+ Follow

OSCON 2012 US Patriot Act Implications for Cloud Computing - Diane Mueller, ActiveState

by OSCON Byrum on Jul 23, 2012

1,125 views

Presented by Diane Mueller, ActiveState @pythondj ...

Presented by Diane Mueller, ActiveState @pythondj

Are you unsure what the security and privacy implications are for sensitive corporate data? US Patriot Act is causing many of us to hesitate on leveraging the cloud.

Organizations are thinking long and hard about the legal and regulatory implications of cloud computing. When it comes to actual corporate data, no matter what the efficiency gains are, legal departments are often directing IT departments to steer clear of any service that eliminates their ability to keep potential sensitive information out of the hands of Federal prosecutors.

Despite all the hype about every application moving into the cloud, some practical patterns are starting to emerge in the types of data corporations are willing to move to the cloud.

Covered in this session:
(a) Introduction to the US Patriot Act and Data Privacy issues Implications for on Cloud Computing Jurisdictional Issues
(b) Best Practices & Practical Patterns Classes of applications that best leverage the cloud
(c)What types of applications should stay on-premise Private Cloud Model(s) Building a Compliant Cloud Strategy

For more information:

email me at dianem {at} activestate {period} com

or ping me on twitter at @pythondj

visit http://activestate.com/stackato

Accessibility

View text version

Upload Details

Uploaded via SlideShare as Microsoft PowerPoint

Usage Rights

File a copyright complaint

1 Embed 1

http://pinterest.com

Statistics

Likes: 2
Downloads: 17
Comments: 1
Embed Views: 1
Views on SlideShare: 1,124
Total Views: 1,125

OSCON 2012 US Patriot Act Implications for Cloud Computing - Diane Mueller, ActiveState Presentation Transcript

Implications for Cloud Computing & Data PrivacyDiane MuellerCloud Evangelist, ActiveStatedianem@activestate.comhttp://www.activestate.com/stackato

Founded 19972 million developers, 97% of Fortune 1000Development, management, distribution & clouddeployment for dynamic languagesCloud Solution: Stackato – Private PaaSSome of Our Customers

Drivers for Cloud ComputingUS Patriot Act & Data PrivacyImplications for Cloud Computing

Savings of physical IT costsFaster Deployment TimesHigher Levels of Application AvailabilityReliability & Fault ToleranceAccess AnywhereCapacity scales as needs changeImproved Time to Market

Maintain privacy & confidentialityPreserve intellectual property rightsPotential for intervention by foreign governmentsManage operational & commercial risksComply with industry & jurisdictional regulatoryrequirements

Information is no longer in your direct custody or control. handed over to a third party to manage resident in a different jurisdiction or multiple jurisdictionsMass-market cloud services are subject to “take itor leave it” service agreementsInformation and data may not be “portable” – youcan’t take it with you

Signed into law in October 2001Extended in May 2011 grants privileges to access private data in case of suspected terrorist threats significantly increased the surveillance and investigative powers of law enforcement agencies in the United States

http://www.google.com/transparencyreport/governmentrequests/userdata/

https://www.dropbox.com/privacy

New powers of surveillance and search/seizureextend to records of anyone (including ForeignNationals) in the US.Extends to records in the custody of US companies in Foreign Countries Foreign-based subsidiaries of US companies Foreign-based companies with presence in US

Cloud Computing is premised on the concept of infrastructure pooling regardless of geographic location.Users may not have visibility in relation to the ultimate location of data.Data may not in fact be pooled in one place could be spread across a cloud service providers network.

Data that is housed or passes through the United States is vulnerable to interception by authorities applies to: Everyone living and visiting the country, including any foreign national who spends time on U.S. soil as part of a visa arrangement. Companies based in the U.S., whether they are headquartered there or not

BBC Worldwide HQ in Londonalso has studios and offices in the U.Smaking these U.S.-based offices vulnerable to the Act.

National Security Letters can involve a gag order prevents the organization from ever disclosing receipt of a letter requiring the handover of records.Vendors cannot provide a guarantee that theircustomers would be informedThis contravenes the EU Data Protection Directivewhich requires organisations to inform users whenpersonal information is disclosed.

Regulators Examples: may restrict the Australia international transfer of Canada certain kinds of data, EU even require certain HIPA kinds of data to be kept separate and not be intermixed with other data.

MSFT could not guarantee the sovereignty of Europeancustomers’ data in its data centersIf the US Patriot Act was invoked, MSFT would be compelled to hand data over to US authorities and would keep the data transfer secretThis contravenes the new EU Data Protection Directivewhich requires organizations to inform users whenpersonal information is disclosedExtremely difficult for US HQ companies to refuse tocomply with the Patriot’s Act in deference to the EUDirective

CEO, Reinhard Clemens"The Americans say that no matter what happens Ill release the data to the government if Im forced to do so, from anywherein the world, certain German companies dont want others to access their systems. Thats why were well-positioned if we can say were a European provider in a European legal sphere and no American can get to them."

Remains responsible for protecting andsafeguarding informationNeeds to make informed choicesTake be a risk-based approach What is the sensitivity of the information? What is the risk to the data? What role does the jurisdiction play in that risk?If the risk is high and the safeguards cannot beassured, then don’t use the service provider

Own the infrastructureRun your own cloud inyour data centerHost your own servicesMinimize the number oflayers between you andthe NSL Minimizes US Patriot Act effect

Keep all your data within your own firewalls Avoids the Gag Issue If the US Gov’t wants information – they have to ask you, not some cloud providerKeep all your data within secure containers Multi-tenancy Security by Isolation Ensure Privacy within your organizationEncrypt your data when you transmit it beyond yourfirewallsControl & Manage your own resources

Greater oversight & controlMaintaining security of dataGreater control over computational resourcesExclusive to an organizationManaged either by the organization or a third partyHosted in the organization’s data center or outside

Applications (SaaS)Application Middleware/Platform (PaaS) Infrastructure (IaaS)

IaaS Layer: Gives you an Elastic Playground Pooled Resourcing Shared Operating System Shared Services Security by Unix User Separation

PaaS Layer: gives your applications individual Playgrounds Everyone gets their own Operating system No Shared Services Security by Isolation Secure Multi-tenancy

Applications need more than just infrastructure! Applications Need Secure Environments Applications need middleware components: languages, modules, databases, web servers Apps don’t deploy themselves A PaaS automatically configures and deploys the middleware, so your SaaS apps practically deploy themselves

Maintain accountability and ensure securityKeep your & your clients’ data private & secureEnsure that you are notified requests forinformation based US Patriot ActStill get all the benefits of cloud (elasticity, poolingresources within your organization, with fastertime-to-market) on a private cloudMake migration and deployment with private cloudeasier with a private PaaS

Hybrid Clouds Public CloudsPrivate Clouds Your App

www.activestate.com/cloud Twitter: @activestate (#stackato) Blog: www.activestate.com/blog Email: webinars@activestate.com #stackato IRC channel on Freenode