Cloud Computing Legal Issues

Analyzing cloud computing legal issues, focusing on international aspects.

  1. Legal issues of Cloud Computing. Ikuo Takahashi
  2. Risk analysis (quoted from ENISA, “Cloud Computing: Benefits, risks and recommendations for information security”)
     [Figure: risk matrix with possibility on the vertical axis; plotted risks: loss of governance, compliance, jurisdiction, subpoena and e-discovery, data protection]
  3. Lessons from risk assessment
     • Important
       – Implementation of a security management system
       – Compliance issues
       – In Japan, legal issues have not been treated as an important issue in their own right.
     • MIC (Ministry of Internal Affairs and Communications) “Smart Cloud Research Committee” report
     • METI “Japan’s Competitiveness and Cloud Computing Research Committee” report
  4. Analysis of compliance issues
     • Within one country's boundary
       – Governance issues
       – Data protection law / information security law
       – International standards
       – General information security issues
       – Controls of information security
     • International elements (transborder issues): four rules
       – Complexities in civil cases
       – Access authority and territorial nature
       – Prohibition of transborder data flow by a sovereign
       – Difficulties of law enforcement
  5. Inbound (1): Loss of governance
     • The customer's information security is strongly influenced by the CSP on many issues
       – Conflict with the CSP's policy on security testing
       – No guarantee regarding outsourcing to sub-contractors
       – Difficulties in audit and assessment
  6. Inbound (2): Compliance risk
     • In the US
       – FISMA, HIPAA, SOX, PCI DSS, SAS 70
     • In Japan
       – Personal Information Protection Law
       – Information security law (case)
       – International standards
       – General information security issues
  7. Inbound (2)-A: Personal Information Protection Law issue
     • Data may be processed by an external party (SPI model)
       – Issue: data is handled by an external party
       – Depending on the model, data is located at the user's site and processed by an external provider.
     • (Japan) Personal Information Protection Law, Article 22
       – “The data processor shall exercise necessary and appropriate supervision over the external contractor.”
       – What counts as “necessary and appropriate supervision”?
     • Guidelines
       – Criteria for choosing the third party
       – Periodic review of the standards
       – The agreement shall mention security measures
       – Services, reports and records shall be regularly monitored and reviewed
       – Data lifecycle management: erase data after termination
  8. Inbound (2)-B: Information security law
     • Litigation for compensation based on privacy: US law v. Japanese law
       – Japan: Yahoo! BB case (Osaka High Court judgment, June 21, 2007), TBC case (Tokyo District Court, Feb. 8, 2007); compensation of about 50 dollars per person
       – US law, Twitter case: data leakage in January and April 2009; the FTC ordered the data processor to implement an information security management system (FTC Act); no monetary compensation
     • Notification laws towards the data subject
       – The Security Breach Information Act (California S.B. 1386)
       – EU directives
       – “Basic Policy on the Protection of Personal Information” (Cabinet decision, April 2, 2004) and guidelines issued by ministries
  9. Inbound (2)-C: International standards
     • “CSA Cloud Controls Matrix V1”
       – Control areas: Compliance, Data Governance, Facility Security, Human Resources Management, Information Security, Legal, Operations Management, Risk Assessment, Resiliency, Security Architecture
       – Controls discussed for each SPI model
     • Standards and laws
       – COBIT (Control Objectives for Information and related Technology)
       – HIPAA (Health Insurance Portability and Accountability Act)
       – ISO/IEC 27002:2005
       – NIST SP 800-53
       – PCI DSS
  10. Inbound (2)-D: General information security issues
     • Network security issues
       – DDoS, targeted attacks, others
     • Business health of cloud service providers
       – Search and seizure against Core IP Networks (see later)
     • Virtualization technology issues
       – Side-channel attacks
       – Huge damage if the virtual machine monitor is compromised
       – Attacks on vulnerabilities of virtual machines
       – Physical errors may enable attacks
       – Attacks such as cache sharing and exploiting the predictability of memory
  11. Additional: Core IP Networks case
     • March and April 2009
       – The FBI conducted search and seizure against a data center located in Texas (Crydon Technology & Core IP Networks)
       – Servers and routers were seized under a no-knock warrant
       – Damage to co-tenant users: “damage caused by the Patriot Act” (as reported in Japan), or “care about the business health of the CSP”?
     • “FBI Defends Disruptive Raids on Texas Data Centers”
       – “a number of conspirators, some of who may have connections to Faulkner, conspired to obtain agreements from AT&T and Verizon to purchase connectivity services with the telecoms.”
     • Lessons from the SJG case (DOJ, “Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations”, 3rd ed., 2009)
  12. Inbound (2)-E: Internal control
     • Cloud control from the aspect of risk management
       – Management of third-party contracts
       – Auditors shall assess whether the business exercises supervision properly when it asks an external party to process information relating to financial reports.
