Legal/technical strategies addressing data risks as perimeter shifts to Cloud


Published on

SOURCE Barcelona 2011 - David Snead & Nadeem Bukhari

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Legal/technical strategies addressing data risks as perimeter shifts to Cloud

  1. 1. Legal & technicalstrategies addressing data risks as security controls shift to the Cloud David Snead & Nadeem Bukhari
  2. 2. • Issue Based • Sectoral Based• Proactive • Reactive• National • Generally state implementation based • Narrowly tailored -2-
  3. 3. Legislative and Regulatory Targets• Breach – both benign and malicious• Breach notification• Mitigation• Security policies• Contracting parties, third parties and vendors -3-
  4. 4. • Data governance laws are here to stay• Expectation that in some format data breach will be extended to cover not just telecoms• General data breach requirements in some EU Member States already• Accountability and transparency principles• Broad scope of definition of personal data• Cloud and jurisdictional challenges• The role of controllers and processors -4-
  5. 5. Sectoral / Country Specific Sectoral• Sectoral standards • GLB• Encryption • HIPAA / HITECH• Implementation of EU • CFAA directives • ECPA -5-
  6. 6. Country specific regulationData transferDisposition of data on terminationAccess to data -6-
  7. 7. In what country is the provider located?Who in the company should be involved?What should be included in the outsourcing contracts?What kind of backup / disaster recovery should be considered?Where is the provider’s infrastructure?Is special permission needed for outsourcing?What kind of sensitive information should not be outsourced?Will other providers be used?Are appropriate data protection measures in place for all countries?Where will the data be physically located?What happens if there is a breach? -7-
  8. 8. Security• Define “breach”• Determine when a breach happens• Assume there will be data breach laws• Review any laws that my currently exist• Understand who will be responsible for security• Create enforceable contract terms• Remember post termination issues• Understand that you may not be made whole -8-
  9. 9. Vendor has provided Sol Vidro with a copy of its current security policy(Policy) as it applies to the services to be performed by Vendor pursuant tothis Agreement. Vendor represents and warrants that this security policyrepresents best of breed security procedures in its industry. Vendor shallgive Sol Vidro no less than sixty days prior written notices of any changes inthe Policy that impact the services provided to Sol Vidro. Should Sol Vidrodetermine that these changes materially impact the security of theservices, Sol Vidro shall have the right to terminate this Agreement. Insuch a case, Vendor shall provide reasonable assistance to Sol Vidro totransition its services to another provider. -9-
  10. 10. Data Transfer• How is the data transmitted?• Understand concepts like: controller, processor, transfer and aggregation.• Limit uses• Require flow down and flow up contract terms• Evaluate whether “Safe Harbor” is appropriate• Create methods to address data leakage - 10 -
  11. 11. Sol Vidro is providing payroll data to Vendorsolely for the purpose of processing the data asset out in Exhibit A to this Agreement. Vendormay only provide access to this data to thirdparties upon written notice and receipt of SolVidro’s express consent. Sol Vidro’s consent maybe withheld. - 11 -
  12. 12. Disposition of data upon termination• Review data retention laws• Specify terms for deletion / transfer• Set out obligations for security posttermination - 12 -
  13. 13. Upon termination or expiration of this Agreement, Vendor shalldelete all data and provide Sol Vidro with written confirmationof this deletion. Vendor shall also instruct any entities whohave had access to the data to also delete it and provideVendor with written certification of this deletion. The securityobligations set out in this Agreement relating to the data shallsurvive termination or expiration of this Agreement until suchtime as the data is completely deleted by Vendor and/orVendor’s suppliers. Vendor shall require this provision, or onesimilarly protective of Sol Vidro’s rights in all its contracts withsuppliers or other vendors who provide aspects of the Services. - 13 -
  14. 14. Access to data• Understand how transmission is outsourced / subcontracted• Review your obligations to provide access to police• Review your provider’s obligations to provide access• Research your laws about third party police access• Set out notification and consent provisions• Determine your legal obligations to provide access to parties in your contracting chain - 14 -
  15. 15. Vendor shall provide Sol Vidro with no less than ten days prior written notice ofany governmental request for access to the data. For the purposes of thisparagraph only, the term “governmental” includes any law enforcement orsimilar entity. Should Vendor be prohibited by law from providing this notice,Vendor shall strictly limit any disclosure of the data to that which is required bythe law and the written document upon which disclosure is based. Under nocircumstances shall Vendor provide access without a written request ofdisclosure which cites the law requiring such disclosure. Vendor shall requirethis provision, or one similarly protective of Sol Vidro’s rights in all its contractswith suppliers or other vendors who provide aspects of the Services. Vendoragrees, upon written request, to provide access, including, but not limited totransmission, of data provided by Sol Vidro to Vendor. - 15 -
