Submit Search
Upload
Security And Legal In The Cloud Ats V2
•
2 likes
•
349 views
D
dbarton944
Follow
An exploration of the key security and legal issues of Cloud Computing.
Read less
Read more
Technology
Business
Report
Share
Report
Share
1 of 24
Recommended
Cloud Computing Legal for Pennsylvania Bar Association
Cloud Computing Legal for Pennsylvania Bar Association
Amy Larrimore
2014 ota databreach3
2014 ota databreach3
Meg Weber
Contracting in the Cloud by Tammy Bortz
Contracting in the Cloud by Tammy Bortz
itnewsafrica
Dynamic Log Analysis™ Case Story Hutton Communications
Dynamic Log Analysis™ Case Story Hutton Communications
Clear Technologies
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
James Wier
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk
Protecting Intellectual Property and Data Loss Prevention (DLP)
Protecting Intellectual Property and Data Loss Prevention (DLP)
Arpin Consulting
Information ownership in the cloud
Information ownership in the cloud
Cloud Legal Project
Recommended
Cloud Computing Legal for Pennsylvania Bar Association
Cloud Computing Legal for Pennsylvania Bar Association
Amy Larrimore
2014 ota databreach3
2014 ota databreach3
Meg Weber
Contracting in the Cloud by Tammy Bortz
Contracting in the Cloud by Tammy Bortz
itnewsafrica
Dynamic Log Analysis™ Case Story Hutton Communications
Dynamic Log Analysis™ Case Story Hutton Communications
Clear Technologies
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
James Wier
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk
Protecting Intellectual Property and Data Loss Prevention (DLP)
Protecting Intellectual Property and Data Loss Prevention (DLP)
Arpin Consulting
Information ownership in the cloud
Information ownership in the cloud
Cloud Legal Project
Under Lock And Key
Under Lock And Key
Yarko Petriw
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Seccuris Inc.
10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud
Peak 10
Tape vaulting audit and encryption usage analysis
Tape vaulting audit and encryption usage analysis
Thomas Bronack
Online terms & conditions
Online terms & conditions
Prof. Jacques Folon (Ph.D)
David Snead - Nailing Down Security Regulations
David Snead - Nailing Down Security Regulations
Source Conference
NetIQ Directory & Resource Administrator Helps Kindred Healthcare Achieve Com...
NetIQ Directory & Resource Administrator Helps Kindred Healthcare Achieve Com...
NetIQ
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days
Everyone is talking Cloud - How secure is your data?
Everyone is talking Cloud - How secure is your data?
Bianca Mueller, LL.M.
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?
Raffa Learning Community
Cybersecurity 101: Government Contracts
Cybersecurity 101: Government Contracts
Patton Boggs LLP
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
Richard (Dick) Kaufman
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
centralohioissa
IAM
IAM
Prof. Jacques Folon (Ph.D)
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Hamisi Kibonde
Information Security For Small Business
Information Security For Small Business
Julius Clark, CISSP, CISA
Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. Mookhey
Network Intelligence India
Ecommerce Chap 10
Ecommerce Chap 10
Pimsat University
Compliance Awareness
Compliance Awareness
Dinesh O Bareja
Cloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from reality
Russell_Kennedy
10 questions to ask your cloud provider
10 questions to ask your cloud provider
HighQ
More Related Content
What's hot
Under Lock And Key
Under Lock And Key
Yarko Petriw
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Seccuris Inc.
10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud
Peak 10
Tape vaulting audit and encryption usage analysis
Tape vaulting audit and encryption usage analysis
Thomas Bronack
Online terms & conditions
Online terms & conditions
Prof. Jacques Folon (Ph.D)
David Snead - Nailing Down Security Regulations
David Snead - Nailing Down Security Regulations
Source Conference
NetIQ Directory & Resource Administrator Helps Kindred Healthcare Achieve Com...
NetIQ Directory & Resource Administrator Helps Kindred Healthcare Achieve Com...
NetIQ
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days
Everyone is talking Cloud - How secure is your data?
Everyone is talking Cloud - How secure is your data?
Bianca Mueller, LL.M.
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?
