Legal nuances to the cloud
Legal issues in cloud computing: security and privacy of the data, confidentiality and ownership of the data, jurisdiction for resolution of disputes, service level agreements between the parties, compliances such as HIPAA, SOX and others, threats induced by attacks, risks in cloud computing and the mitigation strategy.

Published in: Technology
Transcript

  • 1. LEGAL NUANCES TO THE CLOUD, ClubHack 2012, Ritambhara Agrawal, 01 December 2012
  • 2. ISSUES, RISKS & MITIGATION
      Legal issues & risks: Security & Privacy of Data; Confidentiality; Ownership; Liability; Loss of Data; Attacks; Choice of Law; Compliances; Disclosure of trade secrets; Contracts; Termination & Exit; Recovery; Data Segregation; Jurisdiction; Portability; Sharing of Data with 3rd Party
      Mitigation: Encryption of Data; Define each party's liability; Pre-contract due diligence, contract negotiation, post-contract monitoring, termination; Right to Audit to check location & compliances
  • 3. LEGAL CHALLENGES IN CLOUD: Security; Compliances; Jurisdiction; Contractual limitations; Termination & Exit; Attacks; Ownership
  • 4. SECURITY & PRIVACY
      • Physical location of the data centers
      • Encryption of data
      • Multi-tenant architecture: different users' data are usually stored on a single virtual server, and multiple virtual servers run on a single physical server
      • Adversity and intrusion
      • Data mining by the service provider
      • Access rights management
  • 5. SERVICE LEVEL AGREEMENTS
      • Non-negotiable SLAs (often click-wrap agreements); if the SLA is non-negotiable, a higher degree of reporting should be integrated in the agreement
      • Additional options for termination should be available
      • Little opportunity to conduct due diligence
      • Strong limits on liability are included (including direct liability)
      • Terms are often subject to change without prior intimation
      • Risk is usually shifted to the user through provider-friendly agreements
  • 6. MULTIPLE PARTIES
      • Involvement of multiple parties makes onus & liability shift from one party to another
      • Liability of sub-contractors is often limited or disclaimed in its entirety
      • Lack of contractual privity makes it difficult to hold the provider accountable for any breach
      • Liability of the provider for the acts of the sub-contractor
      • The customer should be given the right to conduct due diligence and to understand the service delivery model
  • 7. DATA PROTECTION, RIGHTS & USAGE (Data Protection & IP Rights)
      • Define data clearly; it is not standard that all data belongs to the customer
      • Specify ownership rights
      • Define the rights granted to the provider and the restrictions on the provider's monitoring and access to data
      • Third-party access to the data
      • Non-Disclosure Agreement with the service provider
      • Ensure no rights are transferred to the service provider
      • Ensure backup and transfer of data are permitted
  • 8. JURISDICTION (Cross-Border Data Flow)
      • Data flows across various borders
      • Cloud servers are located in different countries, so the location of data is uncertain
      • Complications of conflicting laws
      • A dispute can be subject to the legal systems of various countries
      • Jurisdictional issues & dispute resolution mechanism
  • 9. COMPLIANCES
      • Country- and data-specific compliances
      • The owner is equally liable with the service provider to ensure compliance with the law
      • HIPAA, SOX, SAS 70 I & II, GLB, PCI DSS, FERPA and state laws
      • E.g. HIPAA mandates standard practices to ensure security, confidentiality and data integrity for healthcare-related data
      • Default in the respective compliances can bring legal implications
  • 10. TERMINATION & EXIT
      • Interoperability of data after termination
      • Data portability from one vendor to another and bringing it entirely back in-house
      • In case of exit, can the records be successfully accessed? Can data be extracted from the cloud?
      • Obligations of each party in case of exit
  • 11. ATTACKS
      • Hacking, viruses, malware disruptions, browser attacks, tampering, network security attacks, SQL injection
      • Induced threats: data & network security, data locality, data integrity, data access, data segregation
      • Authorization & authentication, data confidentiality, web application security, data breaches, availability & backup
  • 12. CASE STUDIES: SONY
      • Attacks on PlayStation Network, Sony Online Entertainment & Sony Pictures
      • A dozen data breaches, ongoing customer relations fallout & class-action lawsuits
      • Sony laid off many of its security personnel
      • Failure to protect over 100 million user records
      • Customers reusing passwords: risk of attackers accessing their other accounts as well
  • 13. CASE STUDIES
      EPSILON
      • Spear-phishing attack leading to a breach affecting its clients' and customers' data
      • Approximately 60 million customer email addresses were breached
      • Lesson: the company outsourcing the job is equally responsible for the security of the customer data
      YAHOO
      • Hackers used a SQL injection attack to access the database that fed the server hosting the site
      • Exposed 450,000 usernames and passwords
      • Yahoo didn't store the data in cryptographic form and left it in plain text, making it vulnerable to attack
      LINKEDIN
      • Hackers breached the site, stealing more than 6 million customers' passwords, which were very lightly encrypted, and posted them on a Russian hacker forum
  • 14. MITIGATION OF RISK
      Security
      • Evaluation of the service provider's security policy
      • Encryption to protect confidentiality & integrity of data
      • Suspected data breaches must be addressed
      Contract
      • Identifying relative risks between the parties, like ownership of data, data protection guidelines, trade secrets, indemnities, jurisdiction
      • Pre-contract due diligence, negotiable SLA
      • Planned & unplanned termination of the agreement & return of data & assets
      • Liability of each party in the event of breach of contract
      • Ownership of data
      Audit
      • Right to audit to check compliances
      • To check the location of the data to ensure compliance with legal & statutory provisions
  • 15. Thank you
      INDIA: A-42/6, Sector-62, Noida-201301; Tel: +91-0120-47040722, +91-0120-4740700; Fax: +91 11 2741 8595
      USA: Suite 119, 2 Davis Drive, Research Triangle Park, Durham (NC)-27709; Ph: 1 262 432 1718; Fax: 1 877 895 9706
      E-mail: info@intelligere.in; www.intelligere.in
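The Yahoo and LinkedIn case studies (slide 13) and the "encryption to protect confidentiality" mitigation (slide 14) both turn on how credentials are stored. As an added example that is not part of the deck, the following Python contrasts a plaintext credential table with one holding salted PBKDF2-HMAC-SHA256 records; the user names, passwords and record format are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Iteration count for PBKDF2-HMAC-SHA256; OWASP's Password Storage Cheat Sheet
# currently recommends 600,000. Lower it only for tests.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(16)  # fresh per user, so identical passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False  # refuse unknown or legacy formats rather than guessing
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), hash_hex)


# Constructed sample of the "before" state: a credential table kept in plain text,
# the failure the deck attributes to Yahoo. Two users happen to share a password.
PLAINTEXT_STORE: Dict[str, str] = {"alice": "Summer2012!", "bob": "Summer2012!"}


def leaked_plaintext_passwords(store: Dict[str, str]) -> List[str]:
    """What a dump of a plaintext table hands an attacker: every password, reusable elsewhere."""
    return sorted(set(store.values()))


def build_hashed_store(plaintext: Dict[str, str], iterations: int = ITERATIONS) -> Dict[str, str]:
    """The 'after' state: only salted PBKDF2 records are stored, never the passwords."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in plaintext.items()}


def records_are_distinct(store: Dict[str, str]) -> bool:
    """With per-user salts, users sharing a password still get different records."""
    return len(set(store.values())) == len(store)
```

A dump of the hashed store yields no reusable credential, and the per-user salt means the shared password cannot be spotted by comparing records, which is the gap a "lightly encrypted" unsalted scheme leaves open.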
