data protection
• Personal data cannot flow from the 27 EU member states and the three EEA member countries (Norway, Liechtenstein and Iceland) to a third country if that third country does not provide an adequate level of data protection
• Adequate level of protection
– Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, Isle of Man, Jersey, US (Air Passenger Name Records, Safe Harbor)
– http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm
» Nov. 7, 2010
Transborder-(3) Rule 3: Prohibition of transborder data flow by sovereign
2-Administrative supervision
• An administrative agency may regulate transborder data flow in the area under its administrative supervision.
– (JP) “Guideline about Medical Information System’s information security management”, ver. 4.1 (Feb. 2010), issued by the Ministry of Health, Labour and Welfare
• “Security management guideline when ASP/SaaS providers handle medical information”, issued by the Ministry of Internal Affairs and Communications
– Table 3-8: requirements for ASP/SaaS providers at emergency response such as disasters
– “Provider shall locate application, platform, server and storage in the place where national law may apply in order to produce legally requested references to the agency smoothly.”
Transborder-(3) Rule 3: Prohibition of transborder data flow by sovereign
3-National security
– Foreign Exchange and Foreign Trade Act (Article 25)
• “shall obtain, pursuant to the provisions of Cabinet Order, permission from the Minister of Economy, Trade and Industry”
– as those considered to undermine the maintenance of international peace and security
– Article 25, section 3: “METI may request him/her to obtain permission for electronic communication in order to be received in a specified country”
• Cyber espionage (economic spying in the network)
– Big issue
– (JP) The Japanese government processed residents’ information for the Supplementary Income Payments (Teigaku-Kyufukin) using Salesforce.
– We do not know where such residents’ data were processed.
Transborder-Rule 4: Difficulties of law enforcement
• R4: If the data administrator is located outside the jurisdiction, it is very difficult to enforce a legal request.
– Example: WikiLeaks case
• Criminal: international cooperation framework
• Dual criminality is needed for the international cooperation framework
• Federal code: national secrecy protection
– Difficult to enforce
– Even injunctions
» UK could not get an injunction in Australia or New Zealand (Spycatcher case)
Behind the scenes
(Figure: potential factors behind the surface, labelled Network, Network security, Beyond boundary, Sovereign, Privacy ???, Human factor.)
Cloud computing and IT security framework
Cloud computing & PDCA
(Figure: PDCA cycle, Plan / Do / Check / Action, mapped onto the cloud risk assessment procedure: identify general threats, identify threats to assets, organization, policies, planning, risk assessment, controls implementation, assessment & audit, controls.)
“Integrate cloud computing security, business continuity and disaster recovery into the customer’s own policy and procedures.” (Guidance 1.0 p. 58)
Controls
• Risks are caused by uncertainty (risks and uncertainty)
• Avoiding, reducing, sharing, accepting
• Reducing, sharing (technology, fair agreement)
– Evaluation of subject and vendor selection
– Evaluation of technology and vendor selection
– Risk sharing by agreement with vendors
Risks
(Figure: risks and uncertainty, addressed through trust in the subject, technology and a fair agreement.)
Evaluation of subject and vendor selection
• Who (subject), what services (kind), how much (cost), how good (quality)
• Objective evaluation
• References
– “CSA Cloud Controls Matrix V1”
• Control areas: “Compliance” “Data governance” “Facility security” “Human resources management” “Information security” “Legal” “Operation Management” “Risk assessment” “Resiliency” “Security Architecture”
• Controls discussed by each SPI model
Cloud service provider
• Guideline on standards to choose external parties
– Service subject (service provider)
• Financial health
• Reputation in the market
• Information security management
• Members of the board of directors
• Evaluation of past performance
• Third parties’ list, roles, responsibilities, interface information
– Risk management
• Assessment of the provider’s risk level
• Assessment of the provider’s information management policy
• Review of procedures and processes
• Business continuity plan
• Attitude to compliance, possibility of data life cycle management, insurance against information loss
Objective evaluation: accountability
• “Contracts are not your only governance tool but should encompass the broad due diligence required of a cloud provider.” (CSA Guidance p. 15)
• Due diligence
– Domains
• Service provider
• Type of service
• Conditions of service
• Service level agreement
Who: how to control the cloud service provider
• Legal control
– Effectiveness of the SLA (control the provider by legal agreement)
• Data isolation
• Data access by the provider
• Article on technical measures
• Ownership of data
• Monitoring right
• Compliance
• Ensuring smooth termination
– Data access after termination
– Transfer of data to another platform
Controls
• After assessment of risks and choice of service, controls should be implemented and monitored/audited properly.
– “Do not forget, the security of the cloud computing environment isn’t mutually exclusive of your organization’s internal policies, procedures, standards, guidelines and processes.” (Guidance p. 46)
• Definition and documentation as a first step: how data is stored, processed, accessed and managed.
• Ensure that the cloud service provider implements, operates and maintains controls properly
– A SAS 70 report is helpful.
Technology controls
• Traditional issues
– Encryption
– Key management
– Identity management
– Application security, etc.
• Model selection
(Table: rows Private cloud / Hybrid cloud / Public cloud, columns IaaS / PaaS / SaaS. Private cloud: user’s responsibility. Public cloud: risks such as data isolation and leakage.)
Process to choose controls
• Reduce risks of identified information assets
• Completing the risk control matrix
• Approval of residual risks
Assessment & audit
• SLO (Service Level Objectives)
• SLA (Service Level Agreement)
– Framework for assessment and audit
• Difficulties in audit
– Limitations of SAS 70