Raffa Learning Community
Cybersecurity 101: Government Contracts
Cybersecurity 101: Government Contracts
Patton Boggs LLP
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
Richard (Dick) Kaufman
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
centralohioissa
IAM
IAM
Prof. Jacques Folon (Ph.D)
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Hamisi Kibonde
Information Security For Small Business
Information Security For Small Business
Julius Clark, CISSP, CISA
Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. Mookhey
Network Intelligence India
Ecommerce Chap 10
Ecommerce Chap 10
Pimsat University
Compliance Awareness
Compliance Awareness
Dinesh O Bareja
What's hot
(20)
Under Lock And Key
Under Lock And Key
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Data Loss Prevention: Challenges, Impacts & Effective Strategies
10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud
Tape vaulting audit and encryption usage analysis
Tape vaulting audit and encryption usage analysis
Online terms & conditions
Online terms & conditions
David Snead - Nailing Down Security Regulations
David Snead - Nailing Down Security Regulations
NetIQ Directory & Resource Administrator Helps Kindred Healthcare Achieve Com...
NetIQ Directory & Resource Administrator Helps Kindred Healthcare Achieve Com...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
Everyone is talking Cloud - How secure is your data?
Everyone is talking Cloud - How secure is your data?
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?
Cybersecurity 101: Government Contracts
Cybersecurity 101: Government Contracts
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
IAM
IAM
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Information Security For Small Business
Information Security For Small Business
Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. Mookhey
Ecommerce Chap 10
Ecommerce Chap 10
Compliance Awareness
Compliance Awareness
Similar to Security And Legal In The Cloud Ats V2
Cloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from reality
Russell_Kennedy
10 questions to ask your cloud provider
10 questions to ask your cloud provider
HighQ
William A. Tanenbaum Association of Benefit Administrators April 2015
William A. Tanenbaum Association of Benefit Administrators April 2015
William Tanenbaum
Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014
Lisa Abe-Oldenburg, B.Comm., JD.
Archiving and e-Discovery for Novell GroupWise
Archiving and e-Discovery for Novell GroupWise
Novell
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam Compliance
Dan Michaluk
HEALTHCARE, THE CLOUD, AND ITS SECURITY
HEALTHCARE, THE CLOUD, AND ITS SECURITY
SilverlineCRM
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated
wdsnead
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
Kurt Hagerman
MISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloud
MISA Ontario Cloud SIG
Data Privacy: The Hidden Beast within Mergers & Acquisitions
Data Privacy: The Hidden Beast within Mergers & Acquisitions
TrustArc
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
saurnou
Information Security Assessment Offering
Information Security Assessment Offering
eeaches
Trends in Law Practice Management – Calculating the Risks
Trends in Law Practice Management – Calculating the Risks
Nicole Garton
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
acemindia
Cloud Computing: What You Don't Know Can Hurt You
Cloud Computing: What You Don't Know Can Hurt You
Patrick Fowler
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
Robert Parker
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
Leif Davidsen
Transforming cloud security into an advantage
Transforming cloud security into an advantage
Moshe Ferber
Security and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptx
TRSrinidi
Similar to Security And Legal In The Cloud Ats V2
(20)
Cloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from reality
10 questions to ask your cloud provider
10 questions to ask your cloud provider
William A. Tanenbaum Association of Benefit Administrators April 2015
William A. Tanenbaum Association of Benefit Administrators April 2015
Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014
Archiving and e-Discovery for Novell GroupWise
Archiving and e-Discovery for Novell GroupWise
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam Compliance
HEALTHCARE, THE CLOUD, AND ITS SECURITY
HEALTHCARE, THE CLOUD, AND ITS SECURITY
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloud
Data Privacy: The Hidden Beast within Mergers & Acquisitions
Data Privacy: The Hidden Beast within Mergers & Acquisitions
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Information Security Assessment Offering
Information Security Assessment Offering
Trends in Law Practice Management – Calculating the Risks
Trends in Law Practice Management – Calculating the Risks
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
Cloud Computing: What You Don't Know Can Hurt You
Cloud Computing: What You Don't Know Can Hurt You
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
Transforming cloud security into an advantage
Transforming cloud security into an advantage
Security and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptx
Recently uploaded
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
Dilum Bandara
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
Curtis Poe
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
Lonnie McRorey
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
null - The Open Security Community
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
Kalema Edgar
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
Addepto
How to write a Business Continuity Plan
How to write a Business Continuity Plan
Databarracks
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
Manik S Magar
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
2toLead Limited
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
Slibray Presentation
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
Fwdays
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
comworks
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
UiPathCommunity
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
Lars Bell
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
charlottematthew16
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
Stephanie Beckett
Recently uploaded
(20)
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
How to write a Business Continuity Plan
How to write a Business Continuity Plan
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
Security And Legal In The Cloud Ats V2
1.
