1. Sumaya Shakir
Sumaya.shakir@gmail.com
September 2012
Cloud Computing Security Risks
Background and key information:
It finally seems like the Feds are catching up with the Cloud era boom. The US
government has released its stand on the data security on cloud technologies at the
Security in Government 2012 conference. Important concerns regarding the
jurisdictional issues of data storage were raised. The Federal Financial Institutions
Examination Council(FFIEC) issued a press release with cloud computing risks and
issued guidelines in its FFIEC IT Examination Handbook. The department will be
coming up with new cloud guidelines. Separately in Europe, the European Network
and Information Security Agency (ENISA) and the Cloud Security Alliance (CSA)
have come up with their own assessment of how to addresses cloud risk
guidelines. The European commission and European data protection council has issued
statements indicating firms offering cloud solutions should offer legal clarity and clear
privacy policies. The UK Government Digital Service is formulating its policies to
maximize on the potential benefits to the UK economy. The CSA is also working on
standards for cloud interface.
HP has partnered with VMware in providing cloud platform solutions. The partnership
aims at providing infrastructure with strong security and converged cloud solutions to
the PCI industry. The companies are selling their solutions that goes beyond addressing
the security guidelines put forth by various councils; it will be interesting to see how HP-
VMware partnership will fair against various commission guidelines. In another initiative
HP has partnered with Microsoft for cloud integration. HP has signed new contracts with
various government organizations to provide both hardware and software solutions. HP
has made new investments in cloud computing in China. Following its China five-year
growth plan, HP opened a brand new center called HP Cloud Executive Briefing Center
in Tianjin and expanded its R & D in China. In addition, HP has started other big
investments in China. With so many countries and their respective Governments on the
bandwagon trying to form their own policies and drawing the blueprint of how the cloud
infrastructure should look like, the result will be a set of conflicting laws and regulations
between borders and countries. To add to the complexity, some governments are leery
of working with China. And China’s stand on how these services will impact its own
industry and Government is a question that is yet to be raised.
While HP is ahead of the game, it may be missing some key mandates from the Cloud
Security Alliance and the various Government policies that could prove as a costly
mistake. Moreover setting up a cloud hub in China could be security threat to
businesses and organization in the US including the US government especially in the
wake of latest allegations in regards to spying from two big Chinese firms ZTE Corp.
and Huawei Technologies. Given the sensitive nature of government and payment data,
this can soon become an unmanageable nightmare and lead to unimaginable
vulnerabilities for the United States or for the western European nations. The issue is in
1

2. the late formation phase and early interest group formation. The issues are skirting
around the cloud circles and in the various CSA congress presentations and has yet to
be identified as a full blown threat. The story has been picked up by a few freelance
technology journalists. For example, the author for
http://www.businesscloud9.com/content/policy-blueprint-cloud-computing-market/11476
has provided enough validation to show the issues surrounding a global cloud dilemma.
The main interest groups for this issue will be the consumers and enterprises across the
globe that will use the cloud services technology irrespective of geographical
boundaries. There is no doubt that the Governments across the globe have to take an
active role in formulating the compliance and security protocols and HP being a key
leader of cloud services will be impacted by this and needs to be more involved with the
formation of any cloud law legislation that will give it a competitive advantage in the non
market arena.
Cloud Computing Security Risks
Issue Summary:
Issue  Security vulnerabilities in Cloud Computing
Interest  Cloud Security Alliance
Groups  Consumer and Enterprise Business using Cloud
Services
 Banks, Payments Card Industry(PCI)
 Government Organizations like US Military
Institutions  UK Government Digital Service,
 Federal Financial Institutions Examination
Council ( FFIEC),
 European Network and Information Security
Agency (ENISA)
Information  Jurisdictional issues of data storage
 Cloud Computing conflicting laws and
regulations between borders and countries
needs to be resolved
 Safety of hosting cloud services from China
Issue Life  Late issue identification, early interest group
Cycle formation
Media  Currently the story is published by a few
Attention technology magazines. Main stream media is yet
to pick up the story but eventually in the next few
months, this issue will be a hot topic.
HP’s Business Strategic Political Actions for Security Risks
Lobbying
2

