OSCON 2012 US Patriot Act Implications for Cloud Computing - Diane Mueller, ActiveState

Presented by Diane Mueller, ActiveState @pythondj

Are you unsure what the security and privacy implications are for sensitive corporate data? The US Patriot Act is causing many of us to hesitate on leveraging the cloud.

Organizations are thinking long and hard about the legal and regulatory implications of cloud computing. When it comes to actual corporate data, no matter what the efficiency gains are, legal departments are often directing IT departments to steer clear of any service that eliminates their ability to keep potentially sensitive information out of the hands of Federal prosecutors.

Despite all the hype about every application moving into the cloud, some practical patterns are starting to emerge in the types of data corporations are willing to move to the cloud.

Covered in this session:
(a) Introduction to the US Patriot Act and Data Privacy issues; Implications for Cloud Computing; Jurisdictional Issues
(b) Best Practices & Practical Patterns; Classes of applications that best leverage the cloud
(c) What types of applications should stay on-premise; Private Cloud Model(s); Building a Compliant Cloud Strategy

For more information:

email me at dianem {at} activestate {period} com

or ping me on twitter at @pythondj

visit http://activestate.com/stackato

  • also see supplemental slides from David Mertz who also participated in the presentation here: http://www.slideshare.net/OReillyOSCON/us-patriot-act-oscon2012-david-mertz
  • Diane Mueller is Director, Enterprise Product Management at ActiveState, the dynamic language experts. She has been designing & implementing financial applications at Fortune 500 corporations for over 20 years. Diane has been actively involved in development efforts of the XBRL Open Standard (http://www.xbrl.org) since 1999 and served on the XBRL Board of Directors and Best Practice Committee, and chaired the XBRL-INT Technical working groups on Rendering and Global Ledger. Why is this important? XBRL is the semantic XML tagging standard for financial data both here in the US and around the globe, and is used by financial regulators (such as the Federal Reserve Board, FDIC, SEC…) who are notoriously fanatical about data privacy and sovereignty issues.
  • Are the US Patriot Act & Data Privacy issues causing you to hesitate on leveraging the cloud in your enterprise? Do you want to leverage the power of cloud computing but are unsure what the security and privacy implications are for sensitive corporate data?
  • What is cloud computing? A distributed computing architecture in which data and applications reside on servers separate from the user and are accessed via the Internet. Applications and data are generally accessible from anywhere, provided you have a net connection. Cloud computing is premised on the concept of infrastructure and resource pooling. And with enterprises today very focused on minimising their capital investments, there are real economic drivers to looking at the cloud. Cloud computing offers flexibility in infrastructure planning while improving time to market. Capacity can be scaled as needs change, leaving companies to pay only for what they need. Another driver is the demand for access anywhere, meaning more and more people with the need to access business files and data from remote locations. It’s also not uncommon for companies to deal with external and internal users – external users may include customers or business partners, while internal users are regular or temporary employees or contractors.
  • http://blog.privacylawyer.ca/#uds-search-results
  • The Patriot Act was signed into law in October 2001 as a response to 9/11, and it was extended in May 2011. The Act grants the US government sweeping privileges to access private data in case of suspected terrorist threats.
    http://www.luborp.com/2011/08/cloud-and-asymmetric-patriot-act.html
    U.S. — In the United States, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 allows the FBI to seize and review data stored in or transmitted within the United States. The FBI, CIA or the U.S. Department of Defense can issue National Security Letters to an organization, requiring that they provide data records pertaining to an individual. This can involve a gag order, which prevents the organization from ever disclosing receipt of a letter requiring the handover of records.
    The clumsily-titled Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act, or USAPA) introduced a plethora of legislative changes which significantly increased the surveillance and investigative powers of law enforcement agencies in the United States. The Act did not, however, provide for the system of checks and balances that traditionally safeguards civil liberties in the face of such legislation.
    Legislative proposals in response to the terrorist attacks of September 11, 2001 were introduced less than a week after the attacks. President Bush signed the final bill, the USA PATRIOT Act, into law on October 26, 2001. Though the Act made significant amendments to over 15 important statutes, it was introduced with great haste and passed with little debate, and without a House, Senate, or conference report. As a result, it lacks background legislative history that often retrospectively provides necessary statutory interpretation.
    The Act was a compromise version of the Anti-Terrorism Act of 2001 (ATA), a far-reaching legislative package intended to strengthen the nation's defense against terrorism. The ATA contained several provisions vastly expanding the authority of law enforcement and intelligence agencies to monitor private communications and access personal information. The final legislation included a few beneficial additions from the Administration's initial proposal: most notably, a so-called sunset provision (which provides that several sections of the act automatically expire after a certain period of time, unless they are explicitly renewed by Congress) on some of the electronic surveillance provisions, and an amendment providing judicial oversight of law enforcement's use of the FBI's Carnivore system.