Security and Legal Issues in an Era of Cloud Computing
1 (c) 2011 UHY LLP
2.
Why is Cloud Computing Attractive?
• Elasticity – rapid provisioning and scalability • Efficiency – pay as you go • On demand self service • Resource pooling – shared expertise • Ubiquitous availability – internet connectivity © 2011 UHY LLP 2 Nelson Mullins Riley & Scarborough LLP
3.
Cloud vs. Private
• Risks are the same: Data Security – Confidentiality – Integrity – Availability • Risk can be: – Accepted (no action taken) – Transferred (bonding, insurance) – Mitigated (create controls) • Cannot outsource responsibility © 2011 UHY LLP 3 Nelson Mullins Riley & Scarborough LLP
4.
What to consider
……… Same How would we be harmed if…… – our data became publicly available? – unauthorized access to our data? – Process or function gave improper results? – unauthorized changes to the data? – data or process was unavailable for hours, days? © 2011 UHY LLP 4 Nelson Mullins Riley & Scarborough LLP
5.
Security in the Cloud
• “In the Cloud, step one is trusting, and that's not security — that's hope.” ‐ Andrew Walls, Gartner Group © 2011 UHY LLP 5 Nelson Mullins Riley & Scarborough LLP
6.
Security Benefits of Cloud Computing
• Economies of Scale – security resources are cheaper when implemented on a larger scale • Focused Expertise – more experts available • Standardized vulnerability management – pre‐hardened – regularly updated patches and security settings • Market differentiator – your business can market security capabilities of your cloud provider © 2011 UHY LLP 6 Nelson Mullins Riley & Scarborough LLP
7.
Security in the Cloud
Key Difference = CONTROL • Loss of Direct access ‐ In the Cloud you are at least one step removed • Multi‐tenancy – not an issue in private computing, no shared devices or services • Commingling – will your data be mixed in with other clients? How will it be segregated? • Resource Pooling – how will resource conflicts be resolved? Who gets first response? © 2011 UHY LLP 7 Nelson Mullins Riley & Scarborough LLP
8.
Security in the Cloud
• CP failure or acquisition – if your CP goes out of business or gets acquired by a competitor, where do you stand? • Hypervisor compromise – If control of hypervisor is compromised, ALL virtual machines are at risk • Ineffective data deletion – if you change providers does your data get destroyed? Unintentional destruction? • Legal snafus – if Company A has their data subpoenaed and your data is also on the same device, what happens to your data? © 2011 UHY LLP 8 Nelson Mullins Riley & Scarborough LLP
9.
Recent Cloud “Events”
• Gmail outage Feb 2011 – 140,000 accounts lost • Epsilon mail services breach – April 2011 – Over 50 companies affected – Millions of email addresses (passwords?) compromised • Amazon web services outage – April 2011 – Reddit, Hootsuite, Foursquare down – Human error on applying a patch © 2011 UHY LLP 9 Nelson Mullins Riley & Scarborough LLP
10.
Legal and Contract Issues
• Who? • What? • When? • Where? • How? © 2011 UHY LLP 10 Nelson Mullins Riley & Scarborough LLP
11.
Legal and Contract Issues
• Who? Responsible, Perform, Initiate • What? Service (private, public, community), Options • When? Alerts, reporting, audits • Where? Data, facilities, call center, legal jurisdiction • How? Measures, KPIs, escalation, penalties, alerts © 2011 UHY LLP 11 Nelson Mullins Riley & Scarborough LLP
12.
Due Diligence
1. Is vendor viable? 2. Identity of data center operator and location ‐ outside your home state? Outside of the US.? 3. Are subcontractors used? 4. How is client data segregated? 5. What technological/electronic measures are used to protect client data? 6. Is PCI or HIPAA compliance guaranteed? How? 7. Can operations deal with suspension of services? 8. How hard would it be to transition to a new vendor? 9. Confirm compliance with applicable bar (legal ethics) © 2011 UHY LLP 12 Nelson Mullins Riley & Scarborough LLP
13.
