Legal Nuances to the Cloud by Ritambhara Agrawal


This presentation highlights the key legal risks and their implications in cloud computing. Cloud is inherently multi-jurisdictional, encompassing remote hosting and processing of data. This gives rise to multiple legal issues, including security and privacy of the data, IP rights, data portability, contractual limitations, risk mitigation and jurisdictional disputes.

As the cloud involves remote hosting and data accessibility by multiple parties, security and privacy remain the biggest concerns for companies. Businesses should look at issues ranging from the physical location of the data centers, protection of the data against adversity and intrusion, and access rights management.

Cloud servers are often located in different countries, which results in trans-border data flow. Each country has its own set of legal rules and regulations on data protection and privacy, and these can bring complications in the form of conflicting laws and jurisdictional disputes. Issues pertaining to IP rights, trade secrets and ownership of the data placed in the cloud require the utmost attention. Termination and exit clauses are critical in cloud contracts. Interoperability of the data in the event of termination of a vendor's services is an important aspect to be considered in the contracts.

Transcript

  • 1. LEGAL NUANCES TO THE CLOUD, ClubHack 2012, Ritambhara Agrawal, 01 December 2012
  • 2. ISSUES, RISKS & MITIGATION
    Legal Issues:
      • Security & Privacy of Data
      • Confidentiality
      • Ownership
      • Liability
      • Choice of Law
      • Contracts
      • Termination & Exit
      • Jurisdiction
      • Portability
      • Sharing of Data with 3rd Party
    Risks:
      • Encryption of Data
      • Loss of Data
      • Attacks
      • Compliances
      • Disclosure of trade secrets
      • Recovery
      • Data Segregation
    Mitigation:
      • Define each Party's liability
      • Pre-contract due-diligence, contract negotiation, post-contract monitoring, termination
      • Right to Audit to check location & compliances
  • 3. LEGAL CHALLENGES IN CLOUD (Legal Issues): Security, Compliances, Jurisdiction, Contractual Limitations, Termination & Exit, Attacks, Ownership
  • 4. SECURITY & PRIVACY
    • Physical location of the data centers
    • Encryption of data
    • Multi-tenant architecture: different users' data are usually stored on a single virtual server; multiple virtual servers run on a single physical server
    • Adversity and intrusion
    • Data mining by the service provider
    • Access rights management
  • 5. SERVICE LEVEL AGREEMENTS
    • Non-negotiable SLAs (often click-wrap agreements)
    • If the SLA is non-negotiable, a higher degree of reporting should be integrated into the agreement
    • Additional options for termination should be available
    • Little opportunity to conduct due diligence
    • Strong limits on liability are included (including direct liability)
    • Terms often subject to change without prior intimation
    • Risk is usually shifted to the user through provider-friendly agreements
  • 6. MULTIPLE PARTIES
    • Involvement of multiple parties makes onus & liability shift from one party to another
    • Liability of sub-contractors is often limited or disclaimed in its entirety
    • Lack of contractual privity makes it difficult to hold the provider accountable for any breach
    • Liability of the provider for the acts of the sub-contractor
    • The right to conduct due diligence and to understand the service delivery model should be given to the customer
  • 7. DATA PROTECTION, RIGHTS & USAGE (Data Protection & IP Rights)
    • Define data clearly; it is not standard that all data belongs to the customer
    • Specify ownership rights
    • Define the rights granted to the provider and the restrictions on its monitoring and access of data
    • Third-party access to the data
    • Non-Disclosure Agreement with the service provider
    • Ensure no rights are transferred to the service provider
    • Ensure whether back-up and transfer of data is permitted
  • 8. JURISDICTION
    Cross-Border Data Flow:
      • Data flows across various borders
      • Cloud servers are located in different countries; the location of data is uncertain
      • Complications of conflicting laws
      • A dispute can be subject to various countries' legal systems
    Jurisdictional Issues & Dispute Resolution Mechanism
  • 9. COMPLIANCES
    • Country- and data-specific compliances
    • The owner is equally liable with the service provider to ensure compliance with the law
    • HIPAA, SOX, SAS 70 Type I & II, GLB, PCI DSS, FERPA and State Laws
    • E.g. HIPAA mandates standard practices to ensure security, confidentiality and data integrity for healthcare-related data
    • Default in the respective compliances can bring legal implications
  • 10. TERMINATION & EXIT
    • Interoperability of data after termination
    • Data portability from one vendor to another and bringing it entirely back in-house
    • In case of exit, can the records be successfully accessed? Can data be extracted from the cloud?
    • Obligations of each party in case of exit
  • 11. ATTACKS
    • Hacking, viruses, malware disruptions, browser attacks, tampering, network security attacks, SQL injection
    • Attacks inducing threats to data & network security, data locality, data integrity, data access, data segregation
    • Authorization & authentication, data confidentiality, web application security, data breaches, availability & back-up
  • 12. CASE STUDIES: SONY
    • Attacks on PlayStation Network, Sony Online Entertainment & Sony Pictures
    • A dozen data breaches, ongoing customer relations fallout & class-action lawsuits
    • Sony laid off many of its security personnel
    • Failure to protect over 100 million user records
    • Customers reusing passwords: risks from attackers accessing their other accounts as well
  • 13. CASE STUDIES
    EPSILON:
      • Spear-phishing attack leading to a breach affecting its clients' and customers' data
      • Approximately 60 million customer email addresses were breached
      • Lesson: the company outsourcing the job is equally responsible for the security of the customer data
    YAHOO:
      • Hackers used SQL injection to access the database that fed the server hosting the site
      • Exposed 450,000 usernames and passwords
      • Yahoo did not store the passwords in cryptographic form; it left them in plain text, making them vulnerable once the database was accessed
    LINKEDIN:
      • Hackers breached the site, stealing more than 6 million customers' passwords, which were very lightly encrypted, and posted them on a Russian hacker forum
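The Yahoo and LinkedIn cases above turn on one technical decision: how the credential table is stored once an attacker has already reached it. The following is an added example written for this page, not code from the presentation or from either company; it uses a constructed three-user credential set and a five-word attacker wordlist, and it assumes that "very lightly encrypted" stands for a single unsalted hash (an assumption; the slide does not name the algorithm). It contrasts plain-text storage, an unsalted SHA-1 digest, and a salted, iterated PBKDF2 record, and runs a dictionary attack against each form so the cost difference is visible rather than asserted.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data for this example only; not data from any real breach.
SAMPLE_USERS = {"alice": "password123", "bob": "letmein", "carol": "Tr0ub4dor&3"}
# Constructed attacker wordlist (a real one has tens of millions of entries).
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def store_plaintext(password: str) -> str:
    """What a plain-text credential table holds: the password itself."""
    return password


def store_unsalted_sha1(password: str) -> str:
    """A single unsalted hash, assumed here to stand for 'lightly encrypted'.
    Identical passwords give identical digests, and one precomputed table
    cracks every leaked user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = 200_000, salt: bytes | None = None) -> str:
    """Salted, iterated hash. The record format is this example's own:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_unsalted(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Attacker side: hash the wordlist once, then recover users by lookup.
    Cost is len(wordlist) hashes no matter how many users leaked."""
    table = {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Attacker side against salted records: no shared table is possible, so
    the slow KDF must be re-run for every (user, candidate) pair. Weak
    passwords still fall; salting and stretching only raise the price per guess."""
    cracked: dict[str, str] = {}
    kdf_runs = 0
    for user, record in dump.items():
        for candidate in wordlist:
            kdf_runs += 1
            if verify_pbkdf2(candidate, record):
                cracked[user] = candidate
                break
    return cracked, kdf_runs


def build_dump(users: dict[str, str], scheme, **kwargs) -> dict[str, str]:
    """Simulate what the attacker obtains: the stored form of every credential."""
    return {user: scheme(pw, **kwargs) for user, pw in users.items()}


if __name__ == "__main__":
    plain = build_dump(SAMPLE_USERS, store_plaintext)
    print("plain-text dump exposes everything:", plain)

    sha1_dump = build_dump(SAMPLE_USERS, store_unsalted_sha1)
    print("unsalted SHA-1, cracked with one lookup table:", crack_unsalted(sha1_dump, WORDLIST))

    salted_dump = build_dump(SAMPLE_USERS, store_pbkdf2, iterations=50_000)
    cracked, runs = crack_salted(salted_dump, WORDLIST)
    print(f"salted PBKDF2: {cracked} after {runs} KDF runs of 50,000 iterations each")
```

The point to take from the run is the shape of the attacker's cost, not the specific numbers: against the unsalted dump, five hash computations recover every user who chose a wordlist password, and any two users sharing a password are visible as duplicate digests before a single guess is made. Against the salted records the same wordlist still recovers the two weak passwords, but only by re-running the stretched KDF per user and per candidate, which is what makes a bulk dump of the kind posted in the LinkedIn case expensive to convert into usable credentials. The stronger third password survives both attacks only because it is not in the wordlist; storage choices do not rescue a guessable password.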
  • 14. MITIGATION OF RISK
    Security:
      • Evaluation of the service provider's security policy
      • Encryption to protect confidentiality & integrity of data
      • A suspected data breach must be addressed
    Contract:
      • Identifying relative risks between the parties, like ownership of data, data protection guidelines, trade secrets, indemnities, jurisdiction
      • Pre-contract due-diligence, negotiable SLA
      • Planned & unplanned termination of the agreement & return of data & assets
      • Liability of each party in the event of breach of contract
      • Ownership of data
    Audit:
      • Right to audit to check the compliances
      • To check the location of the data to ensure compliance with legal & statutory provisions
  • 15. Thank you. INDIA: A-42/6, Sector-62, Noida-201301; Tel: +91-0120-47040722, +91-0120-4740700; Fax: +91 11 2741 8595. USA: Suite 119, 2 Davis Drive, Research Triangle Park, Durham (NC)-27709; Ph: 1 262 432 1718; Fax: 1 877 895 9706. E-mail: info@intelligere.in, www.intelligere.in