    However, the USA PATRIOT Act retains provisions appreciably expanding government investigative authority, especially with respect to the Internet. Those provisions address issues that are complex and implicate fundamental constitutional protections of individual liberty, including the appropriate procedures for interception of information transmitted over the Internet and other rapidly evolving technologies.
    http://www.govtrack.us/congress/billtext.xpd?bill=h112-67
  • Requests for information about Google users from U.S. government authorities jumped 29 percent in the first six months of the year, according to a recent report issued by the online search company. The report showed that 5,950 requests for information were made by U.S. government authorities during the first six months of this year, compared with 4,601 requests during the last six months of last year -- an increase of 29 percent. "The number of requests we receive for user account information as part of criminal investigations has increased year after year," the report explained. "The increase isn't surprising, since each year we offer more products and services, and we have a larger number of users." Of the nearly 6,000 requests for user information, which affected 11,057 accounts, Google fully or partially complied with 93 percent of them. There can be many reasons why Google will or will not comply with a request for information from a government, according to the company. Google said it complies with valid legal requests. Generally, requests must be in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. Google's "Transparency Report" is prepared every six months and details requests by countries around the world made to the company to take down information from its websites, including YouTube, or to obtain information about user accounts.
  • Dropbox™ is a proprietary data backup and sharing service that uses servers in the ‘cloud’ to enable users to share data between devices, be they computers in an office or a smartphone anywhere in the world. The US law enforcement agencies can get your private data by requesting access to Dropbox servers because suspected terrorists might be allegedly using Dropbox to plan their activities. Dropbox™ uses Amazon’s S3 data centers, which are scattered throughout the US and world. Anyone with physical or remote access to those buildings has access to data stored with Dropbox™. Under the Stored Communications Act of 1986 as well as the Patriot Act, Dropbox™ is required to turn over your data when asked by law enforcement.
    Encryption helps... to a point. Of course, Dropbox™ uses AES-256 encryption when they “store” your data, which is the same as the government uses for information designated as “top secret.” Dropbox™ manages these keys to your data on your behalf. The system only allows access to the keys once you’ve put in your password, but from a technical sense there’s nothing stopping Dropbox™ from decrypting your data except their internal company policies against doing so, which have wide exceptions for when they need to comply with federal law.
    So you could encrypt all your data BEFORE you upload it to Dropbox. And then Dropbox™ employees would only have access to the encrypted data, and that would be all they could turn over to the government. BUT how many of you (or your employees) are actually doing this today? This is why it’s so important for data to be encrypted when living in the cloud.
    http://drmtlaw.com/areas-of-practice/general-practice/dropbox/
  • The thing to remember… The cloud is not an abstract concept; rather it’s a collection of physical data centers. It was previously widely assumed that the location of the data center was crucial in determining national sovereignty of data. In the past, corporations’ compliance officers focused on data location, but now they are moving on to consider broader multinational implications about data protection.
  • http://blog.privacylawyer.ca/#uds-search-results
    I, for example, am an American living in Canada, working for a Canadian company. I spend significant time in the US and other countries, and I use a whole host of cloud services, from the aforementioned Dropbox to Salesforce to Google Docs to LinkedIn to Evernote – much to the chagrin of our IT manager, I’m sure. Data about me and my company is scattered across the globe as corporate emails fly from my iPhone to my office on a daily basis, residing temporarily on different “clouds”. It’s not where you live that matters, it’s where your data lives.
  • As a U.S. law, the Patriot Act applies to everyone living and visiting the country, including any foreign national who spends time on U.S. soil as part of a visa arrangement. The Act also applies to companies based in the U.S., whether they are headquartered there — such as Apple, Google or Microsoft — or are a subsidiary of a larger non-US company. For example, although the BBC has its headquarters in London, it also has studios and offices in the U.S., making these U.S.-based offices vulnerable to the Act.
    http://www.bbcworldwide.com/media/19346/bbc%20worldwide%20annual%20review%202009-10.pdf
  • The FBI, CIA or the U.S. Department of Defense can issue National Security Letters to an organization, requiring that they provide data records pertaining to an individual. This can involve a gag order, which prevents the organization from ever disclosing receipt of a letter requiring the handover of records. Remember: Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities.