Mais conteúdo relacionado

Mais procurados

Anti-circumvention and ISP liability provisions in Free Trade Agreements.
Anti-circumvention and ISP liability provisions in Free Trade Agreements.Anti-circumvention and ISP liability provisions in Free Trade Agreements.
Anti-circumvention and ISP liability provisions in Free Trade Agreements.
blogzilla
 
Cybercrime law in the philippines
Cybercrime law in the philippinesCybercrime law in the philippines
Cybercrime law in the philippines
ian_oguis
 
Introduction to Law relating to e commerce and computer crimes in Sri Lanka
Introduction to Law relating to e commerce and computer crimes in Sri LankaIntroduction to Law relating to e commerce and computer crimes in Sri Lanka
Introduction to Law relating to e commerce and computer crimes in Sri Lanka
Maxwell Ranasinghe
 

Mais procurados (20)

Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
S719a
S719aS719a
S719a
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information Security
 
Closer All The Time: Moving Toward Fiduciary Access to Digital Assets
Closer All The Time: Moving Toward Fiduciary Access to Digital AssetsCloser All The Time: Moving Toward Fiduciary Access to Digital Assets
Closer All The Time: Moving Toward Fiduciary Access to Digital Assets
 
Information Security: The Trinidad & Tobago Legal Context
Information Security: The Trinidad & Tobago Legal ContextInformation Security: The Trinidad & Tobago Legal Context
Information Security: The Trinidad & Tobago Legal Context
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David Mink
 
Cloud and mobile computing for lawyers
Cloud and mobile computing for lawyersCloud and mobile computing for lawyers
Cloud and mobile computing for lawyers
 
Data protection and privacy
Data protection and privacyData protection and privacy
Data protection and privacy
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information Privacy
 
E commerce(report)
E commerce(report)E commerce(report)
E commerce(report)
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
 
Anti-circumvention and ISP liability provisions in Free Trade Agreements.
Anti-circumvention and ISP liability provisions in Free Trade Agreements.Anti-circumvention and ISP liability provisions in Free Trade Agreements.
Anti-circumvention and ISP liability provisions in Free Trade Agreements.
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
 
Cybercrime law in the philippines
Cybercrime law in the philippinesCybercrime law in the philippines
Cybercrime law in the philippines
 
EFFECTIVENESS OF THE EXISTING LEGAL FRAMEWORK GOVERNING CYBER-CRIMES IN SRI L...
EFFECTIVENESS OF THE EXISTING LEGAL FRAMEWORK GOVERNING CYBER-CRIMES IN SRI L...EFFECTIVENESS OF THE EXISTING LEGAL FRAMEWORK GOVERNING CYBER-CRIMES IN SRI L...
EFFECTIVENESS OF THE EXISTING LEGAL FRAMEWORK GOVERNING CYBER-CRIMES IN SRI L...
 