Encryption vs. Destruction
Payment Card Industry Data Security Standard (PCI‐DSS) Immediate, secure destruction of sensitive data PCI mandates the use of strong encryption of "cardholder data" during transmission over open or public networks. State and FACTA Secure Destruction Laws Secure destruction when no longer needed HIPAA Security Encryption on a par with destruction Breach Notification Intrusion detection © 2011 UHY LLP 13 Nelson Mullins Riley & Scarborough LLP
14.
Data Security
Vital to select a vendor with adequate security: 1. Agreement should include minimum security and infrastructure practices; 2. Require that security practices be regularly updated; 3. Customer must have the right to perform regular audits to confirm compliance; 4. Third party verification and/or certification (e.g., ISO, SOC, PCI). © 2011 UHY LLP 14 Nelson Mullins Riley & Scarborough LLP
15.
Privacy Considerations
Information Privacy. If vendor has access to sensitive data (SSN, account #, patient information, etc.), agreement should cover: • Requirement to maintain all legal, technical and procedural compliance with consumer privacy laws; • Social Security number laws; secure destruction and security procedures laws; • Security breach notification laws (along with verification of incident response policy and reimbursement of costs arising from security breach); and • Address user privacy and whether vendor has the right to retain and/or use data. © 2011 UHY LLP 15 Nelson Mullins Riley & Scarborough LLP
16.
SLAs and Performance
Identify concrete service level requirements: • SLA definitions • Availability/Uptime (e.g. 99.9%) • Performance Standards per Transaction (load and response times) • Scalability/Redundancy (address peak traffic capacity issues) • Error correction time – Definition of “error” • Problem Resolution and Notification (detail resolution of hosting issues, root cause analysis) • Quality of service • Root Cause Analysis • Specify Penalties for Non‐performance (liquidated damages/credits and termination rights) • SLAs/KPIs unique to your business needs © 2011 UHY LLP 16 Nelson Mullins Riley & Scarborough LLP
17.
Managing Liability
• Indemnification provisions – address breach of security / confidentiality obligations, negligence criteria (confidential data and IP infringement); • Require vendor to have adequate cyber‐risk insurance • Exclude indemnification obligations and damages arising from breach of confidentiality / security provisions from cap on liability and exclusions of consequential damages. © 2011 UHY LLP 17 Nelson Mullins Riley & Scarborough LLP
18.
Transition from Current Provider
• Include a transition assistance provision requiring the vendor to assist customer with transition to a new vendor. • Require the return or secure destruction of all data held by vendor. • Have right to verify compliance. • Transition period may last from 30 days to 6 months. © 2011 UHY LLP 18 Nelson Mullins Riley & Scarborough LLP
19.
Suggested Actions
• Understand the risks – Educate yourself – Bring in experts – Look at the big picture • Mitigate the risks – Contract and SLAs – Third party audit (ISO, SSAE 16, SOC 2, SOC 3) © 2011 UHY LLP 19 Nelson Mullins Riley & Scarborough LLP
20.
Mitigating the Risks
• Contract – Find an attorney well versed in Cloud issues – Be sure your contract addresses all your concerns • Confidentiality, Integrity, Availability clause • Change clause • Audit clause • Data ownership, location, transfer clauses – Enlist your own security experts during negotiation © 2011 UHY LLP 20 Nelson Mullins Riley & Scarborough LLP
21.
Audits ‐ Lack of Standards © 2011 UHY LLP
21 Nelson Mullins Riley & Scarborough LLP
22.
Summary of the Risks
• Cloud Computing lacks a broadly accepted standard for secure access and data handling • Cloud Computing is not intended to be location specific– where is your data? If you don’t know where your data is, you cannot hope to secure it. • Cloud Computing is often pursued without adequate concern for security arrangements • Cloud Computing presents new legal / contract issues • Cloud Computing lacks a standard for third‐party audit © 2011 UHY LLP 22 Nelson Mullins Riley & Scarborough LLP
23.
MISSION STATEMENT
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. © 2011 UHY LLP 23 Nelson Mullins Riley & Scarborough LLP
24.
Additional Resources
Questions? • https://cloudsecurityalliance.org/ • http://www.aicpa.org/SOC/ • http://www.isaca.org David Barton Amanda Witt Principal Of Counsel UHY LLP Nelson Mullins Riley & Scarborough LLP dbarton@uhy‐us.com amanda.witt@nelsonmullins.com 24