  • Taking this one step further, industry regulators in many international jurisdictions may restrict the international transfer of certain kinds of data, and in some cases even require certain kinds of data to be kept separate and not be intermixed with other data. Examples of existing regulation that may impact on cloud service providers include:
    Australia — the National Privacy Principles contained in the Privacy Act 1988 (Cth), regulate collection, use and disclosure of personally identifiable information pertaining to individuals, and impose conditions on the transfer of personal information to foreign jurisdictions. In addition, Australian Financial Institutions are further subject to Australian Prudential Regulatory Authority standards. These include APRA 231, which regulates the way in which Australian Financial Institutions outsource material business activities and focus on risk management, including risks relating to the transfer of data. Recent discussion papers suggest further reform, including in the area of cross-border transfer of data;
    EU — the Stored Communications Act in the European Union (EU) places strict limits on the way data relating to EU citizens is collected and stored;
    U.S. — In the United States, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, allows the FBI to seize and review data stored in or transmitted within the United States.
  • In principle, the best way to think about data privacy and liability for maintaining that privacy is to ask yourself: who is the original custodian?
    The original custodian:
    Remains responsible for protecting and safeguarding the personal information
    Needs to make informed choices about how to handle the data, including what services and service providers to use for its processing
    Take a risk-based approach:
    What is the sensitivity of the information?
    What is the risk to the data?
    What role does the jurisdiction play in that risk?
    If the risk is high and the safeguards cannot be assured, then don’t use the cloud service provider
  • http://www.aidanfinn.com/?p=11187
    A private cloud is one in which the computing environment is operated exclusively for an organization. It may be managed either by the organization or a third party, and may be hosted within the organization’s data center or outside of it. A private cloud gives the organization greater control over the infrastructure and computational resources than does a public cloud.
    Customizable cloud of computing and storage resources that can be configured and re-configured when and as you wish
    Get all the benefits of cloud (elasticity, pooling resources within your organization, with faster time-to-market) on a private cloud
  • http://resource.onlinetech.com/benefits-of-private-cloud-computing-compliant-cost-effective/
    Think about what 12% would mean to your bottom line
    According to a 2011 study by the Aberdeen Group, the private cloud delivers a total of 12% combined annual cost savings over public clouds on a per-application basis. When it comes to computing costs, everything adds up fast – including personnel and training, process and technology, hardware, software, services and support. Companies that implemented private clouds also incurred 38 percent fewer costs related to security and compliance events in the past year compared to public cloud users. Public cloud users suffered from an overall 25 percent of incidents related to audit deficiencies, data loss or data exposure, and unauthorized access.
  • All the benefits of cloud (elasticity, pooling resources within your organization, with faster time-to-market) on a private cloud
    A private cloud computing platform is a stack of network, server and storage hardware dedicated to you for the purpose of cloud computing, on which you deploy a cloud computing infrastructure platform such as OpenStack, CloudStack, vCloud, or Hyper-V. When a cloud computing infrastructure platform is utilized, the stack of hardware becomes a customizable cloud of computing and storage resources that can be configured and re-configured when and as you wish, giving you the ability to elastically configure and re-configure your server resources with a private cloud computing platform.
    In the old school of computing, what you needed to do was watch the server, storage and network resources. When one application or service appeared to be causing a bottleneck, you provided it more resources. You also had to remember to reduce the number of resources allocated to a server that doesn’t need it. If you don’t, it sits idle and unavailable for another server that might demand it.
    With cloud computing, resources are automatically allocated to change the cloud configuration in real-time so resources are where they need to be when they need to be there! In the blink of an eye and automatically, it needs to turn cloud servers off that aren’t being used and turn them back on when they are needed. This means that a small, extremely smart piece of software constantly monitors your server, storage, memory and network resources and compares that to workloads. It estimates and forecasts which servers need more resources. After estimating, it then needs to automatically, in real-time, re-allocate resources so that you are always using your cloud computing resources in the most efficient manner.
    Cost: the ultimate savings of idle capacity can be passed on to you instead of some 3rd party cloud provider. The cost for a well designed private cloud computing platform is less than a dedicated server on a per server basis. So, not only is it more flexible and can deliver a lower total cost of ownership, a managed Private Cloud can be outright cheaper. That’s the benefit of private cloud computing.
  • From Gartner: PaaS is a common reference to the layer of cloud technology architecture that contains all application infrastructure services, which are also known as "middleware" in other contexts. PaaS is the middle layer of the software stack "in the cloud."

