Sumaya Shakir                                                              Sumaya.shakir@gmail.com                        ...
the late formation phase and early interest group formation. The issues are skirtingaround the cloud circles and in the va...
HP, Microsoft and other internet companies who are offering services on the Cloudhave been lobbying for safer cloud comput...
   Intellectual Property (IP) and the Cloud Concerns regarding valuable intellectual    property, trade secrets or copyri...
HP along with the CSA has developed a number of useful and valuable resources likethe secure best practices for cloud comp...
Upcoming SlideShare
Loading in …5
×

The non market issue of cloud computing hp - cloud security alliance

1,178 views

Published on

Published in: Business
1 Comment
0 Likes
Statistics
Notes
  • Great write up. I am curious to know about the other big players in the cloud space and their approach to cloud security.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Views
Total views
1,178
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
12
Comments
1
Likes
0
Embeds 0
No embeds

No notes for slide

The non market issue of cloud computing hp - cloud security alliance

  1. 1. Sumaya Shakir Sumaya.shakir@gmail.com September 2012Cloud Computing Security RisksBackground and key information:It finally seems like the Feds are catching up with the Cloud era boom. The USgovernment has released its stand on the data security on cloud technologies at theSecurity in Government 2012 conference. Important concerns regarding thejurisdictional issues of data storage were raised. The Federal Financial InstitutionsExamination Council(FFIEC) issued a press release with cloud computing risks andissued guidelines in its FFIEC IT Examination Handbook. The department will becoming up with new cloud guidelines. Separately in Europe, the European Networkand Information Security Agency (ENISA) and the Cloud Security Alliance (CSA)have come up with their own assessment of how to addresses cloud riskguidelines. The European commission and European data protection council has issuedstatements indicating firms offering cloud solutions should offer legal clarity and clearprivacy policies. The UK Government Digital Service is formulating its policies tomaximize on the potential benefits to the UK economy. The CSA is also working onstandards for cloud interface.HP has partnered with VMware in providing cloud platform solutions. The partnershipaims at providing infrastructure with strong security and converged cloud solutions tothe PCI industry. The companies are selling their solutions that goes beyond addressingthe security guidelines put forth by various councils; it will be interesting to see how HP-VMware partnership will fair against various commission guidelines. In another initiativeHP has partnered with Microsoft for cloud integration. HP has signed new contracts withvarious government organizations to provide both hardware and software solutions. HPhas made new investments in cloud computing in China. Following its China five-yeargrowth plan, HP opened a brand new center called HP Cloud Executive Briefing Centerin Tianjin and expanded its R & D in China. In addition, HP has started other biginvestments in China. With so many countries and their respective Governments on thebandwagon trying to form their own policies and drawing the blueprint of how the cloudinfrastructure should look like, the result will be a set of conflicting laws and regulationsbetween borders and countries. To add to the complexity, some governments are leeryof working with China. And China’s stand on how these services will impact its ownindustry and Government is a question that is yet to be raised.While HP is ahead of the game, it may be missing some key mandates from the CloudSecurity Alliance and the various Government policies that could prove as a costlymistake. Moreover setting up a cloud hub in China could be security threat tobusinesses and organization in the US including the US government especially in thewake of latest allegations in regards to spying from two big Chinese firms ZTE Corp.and Huawei Technologies. Given the sensitive nature of government and payment data,this can soon become an unmanageable nightmare and lead to unimaginablevulnerabilities for the United States or for the western European nations. The issue is in 1
  2. 2. the late formation phase and early interest group formation. The issues are skirtingaround the cloud circles and in the various CSA congress presentations and has yet tobe identified as a full blown threat. The story has been picked up by a few freelancetechnology journalists. For example, the author forhttp://www.businesscloud9.com/content/policy-blueprint-cloud-computing-market/11476has provided enough validation to show the issues surrounding a global cloud dilemma.The main interest groups for this issue will be the consumers and enterprises across theglobe that will use the cloud services technology irrespective of geographicalboundaries. There is no doubt that the Governments across the globe have to take anactive role in formulating the compliance and security protocols and HP being a keyleader of cloud services will be impacted by this and needs to be more involved with theformation of any cloud law legislation that will give it a competitive advantage in the nonmarket arena.Cloud Computing Security RisksIssue Summary: Issue  Security vulnerabilities in Cloud Computing Interest  Cloud Security Alliance Groups  Consumer and Enterprise Business using Cloud Services  Banks, Payments Card Industry(PCI)  Government Organizations like US Military Institutions  UK Government Digital Service,  Federal Financial Institutions Examination Council ( FFIEC),  European Network and Information Security Agency (ENISA) Information  Jurisdictional issues of data storage  Cloud Computing conflicting laws and regulations between borders and countries needs to be resolved  Safety of hosting cloud services from China Issue Life  Late issue identification, early interest group Cycle formation Media  Currently the story is published by a few Attention technology magazines. Main stream media is yet to pick up the story but eventually in the next few months, this issue will be a hot topic.HP’s Business Strategic Political Actions for Security RisksLobbying 2