Introduction to Law relating to e commerce and computer crimes in Sri Lanka
Introduction to Law relating to e commerce and computer crimes in Sri LankaIntroduction to Law relating to e commerce and computer crimes in Sri Lanka
Introduction to Law relating to e commerce and computer crimes in Sri Lanka
 
ICANN WhoIs Backgrounder
ICANN WhoIs BackgrounderICANN WhoIs Backgrounder
ICANN WhoIs Backgrounder
 
Cybercrime law
Cybercrime lawCybercrime law
Cybercrime law
 

Destaque

Cloud Computing: legal issues
Cloud Computing: legal issuesCloud Computing: legal issues
Cloud Computing: legal issues
ISPABelgium
 
E discovery 2-cloud_v5
E discovery 2-cloud_v5E discovery 2-cloud_v5
E discovery 2-cloud_v5
scm24
 
E Discovery Cloud
E Discovery CloudE Discovery Cloud
E Discovery Cloud
gjohansen
 
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
Cengage Learning
 
Unit i introduction to grid computing
Unit i   introduction to grid computingUnit i   introduction to grid computing
Unit i introduction to grid computing
sudha kar
 

Destaque (20)

Legal issues in cloud computing
Legal issues in cloud computingLegal issues in cloud computing
Legal issues in cloud computing
 
Cloud computing : legal , privacy and contract issues
Cloud computing : legal , privacy and contract issuesCloud computing : legal , privacy and contract issues
Cloud computing : legal , privacy and contract issues
 
Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues
 
Cloud Computing: legal issues
Cloud Computing: legal issuesCloud Computing: legal issues
Cloud Computing: legal issues
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Cloud Computing: Peluang Bisnis dan Tantangan Regulasi
Cloud Computing: Peluang Bisnis dan Tantangan RegulasiCloud Computing: Peluang Bisnis dan Tantangan Regulasi
Cloud Computing: Peluang Bisnis dan Tantangan Regulasi
 
Ejecutables
EjecutablesEjecutables
Ejecutables
 
Cloud Computing - Is it the Future of ESI?
Cloud Computing - Is it the Future of ESI?Cloud Computing - Is it the Future of ESI?
Cloud Computing - Is it the Future of ESI?
 
E discovery 2-cloud_v5
E discovery 2-cloud_v5E discovery 2-cloud_v5
E discovery 2-cloud_v5
 
WordPress Security Hardening
WordPress Security HardeningWordPress Security Hardening
WordPress Security Hardening
 
E Discovery Cloud
E Discovery CloudE Discovery Cloud
E Discovery Cloud
 
Forecast 2014: eDiscovery and Forensics
Forecast 2014: eDiscovery and Forensics Forecast 2014: eDiscovery and Forensics
Forecast 2014: eDiscovery and Forensics
 
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
 
Data Ownership: Who Owns 'My Data'?
Data Ownership: Who Owns 'My Data'?Data Ownership: Who Owns 'My Data'?
Data Ownership: Who Owns 'My Data'?
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Presentation on cloud computing security issues using HADOOP and HDFS ARCHITE...
Presentation on cloud computing security issues using HADOOP and HDFS ARCHITE...Presentation on cloud computing security issues using HADOOP and HDFS ARCHITE...
Presentation on cloud computing security issues using HADOOP and HDFS ARCHITE...
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
Unit i introduction to grid computing
Unit i   introduction to grid computingUnit i   introduction to grid computing
Unit i introduction to grid computing
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 

Semelhante a Cloud Computing Legal Issues

Chapter2
Chapter2Chapter2
Chapter2
Pibi Lu
 
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
Jon-Michael C. Brook, CISSP
 
Wsgr eu data protection briefing march 20 2013 - final
Wsgr   eu data protection briefing march 20 2013 - finalWsgr   eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - final
Valentin Korobkov
 
Data breach protection from a DB2 perspective
Data breach protection from a  DB2 perspectiveData breach protection from a  DB2 perspective
Data breach protection from a DB2 perspective
Craig Mullins
 

Semelhante a Cloud Computing Legal Issues (20)

ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.ppt
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.ppt
 
Data Sovereignty
Data SovereigntyData Sovereignty
Data Sovereignty
 
The Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUDThe Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUD
 
4482LawEthics.ppt
4482LawEthics.ppt4482LawEthics.ppt
4482LawEthics.ppt
 
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensic
 
Cloud primer
Cloud primerCloud primer
Cloud primer
 
Legal and privacy implications of IoT
Legal and privacy implications of IoTLegal and privacy implications of IoT
Legal and privacy implications of IoT
 