  16. 16. Do you know where sensitive information resides and how to protect it?Can you lower costs AND improve your security posture by rationalizing yoursecurityCan you enforce IT policies and remediate deficiencies?Can you control who has access to your information?Do you know how the services will be usedHow does termination affect you?Have you researched breach notification?Have you researched high risk regulatory areas? - 16 -
  17. 17. Do things go wrong?  2010 - Google engineer broke into the Gmail and Google Voice accounts of several children. Parents of the children complained. +100´s more US Public  2011 - 20 million Gmail accounts hacked, allowing for sector org´s user information to be gathered.  ~3 hours of outage affected multiple availability zones in the services "US East" region.  people were shocked by how many web sites and services rely on EC2  $9.75 million to settle investigations by 41 state attorneys general.  the incident was reported by TJX officials around a month after an extensive fraud had occurred. - 17 -
  18. 18. Cloud Security Control In Control of SecuritySoftware as a Services (SaaS) PROVIDERPlatform as a Services (PaaS) API USERInfrastructure as a Service (IaaS) - 18 -
  19. 19. When things go wrong: HR SaaS? "Your use of the Service is at your sole risk. The service is provided on an „as is‟ and „as available‟ basis." "You expressly understand and agree that HR SaaS Companyxyz shall not be liable for any direct, indirect...losses...unauthorized access to or alteration of data” - 19 -
  20. 20. Nothing is 100% Secure CLIENT ABC INSTANCE CLIENT XYZ INSTANCE VM1 VM2 VM2SaaS PaaS IaaS APP/ API APP/API ... APP/API ... OS OS ... OS ... HYPERVISOR Operating System (Linux, Windows.... 60% of Virtual Servers less secure than their physical counterparts (Gartner 2010) Yes, Hypervisors Are Vulnerable. (Gartner 2011) - 20 -
  21. 21. Audit Log Trends “Cyber attacks can get costly if not resolved quickly….companies using SIEM were better able to quickly detect and contain cyber crimes than those companies not using SIEM” (Ponemon 2011) Worldwide revenue for SIEM was $663.3 million in 2008 and is expected to grow to $1.4 billion in 2013” (IDC 2010) Audit trail collection, preservation and reporting regulatory and compliance demands e.g. PCI DSS, FISMA, FDA 21 CRF Part 11, EU DRD, SoX, SEC 14a, ISO27001,.. “Audit trails/ logging issues” top 5 internal/ external audit findings. (Deloitte 2011) - 21 - Credit for image: jscreationzs
  22. 22. Audit Trails Security Changing audit trails knowledge is in the mainstream - NEVER DELETE THE LOGS! NOT near real-time protection false sense of security  “system logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security.” ISO27001 Linux Log Eraser 1.0 - Linux Log Eraser is a set of shell scripts that will cleanly search for specific data in log files and wipe itwtmpclean Record Wiper 0.6.7 - wtmpClean is a tool for Unix which clears a given user from the wtmpdatabase;; bowz4p.c, chusr.c cloak.c, cloak2.c, displant.c,, invisible.c,lastlogin.c, logcloak.c, logrzap2.c, logsunwtmptmp.c, logutmpeditor.c, logwedit.c, logzap2.c,marryv11.c, mme.c, pimpslap.c, remove.c, rclean.c, sysfog.c, utcl.c, vanish.c, vanish2.tgz, wipe-1.00.tgz, wzap.c, zap.c, zap2.c - 22 -
  23. 23. Digital Evidence Audit Trails Digital Evidence  American Express Travel Related Services Co. Inc. vs Vee Vinhee  Lorraine v. Markel American Insurance Company  California v Khaled BS10008 – Evidential Weight and Legal Admissibility of Electronic Information NIST SP 800-92 - Guide to Computer Security Log Management  “In cases where logs may be needed as evidence, organizations may wish to acquire copies of the original log files” - 23 -
  24. 24. The Depth of Secure Logging: Trust in UntrustedEnvironments M.Bellare and B.Yee – Forward integrity for secure audit logs (1997) DATA + Metadata = #MAC Bruce Schneier/ John Kelsey - Secure Audit Logs to Support Computer Forensics (1999) #MAC DATA + Metadata = #MAC J.Holt – Logcrypt: Forward security and public verification for secure audit logs (2006) Rafael Accorsi – Safekeeping Digital Evidence with #MAC DATA + Metadata = #MAC Secure Logging Protocols: State of the Art and Challenges (2009)  Transmission Phase - Origin authentication, message confidentiality, message integrity, message uniqueness, reliable #MAC DATA + Metadata = #MAC delivery  Storage Phase - Entry accountability, entry integrity, entry … confidentiality Jeff Jonas (IBM Chief Scientist) / Markle Foundation - Implementing a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Trust, and Accountability (2006)  “Immutable audit logs (IALs) will be a critical component for the information sharing environment” - 24 -
  25. 25. Implement and insist on secure audit logs? CLIENT ABC INSTANCE CLIENT XYZ INSTANCE VM1 VM2 VM2SaaS PaaS IaaS APP/ API APP/API ... APP/API ... OS OS ... OS ... HYPERVISOR Operating System (Linux, Windows.... - 25 -
  26. 26. Secure Logging SaaS users are at the mercy of the service providers contracts PaaS users should ensure audit event logging and preservation capabilities are build into the applications. IaaS users should deploy audit log collection, analysis and preservations tools.  Collect logs from firewalls, monitoring systems, applications, databases, operating systems  Ensure delivery of logs cannot be spoofed  Ensure audit log time cannot be refuted  Protect the integrity of the data as soon as you can. Use cryptographic data integrity tools  Remember to comply with data retention legislation... I.e. Securely delete the data.  Consider complying to BS10008 Evidential Weight and legal admissibility of information stored - 26 -
  27. 27. For the Pen Testers Include testing of audit logs, monitoring systems and incident response in your proposals Be stealthy, turn off auditing systems, change audit logs, note response times… Include secure logging remediation in your reportsAccess Controls and Encryption are not data integrity controls - 27 -