  3. 3. HP, Microsoft and other internet companies who are offering services on the Cloudhave been lobbying for safer cloud computing laws since 2010. Microsoft generalcounsel Brad Smith insisted on electronic privacy laws being updated during a SenateJudiciary Committee in Washington in 2010. Since then, there have been continuedlobbying efforts for cloud security.HP as part of the Cloud Security Alliance group has been lobbying against theCybersecurity Act of 2012 and has been successful in protecting the cloud initiatives.The above graph shows HP’s spending on lobbying for various causes including tradelegislations, cloud security, data security and privacy regulations, patent approvals, freetrade, broadband subsidies and defense funding. HP is one of the biggest spenders onlobbying efforts. It hires lobbying firms like Palmetto Group, Mehlman Vogel CastagnettiInc, Sternhell Group, Innovative Federal Strategies and Akin, Gump et al . HP hasspent $3,750,000 so far in 2012 on various lobbying.There are a number of individual cloud computing legislations that HP along withMicrosoft, Google, Facebook and other companies have been lobbying like the policyissues in cloud computing, Electronic Communications Privacy Act (ECPA) and thenumber of other policies regarding, Cloud Physical Location and Access Issues Jurisdictional issues affecting the Cloud. Example: “safe harbor law - a European law enacted in reaction to the U.S. Patriot Act. Another example is the Trade Agreements Act of 1979 (TAA) prohibits government contractors from using cloud serveices that are set up in countries that don’t have trade agreements with United States. Privacy, Security and the Cloud Concerns around data stored in the Cloud is less protected than other in other contexts. fundamental concern about the security of essential business and government information and processes maintained in the Cloud. Law Enforcement and the Cloud Concerns with privacy issues in law enforcement context and legal protections against unreasonable search and seizure of data stored in a Cloud context. Example: Congress is currently reviewing a proposed update to the Electronic Communications Privacy Act 3
  4. 4.  Intellectual Property (IP) and the Cloud Concerns regarding valuable intellectual property, trade secrets or copyrighted material in a Cloud environment. Example: The Digital Millennium Copyright Act provides a safe harbor to cloud service providers from infringement liability for copyright violations if they adhere to guidelines and immediately block access or remove copyrighted materials from their website upon notification. Global Competition and the Cloud: U.S. companies can compete for a share of global cloud market but U.S. put them at a competitive disadvantage. Example: U.S. Patriot ActSen. Amy Klobuchar has introduced a new bill called the “Cloud Computing Act of2012” (S.3569), that is supposed to “ improve the enforcement of criminal and civil lawwith respect to cloud computing.”The proposed bill’s main purpose is to give “cloud computing services” protectionsunder the CFAA. HP as part of the CSA alliance is lobbying for this bill.Eric Goldman, Internet Law professor from Santa Clara University has written an articleon forbes.com regarding the Cloud Computing Act . The article can be found athttp://www.forbes.com/sites/ericgoldman/2012/10/02/the-proposed-cloud-computing-act-of-2012-and-how-internet-regulation-can-go-awry/Forming CoalitionsHP is part of the Cloud Security Alliance group to promote the use of best practicesfor providing security assurance within Cloud Computing. All the top companies likeGoogle, MicroSoft and even US Department of Defense are members of this alliancegroup. The Alliance aims to provide education on the uses of Cloud Computing. TheCloud Security Alliance is led by a broad coalition of industry practitioners, corporations,associations and other key stakeholders. 4
  5. 5. HP along with the CSA has developed a number of useful and valuable resources likethe secure best practices for cloud computing, tools for managing governance, risk andcompliance, cloud user certification and cloud security knowledge certification, registryof cloud services amongst other cloud security standards.Public Advocacy & Awareness RaisingFor the last 8 years, every year HP has used events like HP Protect to raise awarenessand increase visibility on security infrastructure, potential security risks and breaches,security landscape, cloud security information, security and compliance standards byhosting a two day event where it invites experts, architects, and gurus under one roof. Itthen makes public all the lectures, information shared during the summit to the generalpopulation.HP along with CSA has provided a number of toolkits, handbooks, standards, guides toeducate various businesses and public interested in cloud security. HP provides thisinformation on its website and also on CSA website.HP also attends other security conferences like the RSA and shares itsknowledge/research with the community. It has also set up community forums,knowledge base, FAQs, social media and blogs to reach out the general public on itsefforts on Cloud Computing Security.Summary HP’s Political Strategy for addressing Cloud Security IssuesLobbying  Cloud Physical Location and Access Issues  Privacy, Security and the Cloud  Law Enforcement and the Cloud Electronic Communications Privacy Act  Intellectual Property (IP) and the Cloud The Digital Millennium Copyright Act  Global Competition and the Cloud: U.S. Patriot Act  Cloud Computing Act of 2012Coalition  Cloud Security AlliancePublic Advocacy  Protect 2012& Raising  RSAAwareness  HP website – community groups, forums, blogs, social mediaConclusionHP is taking cloud computing seriously and is using every avenue to be as close aspossible to meeting the mandates of the Cloud Security Alliance and the variousGovernment policies in order to avoid any costly mistakes. It is staying close bylobbying to the various legislations related to cloud computing. 5

×