       – How to control the CSP's information security management level?
       – How to monitor the CSP's security management activity?
       – How to choose a CSP? By what criteria?
     • Investor relations and cloud computing
       – Business report
       – Internal control report
       – Securities report
  13. Inbound (3): Cloud forensics, subpoena and e-discovery
     • In common law countries, parties shall put their “cards face up on the table” in litigation.
       – Is it possible to prove that the data stored in the cloud is everything and that nothing is hidden?
     • Forensic issue
       – Transparency is needed (trace past data transitions)
       – The business shall produce the data stored in the cloud while proving that such data is everything and that nothing is hidden.
  14. Transborder issues
     • What laws are applied?
       – Basic example: WikiLeaks case
       – Elements: who, where, what (nature)
       – Four rules
         • Complexities in civil cases
         • Access authority and territorial nature
         • Prohibition of transborder data flow by a sovereign
         • Difficulties of law enforcement
  15. Transborder (1): Example, WikiLeaks case
     • Julian Paul Assange
       – Manager of the WikiLeaks site, which reveals confidential information
       – No definite address (a house in Iceland)
       – Server located in Sweden
       – Data located all over the world
     • Confidential information: more than 75,000 documents revealed on July 25, 2010
       – Including information of the US Army and intelligence agencies
       – Violation of federal law
     • Where?
     • What kind of issue?
  16. Transborder (2): Elements considered
     • Where: the principles of law differ in each country
     • Who: the territorial principle is strictly applied to the enforcement nature of a nation
     • Nature of the legal issue
       – Criminal law (territorial principle, nationality principle, protective principle)
       – Civil law (international private law (JP) v. the revolution of conflict of laws (US))
       – Public law (not only administrative law but also law of a public nature)
  17. Transborder (3): Four rules
     • R1: Even in civil cases, there are many complexities about the application of law.
     • R2: The laws of a country able to access the stored data may be applied even if the parties' contract specifies the applicable law.
     • R3: A sovereign state may prohibit transborder data flow outside its jurisdiction by the use of its sovereignty.
     • R4: If the data administrator is located outside the jurisdiction, it is very difficult to enforce a legal request.
  18. Transborder (3), Rule 1
     • R1: Even in civil cases, there are many complexities about the application of law.
     • Example
       – (1) Personal data of a data subject (living in Japan) is processed by a data controller (a business located in Japan). The data controller uses a cloud service (SaaS) which stores the data in a US data center, managed in the US.
       – (2) The data center is negligent and data is leaked from the data center.
       – (3) The data subject files a lawsuit against the data controller and the data center.
         • In Japan: compensatory damages permissible
         • In the US: compensatory damages not permissible
         • Enforcement of the foreign judgment?
  19. Transborder (3), Rule 2
     • R2: The laws of a country which can access the stored data may be applied even if the parties' contract specifies the applicable law.
       – Legal access by a law enforcement agency
         • In Japan, the LEA must get a warrant even for traffic data
         • In the US, a distinction is made between traffic data and contents; no-knock warrants
       – e-Discovery in civil cases
         • If a disclosure order conflicts with a protective legal duty in the original country, what shall we do?
         • Marc Rich case
           – US: Marc Rich was paying contempt-of-court fines for not turning over certain documents
           – Switzerland: the documents should not be produced
  20. Transborder (3), Rule 3: Prohibition of transborder data flow by a sovereign
     • R3: A sovereign state may prohibit transborder data flow outside its jurisdiction by the use of its sovereignty
       – (1) Data protection law
       – (2) Administrative supervision
       – (3) National security
  21. Transborder (3), Rule 3, 1: Data protection
     • Personal data cannot flow from the 27 EU member states and the three EEA member countries (Norway, Liechtenstein and Iceland) to a third country if that third country does not provide an adequate level of data protection.
     • Adequate level of protection
       – Argentina, Australia, Canada, Switzerland, Faroe Islands, Guernsey, Isle of Man, Jersey, US (Air Passenger Name Records, Safe Harbor)
       – (European Commission adequacy list, as of Nov. 7, 2010)
  22. Transborder (3), Rule 3, 2: Administrative supervision
     • An administrative agency may confine transborder data flow to areas under its reasonable administrative supervision.
       – (JP) “Guideline on the Information Security Management of Medical Information Systems”, ver. 4.1 (Feb. 2010), issued by the Ministry of Health, Labour and Welfare
       – “Security Management Guideline for ASP/SaaS Providers Handling Medical Information”, issued by the Ministry of Internal Affairs and Communications
         • Table 3-8: Requirements for ASP/SaaS providers in emergency response such as disasters
         • “The provider shall locate applications, platforms, servers and storage in a place where national law applies, in order to produce legally requested references to the agency smoothly.”
