cloud security - publication


Upload: bianca-mueller-llm

Posted on 07-Aug-2015

Category: Law


0 download

TRANSCRIPT

22 | ISSUE 02

PRIVACY

BY BIANCA MUELLER

Bianca Mueller is a qualified judge from Germany, a German attorney (Rechtsanwältin), and an enrolled solicitor in New Zealand. Bianca routinely presents and publishes both nationally and internationally on a variety of topics, including criminal law, intellectual property, and international law. Bianca can be contacted at [email protected].

Cloud-based IT services are touted as a big money saver. They offer flexibility and scalability, enabling users to pool and allocate IT resources as needed by using a minimum amount of physical IT infrastructure to service demand. Cloud-based IT services also offer the convenience of being able to work remotely and access data from anywhere in the world.

Sometimes businesses move to the cloud too fast, and fail to conduct a rigorous risk analysis and evaluation of its return on investment. When planning a cloud deployment it pays to look past the hype and to compare the trade-offs between the different types of cloud environments.

DIFFERENT SHADES OF CLOUD

The term cloud is often used but widely misunderstood. The cloud comes in different shapes and sizes. The three most common cloud service models are Infrastructure as a Service (data storage), Platform as a Service (web servers, operating system) and Software as a Service (applications, software, web email).

These three service structures can be deployed in four different ways: public cloud, private cloud, community cloud, or hybrid cloud.

In the public cloud, users access services over the Internet. The infrastructure is shared and data can be located in different locations across the globe (virtualisation). Some of the most well-known public cloud providers are Google, Facebook, and Evernote.

A private cloud supplies IT services to a restricted group of users within an organisation over a dedicated network link. The private infrastructure can be located onsite or managed through an external provider. A hybrid cloud is a mix of both public and private cloud elements.

The privacy and security implications may vary substantially for each user depending on the type of cloud service environment, and the type of information being used.

While the public cloud offers the highest potential for cost savings, it also poses the biggest risks in terms of control over data, regulatory compliance, service-level availability, and security. In some situations, the risks of using standard public cloud solutions may outweigh the cost-saving benefits.

CYBERSECURITY RISKS

One problem with the cloud is that it is not secure. Common threats stem from criminal hacking attacks, spying by government agencies, employee negligence, or access through unsecured mobile devices.

Over a month ago a flaw was found in the encryption standard used by the majority of web-based services. The Heartbleed bug compromised a swathe of cloud services enabling hackers to retrieve sensitive data, such as secret keys, ticket keys, passwords, etc. The Heartbleed bug is a significant security issue and even more so because it took two years for it to be discovered.

REGULATORY COMPLIANCE IN THE PUBLIC CLOUD

Most public cloud infrastructures that are available in New Zealand are hosted offshore, which gives rise to privacy, security, and jurisdictional issues. The lack of public cloud providers with New Zealand hosting severely reduces the range of public cloud services available to New Zealand-based organisations.

All agencies that collect, transmit, or store personal information in New Zealand are bound by the privacy principles of the Privacy Act 1993. Organisations that deal with personal information have to comply with the privacy principles. In this regard there is no difference between using cloud services, a fixed-server system, or good old paper.

EVERYONE IS TALKING CLOUD – HOW SAFE IS YOUR DATA?

Bianca Mueller
NEWLAW 13 JUNE 2014 | 23

HOW TO BENEFIT FROM THE CLOUD’S FLEXIBILITY AND COST SAVINGS WHILE STILL PROTECTING YOUR DATA:

Conduct an impact assessment to determine the most appropriate cloud environment.
Do not buy into the hype – know your data and decide what can go into the public cloud and what cannot.
Do not put all your eggs in one basket.
Ensure that you fully understand the technical and contractual risks and how they might affect your particular business.
Monitor the cloud provider’s activities, and plan for cloud outages.
Back-up, encrypt, and bring your own key!

The only exception is Principle 5 of the Privacy Act, which requires that reasonable security safeguards are taken against loss, misuse, unauthorised access, use, disclosure, or modification, and that if information is disclosed to another party (eg cloud service provider) everything reasonable is done to prevent unauthorised use or disclosure. Compliance with Principle 5 may be challenging in a public cloud environment because most public cloud providers are based overseas and some countries do not provide the same level of privacy protection as New Zealand.