1º Palestra sobre Proteção de Dados Pessoais
1º Palestra sobre Proteção de Dados Pessoais1º Palestra sobre Proteção de Dados Pessoais
1º Palestra sobre Proteção de Dados Pessoais
 
Data Privacy for Information Security Professionals Part 1
Data Privacy for Information Security Professionals Part 1Data Privacy for Information Security Professionals Part 1
Data Privacy for Information Security Professionals Part 1
 
Amberhawk - Law Enforcement Parts of the Data Protection Bill
Amberhawk - Law Enforcement Parts of the Data Protection BillAmberhawk - Law Enforcement Parts of the Data Protection Bill
Amberhawk - Law Enforcement Parts of the Data Protection Bill
 
GDPR and Blockchain
GDPR and BlockchainGDPR and Blockchain
GDPR and Blockchain
 
State regulation of information protection in the cloud - international and K...
State regulation of information protection in the cloud - international and K...State regulation of information protection in the cloud - international and K...
State regulation of information protection in the cloud - international and K...
 
Chapter2
Chapter2Chapter2
Chapter2
 
[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities
 
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
 
Wsgr eu data protection briefing march 20 2013 - final
Wsgr   eu data protection briefing march 20 2013 - finalWsgr   eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - final
 
Trade Secret Theft in the Digital Age
Trade Secret Theft in the Digital AgeTrade Secret Theft in the Digital Age
Trade Secret Theft in the Digital Age
 
Data breach protection from a DB2 perspective
Data breach protection from a  DB2 perspectiveData breach protection from a  DB2 perspective
Data breach protection from a DB2 perspective
 

Mais de Ikuo Takahashi

Mais de Ikuo Takahashi (13)

ACDPub.pptx
ACDPub.pptxACDPub.pptx
ACDPub.pptx
 
Ikuo0823.pdf
Ikuo0823.pdfIkuo0823.pdf
Ikuo0823.pdf
 
Cydef 2021 国際的サイバー防衛法
Cydef 2021 国際的サイバー防衛法Cydef 2021 国際的サイバー防衛法
Cydef 2021 国際的サイバー防衛法
 
Crossover of Data protection and competition law concerning privacy protection
Crossover of Data protection and competition law concerning privacy protection Crossover of Data protection and competition law concerning privacy protection
Crossover of Data protection and competition law concerning privacy protection
 
What is contact tracing?
What is contact tracing?What is contact tracing?
What is contact tracing?
 
Ikuo takahashi0509
Ikuo takahashi0509Ikuo takahashi0509
Ikuo takahashi0509
 
Ikuo takahashi0509
Ikuo takahashi0509Ikuo takahashi0509
Ikuo takahashi0509
 
20slide0306
20slide030620slide0306
20slide0306
 
APPI (Japan) and Rikunabi case
APPI (Japan) and Rikunabi caseAPPI (Japan) and Rikunabi case
APPI (Japan) and Rikunabi case
 