Presentation Transcript

  • Implications for Cloud Computing & Data Privacy
    Diane Mueller
    Cloud Evangelist, ActiveState
    dianem@activestate.com
    http://www.activestate.com/stackato
  • Founded 1997
    2 million developers, 97% of Fortune 1000
    Development, management, distribution & cloud deployment for dynamic languages
    Cloud Solution: Stackato – Private PaaS
    Some of Our Customers
  • Drivers for Cloud Computing
    US Patriot Act & Data Privacy
    Implications for Cloud Computing
  • Savings of physical IT costs
    Faster Deployment Times
    Higher Levels of Application Availability
    Reliability & Fault Tolerance
    Access Anywhere
    Capacity scales as needs change
    Improved Time to Market
  • Maintain privacy & confidentiality
    Preserve intellectual property rights
    Potential for intervention by foreign governments
    Manage operational & commercial risks
    Comply with industry & jurisdictional regulatory requirements
  • Information is no longer in your direct custody or control: handed over to a third party to manage; resident in a different jurisdiction or multiple jurisdictions
    Mass-market cloud services are subject to “take it or leave it” service agreements
    Information and data may not be “portable” – you can’t take it with you
  • Signed into law in October 2001
    Extended in May 2011
    Grants privileges to access private data in case of suspected terrorist threats
    Significantly increased the surveillance and investigative powers of law enforcement agencies in the United States
  • http://www.google.com/transparencyreport/governmentrequests/userdata/
  • https://www.dropbox.com/privacy
  • New powers of surveillance and search/seizure extend to records of anyone (including Foreign Nationals) in the US.
    Extends to records in the custody of: US companies in Foreign Countries; Foreign-based subsidiaries of US companies; Foreign-based companies with presence in US
  • Cloud Computing is premised on the concept of infrastructure pooling regardless of geographic location.
    Users may not have visibility in relation to the ultimate location of data.
    Data may not in fact be pooled in one place; it could be spread across a cloud service provider’s network.
  • Data that is housed in or passes through the United States is vulnerable to interception by authorities
    Applies to:
    Everyone living and visiting the country, including any foreign national who spends time on U.S. soil as part of a visa arrangement.
    Companies based in the U.S., whether they are headquartered there or not
  • BBC Worldwide: HQ in London
    also has studios and offices in the U.S.
    making these U.S.-based offices vulnerable to the Act.
  • National Security Letters can involve a gag order: prevents the organization from ever disclosing receipt of a letter requiring the handover of records.
    Vendors cannot provide a guarantee that their customers would be informed
    This contravenes the EU Data Protection Directive, which requires organisations to inform users when personal information is disclosed.
  • Regulators may restrict the international transfer of certain kinds of data, even require certain kinds of data to be kept separate and not be intermixed with other data.
    Examples: Australia, Canada, EU, HIPA
  • MSFT could not guarantee the sovereignty of European customers’ data in its data centers
    If the US Patriot Act was invoked, MSFT would be compelled to hand data over to US authorities and would keep the data transfer secret
    This contravenes the new EU Data Protection Directive, which requires organizations to inform users when personal information is disclosed
    Extremely difficult for US HQ companies to refuse to comply with the Patriot Act in deference to the EU Directive
  • CEO, Reinhard Clemens
    "The Americans say that no matter what happens I'll release the data to the government if I'm forced to do so, from anywhere in the world. Certain German companies don't want others to access their systems. That's why we're well-positioned if we can say we're a European provider in a European legal sphere and no American can get to them."
  • Remains responsible for protecting and safeguarding information
    Needs to make informed choices
    Take a risk-based approach: What is the sensitivity of the information? What is the risk to the data? What role does the jurisdiction play in that risk?
    If the risk is high and the safeguards cannot be assured, then don’t use the service provider
  • Own the infrastructure
    Run your own cloud in your data center
    Host your own services
    Minimize the number of layers between you and the NSL
    Minimizes US Patriot Act effect
  • Keep all your data within your own firewalls: Avoids the Gag Issue; If the US Gov’t wants information – they have to ask you, not some cloud provider
    Keep all your data within secure containers: Multi-tenancy Security by Isolation; Ensure Privacy within your organization
    Encrypt your data when you transmit it beyond your firewalls
    Control & Manage your own resources
  • Greater oversight & control
    Maintaining security of data
    Greater control over computational resources
    Exclusive to an organization
    Managed either by the organization or a third party
    Hosted in the organization’s data center or outside
  • Applications (SaaS)
    Application Middleware/Platform (PaaS)
    Infrastructure (IaaS)
  • IaaS Layer: Gives you an Elastic Playground
    Pooled Resourcing
    Shared Operating System
    Shared Services
    Security by Unix User Separation
  • PaaS Layer: gives your applications individual Playgrounds
    Everyone gets their own Operating system
    No Shared Services
    Security by Isolation
    Secure Multi-tenancy
  • Applications need more than just infrastructure!
    Applications Need Secure Environments
    Applications need middleware components: languages, modules, databases, web servers
    Apps don’t deploy themselves
    A PaaS automatically configures and deploys the middleware, so your SaaS apps practically deploy themselves
  • Maintain accountability and ensure security
    Keep your & your clients’ data private & secure
    Ensure that you are notified of requests for information based on the US Patriot Act
    Still get all the benefits of cloud (elasticity, pooling resources within your organization, with faster time-to-market) on a private cloud
    Make migration and deployment with private cloud easier with a private PaaS
  • Hybrid Clouds; Public Clouds; Private Clouds; Your App
  • www.activestate.com/cloud
    Twitter: @activestate (#stackato)
    Blog: www.activestate.com/blog
    Email: webinars@activestate.com
    #stackato IRC channel on Freenode