The recently announced overhaul of New Zealand’s privacy laws is likely to increase legal responsibilities for organisations. The revamp of the Privacy Act 1993 is overdue, and is needed to ensure that it reflects technological developments, and is in line with New Zealand’s major trading partners.

Another regulatory compliance issue arises in the public cloud with regard to the retention of business records. As an example, financial records must be kept in New Zealand under the Tax Administration Act 1994 and the Goods and Services Tax Act 1985 for at least seven years. However, most public cloud providers are hosted and managed overseas, which means New Zealanders cannot use them to process and store their business records.

Taxpayers and cloud service providers may apply for permission from the Commissioner of Inland Revenue to hold records offshore, providing the storage of those records offshore does not impede the Commissioner’s compliance activities.

So far only eight cloud service providers have received IRD approval to store and hold business records of New Zealand customers outside of New Zealand (Brookers, MYOB, Xero, Reckon New Zealand, Cargo Wise New Zealand, CCH New Zealand, Farm IQ Systems, and Technology One).

Other statutory requirements to keep records in New Zealand are contained in the Companies Act 1993, Employment Relations Act 2000, Electronic Transactions Regulations 2003, and Public Records Act 2005.

An individual or a business may have contractual or statutory obligations to keep particular information confidential. For instance, an employee or contractor who signed a confidentiality agreement may breach that very agreement by uploading confidential work information into their personal Dropbox account.

On the other hand, accountants, lawyers, general practitioners, and other health professionals are bound by law to confidentiality. For these professions it may not be advisable to use the public cloud to process data relating to their clients or patients (ie to use iCloud, Google Drive, Dropbox, Evernote).

CONTRACTING ISSUES – SMALL CONTRACT, BIG LIABILITY?

Users of cloud services should know that they bear the sole responsibility for adequate security, encryption, and back-up of any data, even though the data is hosted by the service provider.

Many publicly available cloud services limit the liability of the hosting provider to a level that is not in line with the potential risks. Read the fine print on any contract and know where your risks and liabilities lie. It may surprise you.

If you are expecting this one-day course to equip you against the sharpest of judicial tongues, or to pull off Denny Crane-style antics and annihilate your opposition, then Gary Gotlieb’s Courtroom Confidence workshop as part of the College of Law’s Advanced Business Skills series is not for you.

However, if you would like to know the inner workings of correct court procedures so that your court appearances run smoothly then you are in luck.

Ask any lawyer or barrister about success in court and they will most likely tell you it is all about being well-prepared. But it is not all about knowing your case inside out; it is also about familiarising yourself with how court processes operate, etiquette, knowing who is responsible for what, dealing with clients in stressful situations, being respectful to court staff, and even allowing yourself some extra time when arriving at court to allow for last-minute courtroom changes so that you do not arrive late and flustered. It all sounds like relatively low-level stuff, but even the more senior attendees at the workshop admitted to being unfamiliar with certain processes.

With over 40 years of legal practice, Gary Gotlieb is arguably one of the country’s most experienced barristers. He captivated the workshop attendees, who were PDS, private practice, and in-house lawyers at varying levels of experience and practice areas.

“The biggest thing you have is your reputation,” is one of the first things Gary says to us. We cover conduct in court and with clients – having empathy for all involved in learning the new Civil and Criminal Procedure Rules, never making an assumption about how a judge works, using registrars to ensure you are doing admin correctly, always being mindful of saving the court time, always having a copy of the Lawyers and Conveyancers Act to hand, dealing with self-represented litigants, demonstrating good collegiality among counsel, and not being afraid to request an adjournment if there is an unexpected change of tack.

We then move on to procedures, where Gary had invited two senior court staff to join us to discuss the correct administrative procedures for filling out court forms and filing that will ultimately make the experience smoother for everyone involved. Everything to ensure that you do not end up on the naughty list of slack lawyers – there is one, you know!

Courtroom Confidence is suitable for all types of lawyer, even the more experienced ones who may not have had much recent court time.

The next Courtroom Confidence workshop is scheduled for 26 June 2014 and is eligible for seven CPD hours.

Other Advanced Business Skills Series Workshops include: Investigative Interviewing, Practical Tax for Lawyers: GST and Land, Practical Tax for Lawyers: Tax Disputes and Dealing with the IRD, and Legal Project Management. For more information please visit www.collaw.ac.nz

THE COLLEGE OF LAW: ADVANCED BUSINESS SKILLS SERIES – COURTROOM CONFIDENCE

REVIEWED BY ANGELA JACOBSEN