Ikuoedisclosure Uk
Ikuoedisclosure UkIkuoedisclosure Uk
Ikuoedisclosure Uk
 
10 Keio513
10 Keio51310 Keio513
10 Keio513
 
Sec Wars Episode 3
Sec Wars Episode 3Sec Wars Episode 3
Sec Wars Episode 3
 
Security Wars
Security WarsSecurity Wars
Security Wars
 

Cloud Computing Legal Issues

  • 1. Legal issues of Cloud Computing Ikuo Takahashi
  • 2. Risk analysis 2 possibility Compliance Subpoena E-discovery 1 2 Loss of governance Jurisdiction 3 Quoted form ENISA “Cloud Computing-Benefits, risks and recommendations for information security” Data protection
  • 3. Lessons from risk assessment • Important – implementation of security management system – compliance issues – In Japan, lega l issues are not disputed as such important issue. • MIC (Ministry of Internal affairs and Communications) ”Smart Cloud Research Committee” report • METI “Japan’s competitiveness and cloud computing Research Committee” report
  • 4. Analysis of compliance issues • Within one country boundary – Governance issues – Data Protection Law/Information Security Law – International standards – General Information Security Issues – Controls of Information security • International elements(Transborder issues) – Four rules • Complexities in civil case • Access authority and territorial nature • Prohibition of transborder data flow by sovereign • Difficulties of Law enforcement 4
  • 5. Inbound-(1) Loss of governance • Customer’s Information security is strongly influenced by CSP on many issues – Conflict with CSP’s policy of security testing – No guarantee of out source of sub-contractor. – Difficulties in audit and assessment
  • 6. Inbound-(2) Compliance risk • In US – FISMA,HIPAA,SOX,PCI-DSS,SAS 70 • In Japan – Personal information Protection Law – Information Security law (case ) – International standards – General information security issues
  • 7. Inbound-(2)-A Personal Information Protection Law Issue• Data may be processed by external party (SPI model) – Issues data is handled by external party • Depending on model – Data is located in user’s site and processed by external provider in some model. – (Japan)Personal Information Protection law Article 22 • “Data processor shall exercise necessary and appropriate supervision to the external contractor “ • “necessary and appropriate supervision” • Guidelines – Criteria to choose third party – Periodically review the standards – Agreement shall mention about security measures – Services, reports and records shall be regularly monitored and reviewed – Data Lifecycle management • Erase after termination 7
  • 8. Inbound-(2)-B Information Security Law • Litigation for Compensation based on Privacy – US law v. Japan law • Japan – Yahoo BB case(Osaka High C. Judgement,June 21.2007),TBC case(Tokyo D.C.Feb.8,2007) – Comepnsation-50 dollars per person • US law-Twitter case – Data leakage in January,April,2009 – FTC order Data processor to implement Information security management system(FTC Act) – No monetary compensation • Notification law to Data subject – The Security Breach Information Act (S.B. 1386) – EU directives – “Basic policy about protection of personal information”(April 2,2004 Cabinet decision) and guidelines issued by Ministries 8
  • 9. Inbound-(2)-C International Standard • ”CSA Cloud Controls Matrix V1” – Control areas • “compliance” “Data governance” “Facility security” “Human resources management” “Information security” “Legal” “Operation Management” “Risk assessment” “Resiliency” “Security Architecture” – Controls discussed by each SPI model • Standards asnd Laws – COBIT(Control Objectives for Information and related Technology) – HIPAA(Health Insurance Portability and Accountability Act) – ISO/IEC 27002-2005 – NIST SP800-53 – PCI DSS 9
10. Inbound-(2)-D General information security issues
• Network security issues
– DDoS, targeted attacks, others
• Business health of cloud service providers (CSPs)
– Search and seizure against Core IP Networks (later)
• Virtualization technology issues
– Side channel attacks
– Huge damage if the virtual machine monitor is compromised
– Attacks on vulnerabilities of the virtual machine
– Physical errors may enable attacks
– Attacks via cache sharing, exploiting the predictability of memory
11. Additional: Core IP Networks case
• March and April, 2009
– FBI conducted search and seizure against data centers located in Texas (Crydon Technology & Core IP Networks)
• Seized servers and routers under a no-knock warrant.
• Damage to co-tenant users
– “Damage caused by the Patriot Act” (as reported in Japan) or “Care about business health of CSP”
• “FBI Defends Disruptive Raids on Texas Data Centers” (http://www.wired.com/threatlevel/2009/04/data-centers-ra/)
• “a number of conspirators, some of who may have connections to Faulkner, conspired to obtain agreements from AT&T and Verizon to purchase connectivity services with the telecoms.”
• Lessons from the SJG case (DOJ “Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigation”, 3rd ed. 2009)
12. Inbound-(2)-E Internal control
• Cloud control from the aspect of risk management
– Management of third party contracts
– Auditors shall assess whether the business exercises supervision properly if it asks an external party to process information relating to financial reports.