3. HP, Microsoft and other internet companies who are offering services on the Cloud
have been lobbying for safer cloud computing laws since 2010. Microsoft general
counsel Brad Smith insisted on electronic privacy laws being updated during a Senate
Judiciary Committee in Washington in 2010. Since then, there have been continued
lobbying efforts for cloud security.
HP as part of the Cloud Security Alliance group has been lobbying against the
Cybersecurity Act of 2012 and has been successful in protecting the cloud initiatives.
The above graph shows HP’s spending on lobbying for various causes including trade
legislations, cloud security, data security and privacy regulations, patent approvals, free
trade, broadband subsidies and defense funding. HP is one of the biggest spenders on
lobbying efforts. It hires lobbying firms like Palmetto Group, Mehlman Vogel Castagnetti
Inc, Sternhell Group, Innovative Federal Strategies and Akin, Gump et al . HP has
spent $3,750,000 so far in 2012 on various lobbying.
There are a number of individual cloud computing legislations that HP along with
Microsoft, Google, Facebook and other companies have been lobbying like the policy
issues in cloud computing, Electronic Communications Privacy Act (ECPA) and the
number of other policies regarding,
 Cloud Physical Location and Access Issues Jurisdictional issues affecting the
Cloud. Example: “safe harbor law - a European law enacted in reaction to the U.S.
Patriot Act. Another example is the Trade Agreements Act of 1979 (TAA) prohibits
government contractors from using cloud serveices that are set up in countries that
don’t have trade agreements with United States.
 Privacy, Security and the Cloud Concerns around data stored in the Cloud is less
protected than other in other contexts. fundamental concern about the security of
essential business and government information and processes maintained in the
Cloud.
 Law Enforcement and the Cloud Concerns with privacy issues in law enforcement
context and legal protections against unreasonable search and seizure of data
stored in a Cloud context. Example: Congress is currently reviewing a proposed
update to the Electronic Communications Privacy Act
3

4.  Intellectual Property (IP) and the Cloud Concerns regarding valuable intellectual
property, trade secrets or copyrighted material in a Cloud environment. Example:
The Digital Millennium Copyright Act provides a safe harbor to cloud service
providers from infringement liability for copyright violations if they adhere to
guidelines and immediately block access or remove copyrighted materials from their
website upon notification.
 Global Competition and the Cloud: U.S. companies can compete for a share of
global cloud market but U.S. put them at a competitive disadvantage. Example: U.S.
Patriot Act
Sen. Amy Klobuchar has introduced a new bill called the “Cloud Computing Act of
2012” (S.3569), that is supposed to “ improve the enforcement of criminal and civil law
with respect to cloud computing.”
The proposed bill’s main purpose is to give “cloud computing services” protections
under the CFAA. HP as part of the CSA alliance is lobbying for this bill.
Eric Goldman, Internet Law professor from Santa Clara University has written an article
on forbes.com regarding the Cloud Computing Act . The article can be found at
http://www.forbes.com/sites/ericgoldman/2012/10/02/the-proposed-cloud-computing-
act-of-2012-and-how-internet-regulation-can-go-awry/
Forming Coalitions
HP is part of the Cloud Security Alliance group to promote the use of best practices
for providing security assurance within Cloud Computing. All the top companies like
Google, MicroSoft and even US Department of Defense are members of this alliance
group. The Alliance aims to provide education on the uses of Cloud Computing. The
Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations,
associations and other key stakeholders.
4

5. HP along with the CSA has developed a number of useful and valuable resources like
the secure best practices for cloud computing, tools for managing governance, risk and
compliance, cloud user certification and cloud security knowledge certification, registry
of cloud services amongst other cloud security standards.
Public Advocacy & Awareness Raising
For the last 8 years, every year HP has used events like HP Protect to raise awareness
and increase visibility on security infrastructure, potential security risks and breaches,
security landscape, cloud security information, security and compliance standards by
hosting a two day event where it invites experts, architects, and gurus under one roof. It
then makes public all the lectures, information shared during the summit to the general
population.
HP along with CSA has provided a number of toolkits, handbooks, standards, guides to
educate various businesses and public interested in cloud security. HP provides this
information on its website and also on CSA website.
HP also attends other security conferences like the RSA and shares its
knowledge/research with the community. It has also set up community forums,
knowledge base, FAQs, social media and blogs to reach out the general public on its
efforts on Cloud Computing Security.
Summary
HP’s Political Strategy for addressing Cloud Security Issues
Lobbying  Cloud Physical Location and Access Issues
 Privacy, Security and the Cloud
 Law Enforcement and the Cloud Electronic
Communications Privacy Act
 Intellectual Property (IP) and the Cloud The Digital
Millennium Copyright Act
 Global Competition and the Cloud: U.S. Patriot Act
 Cloud Computing Act of 2012
Coalition  Cloud Security Alliance
Public Advocacy  Protect 2012
& Raising  RSA
Awareness  HP website – community groups, forums, blogs, social
media
Conclusion
HP is taking cloud computing seriously and is using every avenue to be as close as
possible to meeting the mandates of the Cloud Security Alliance and the various
Government policies in order to avoid any costly mistakes. It is staying close by
lobbying to the various legislations related to cloud computing.
5