  23. Transborder (3), Rule 3, 3: National security
     • Foreign Exchange and Foreign Trade Act (Article 25)
       – Permission requirement: one “shall obtain, pursuant to the provisions of Cabinet Order, permission from the Minister of Economy, Trade and Industry” for transactions considered to undermine the maintenance of international peace and security
       – Article 25, section 3: the Minister of Economy, Trade and Industry may require a person to obtain permission for electronic communications to be received in a specified country
     • Cyber espionage (economic espionage over the network)
       – A big issue
       – (JP) The Japanese government had residents' information for the Supplementary Income Payments (Teigaku Kyufukin) processed by Salesforce.
       – We do not know where such residents' data was processed.
  24. Transborder, Rule 4: Difficulties of law enforcement
     • R4: If the data administrator is located outside the jurisdiction, it is very difficult to enforce a legal request.
       – Example: WikiLeaks case
         • Criminal: international cooperation framework
         • Dual criminality is needed for the international cooperation framework
         • Federal code: national secrecy protection is difficult to enforce
         • Even an injunction: the UK could not get an injunction in Australia or New Zealand (Spycatcher case)
  25. Behind the scenes
     [Figure: potential factors behind the surface: network, network security, beyond boundary, sovereign, privacy, human factor, ???]
  26. Cloud computing and IT security framework
     [Figure only]
  27. Cloud computing & PDCA
     [Figure: Plan, Do, Check, Act cycle]
     • Procedure: integrate cloud computing security, business continuity and disaster recovery into the customer's own policy and procedures. (CSA Guidance 1.0, p. 58)
  28. Cloud risk assessment
     [Figure: organization, policies, planning, risk assessment (identify general threats, identify threats to assets), controls implementation, assessment & audit]
  29. Controls
     • Risks are caused by uncertainty (risks and uncertainty)
     • Risk treatment: avoiding, reducing, sharing, accepting
     • Reducing and sharing (technology, fair agreement)
       – Evaluation of the subject and vendor selection
       – Evaluation of the technology and vendor selection
       – Risk sharing by agreement with vendors
     [Figure: risks, uncertainty, trust; subject, technology, fair agreement]
  30. Evaluation of the subject and vendor selection
     • Who (subject), what services (kind), how much (cost), how good (quality)
     • Objective evaluation
     • References
       – “CSA Cloud Controls Matrix V1”
         • Control areas: Compliance, Data Governance, Facility Security, Human Resources Management, Information Security, Legal, Operations Management, Risk Assessment, Resiliency, Security Architecture
         • Controls discussed for each SPI model
  31. Cloud service provider
     • Guideline on the standard for choosing external parties
       – Service subject (service provider)
         • Financial health
         • Reputation in the market
         • Information security management
         • Members of the board of directors
         • Evaluation of past performance
         • Third parties' list, roles, responsibilities and interface information
       – Risk management
         • Assessment of the provider's risk level
         • Assessment of the provider's information management policy
         • Review of procedures and processes
         • Business continuity plan
         • Attitude towards compliance, possibility of data lifecycle management, insurance against information loss
  32. Objective evaluation: accountability
     • “Contracts are not your only governance tool but should encompass the broad due diligence required of a cloud provider.” (CSA Guidance, p. 15)
     • Due diligence domains
       – Service provider
       – Type of service
       – Conditions of service
       – Service level agreement
  33. Who: how to control the cloud service provider
     • Legal control: effectiveness of the SLA (controlling the provider by legal agreement)
       – Data isolation
       – Data access by the provider
       – Articles on technical measures
       – Ownership of data
       – Monitoring rights
       – Compliance
       – Ensuring smooth termination
         • Data access after termination
         • Transferring data to another platform
  34. Controls
     • After the assessment of risks and the choice of service, controls should be implemented and monitored/audited properly.
       – “Do not forget, the security of the cloud computing environment isn’t mutually exclusive of your organization's internal policies, procedures, standards, guidelines and processes.” (CSA Guidance, p. 46)
     • Definition and documentation as a first step: how data is stored, processed, accessed and managed.
     • Ensure that the cloud service provider implements, operates and maintains controls properly
       – A SAS 70 report is helpful.
  35. Technology controls
     • Traditional issues
       – Encryption
       – Key management
       – Identity management
       – Application security, etc.
     • Model selection
     [Figure: IaaS / PaaS / SaaS against private, hybrid and public cloud; the user's responsibility and risks such as data isolation and leakage vary by model]
  36. Process to choose controls
     • Reduce the risks of identified information assets
     • Complete the risk control matrix
     • Approve residual risks
  37. Assessment & audit
     • SLO (Service Level Objectives)
     • SLA (Service Level Agreement)
       – Framework for assessment and audit
     • Difficulties in audit
       – Limitations of SAS 70