• How to control the CSP's information security management level?
• How to monitor the CSP's security management activity?
• How to choose the CSP? Criteria?
• Investor relations and cloud computing
– Business report
– Internal control report
– Securities report
13. Inbound-(3) Cloud Forensics
• Subpoena and e-discovery
– In common law countries, parties shall put their “cards face up on the table” in litigation.
– Is it possible to prove that the data stored in the cloud is complete and nothing is hidden?
• Forensic issue
– Transparency is needed (tracing past data transitions)
– The business shall produce data stored in the cloud while proving that such data is complete and nothing is hidden.
14. Transborder Issues
• What laws are applied?
– Basic example
• WikiLeaks case
– Elements
• Who
• Where
• What (nature)
– Four rules
• Complexities in civil cases
• Access authority and territorial nature
• Prohibition of transborder data flow by sovereign
• Difficulties of law enforcement
15. Transborder-(1) Example: WikiLeaks case
– Julian Paul Assange
• Manager of the WikiLeaks site, revealing confidential information
• No definite address (house in Iceland)
• Server located in Sweden
• Data located all over the world
– Confidential information: more than 75,000 documents were revealed
• July 25, 2010
• Including US army and intelligence agency information
• Violation of federal law
• Where
• What kind of issue
16. Transborder-(2) Elements considered
• Where
– Principles of law differ in each country
• Who
– The territorial principle is strictly applied to a nation's enforcement powers.
• Nature of the legal issue
– Criminal law (territorial principle, nationality principle, protective principle)
– Civil law (international private law (JP) v. the revolution of conflicts of law (US))
– Public law (not only administrative law but also law of a public nature)
17. Transborder-(3) Four rules
• R1: Even in civil cases, there are many complexities about the application of law.
• R2: Laws of the country able to access stored data may be applied even if the parties' contract specifies the applicable law.
• R3: A sovereign state may prohibit transborder data flow outside its jurisdiction by exercising its sovereignty.
• R4: If the data administrator is located outside the jurisdiction, it is very difficult to enforce legal requests.
18. Transborder-(3) Rule 1
• R1: Even in civil cases, there are many complexities about the application of law.
• Example
– (1) Personal data of an information subject (living in Japan) is processed by a data controller (a business located in Japan). The data controller uses a cloud service (SaaS) which stores the data in a US data center and manages it in the US.
– (2) The data center is negligent and data is leaked from the data center.
– (3) The information subject files litigation against the data controller and the data center.
• In Japan (compensatory damages permissible)
• In US (compensatory damages not permissible)
• Enforcement of a foreign judgment?
19. Transborder-(3) Rule 2
• R2: Laws of the country which can access stored data may be applied even if the parties' contract specifies the applicable law
– Legal access by law enforcement agencies
• In Japan, the LEA must get a warrant even for traffic data
• In US, a classification between traffic data and contents; no-knock warrant
– e-Discovery in civil cases
• If a disclosure order conflicts with a protective legal duty in the original country, what shall we do?
– Marc Rich case
» US: Marc Rich was paying contempt-of-court fines for not turning over certain documents
» Switzerland: the documents should not be produced
20. Transborder-(3)-3 Prohibition of transborder data flow by sovereign
• R3: A sovereign state may prohibit transborder data flow outside its jurisdiction by exercising its sovereignty
– (1) Data protection law
– (2) Administrative supervision
– (3) National security
21. Transborder-(3)-3 Prohibition of transborder data flow by sovereign: 1. Data protection
• Personal data cannot flow from the 27 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) to a third country if that third country does not provide an adequate level of data protection
• Adequate level of protection
– Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, Isle of Man, Jersey, US (Air Passenger Name Records, Safe Harbor)
– http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm
» Nov. 7, 2010
22. Transborder-(3)-3 Prohibition of transborder data flow by sovereign: 2. Administrative supervision
• An administrative agency may confine transborder data flow to the area within which reasonable administrative supervision is possible.
– (JP) “Guideline about Medical Information Systems' Information Security Management ver. 4.1” (Feb. 2010) issued by the Ministry of Health, Labour and Welfare
• “Security Management Guideline when ASP/SaaS Providers Handle Medical Information” issued by the Ministry of Internal Affairs and Communications
– Table 3-8: Requirements for ASP/SaaS providers in emergency responses such as disasters.
– “Provider shall locate application, platform, server and storage in the place which national law may apply in order to produce legal requested references to agency smoothly.”
23. Transborder-(3)-3 Prohibition of transborder data flow by sovereign: 3. National security
• Foreign Exchange and Foreign Trade Act (Article 25)
– “shall obtain, pursuant to the provisions of Cabinet Order, permission from the Minister of Economy, Trade and Industry”
• as to those considered to undermine the maintenance of international peace and security
– Article 25 section 3: “Ministry of METI may request him/her to obtain permission of electronic communication in order to be received in specified country”
• Cyber espionage (economic spying in the network)
– Big issue
– (JP) The Japanese government processed information of residents for the Supplementary Income Payments (Teigaku Kyufukin) using Salesforce.
– We do not know where such residents' data were processed.
24. Transborder Rule 4: Difficulties of law enforcement
• R4: If the data administrator is located outside the jurisdiction, it is very difficult to enforce legal requests.
– Example: WikiLeaks case
• Criminal: international cooperation framework
• Dual criminality is needed for the international cooperation framework
• Federal code: national secrecy protection
– Difficult to enforce
– Even injunctions
» The UK could not get an injunction in Australia or New Zealand (Spycatcher case)
25. Behind the Scenes
(Diagram: potential factors behind the surface. Labels: Network, Network Security, Beyond Boundary, Sovereign, Privacy, ???, Human Factor.)
26. Cloud Computing and IT security framework
27. Cloud computing & PDCA
(Diagram: PDCA cycle with labels Plan, Do, Check, Action, and Procedure.)
• Integrate cloud computing security, business continuity and disaster recovery into the customer's own policy and procedures. (Guidance 1.0 p. 58)
28. Cloud Risk Assessment
(Diagram: organization; policies; planning; risk assessment (identify general threats, identify threats to assets); controls implementation; assessment & audit.)
29. Controls
• Risks: caused by uncertainty (risks and uncertainty)
• Avoiding, reducing, sharing, accepting
• Reducing, sharing (technology, fair agreement)
– Evaluation of subject and vendor selection
– Evaluation of technology and vendor selection
– Risk sharing by agreement with vendors
(Diagram labels: Risks, Uncertainty, Trust, Subject, Tech., Fair agreement.)
30. Evaluation of subject and vendor selection
• Who (subject), what services (kind), how much (cost), how good (quality)
• Objective evaluation
• References
– “CSA Cloud Controls Matrix V1”
• Control areas: “Compliance”, “Data governance”, “Facility security”, “Human resources management”, “Information security”, “Legal”, “Operation Management”, “Risk assessment”, “Resiliency”, “Security Architecture”
• Controls discussed by each SPI model
31. Cloud Service Provider
• Guideline on standards to choose external parties
– Service subject (service provider)
• Financial health
• Reputation in the market
• Information security management
• Members of the board of directors
• Evaluation of past performance
• Third parties' list, roles, responsibilities, interface information
– Risk management
• Assessment of the provider's risk level
• Assessment of the provider's information management policy
• Review of procedures and processes
• Business continuity plan
• Attitude toward compliance, possibility of data life cycle management, insurance against information loss
32. Objective evaluation: accountability
• “Contracts are not your only governance tool but should encompass the broad due diligence required of a cloud provider.” (CSA Guidance p. 15)
• Due diligence
– Domains
• Service provider
• Type of service
• Conditions of service
• Service level agreement
33. Who: how to control the cloud service provider
• Legal control
– Effectiveness of SLA (control the provider by legal agreement)
• Data isolation
• Data access by the provider
• Article on technical measures
• Ownership of data
• Monitoring right
• Compliance
• Ensuring smooth termination
– Data access after termination
– Migration of data to another platform
34. Controls
• After assessment of risks and choice of service, controls should be implemented and monitored/audited properly.
– “Do not forget, the security of the cloud computing environment isn't mutually exclusive of your organization's internal policies, procedures, standards, guidelines and processes.” (Guidance p. 46)
• Definition and documentation as a first step: how data is stored, processed, accessed and managed.
• Ensure that the cloud service provider implements, operates and maintains controls properly
– SAS 70 report is helpful.
35. Technology controls
• Traditional issues
– Encryption
– Key management
– Identity management
– Application security, etc.
• Model selection
(Diagram: IaaS / PaaS / SaaS and private / hybrid / public cloud, showing the user's responsibility and risks such as data isolation and leakage.)
36. Process to choose controls
• Reduce risks of identified information assets
• Complete the risk control matrix
• Approval of residual risks
37. Assessment & Audit
• SLO (Service Level Objectives)
• SLA (Service Level Agreement)
– Framework for assessment and audit
• Difficulties in audit
– Limitations of SAS 70