©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
CYBER SECURITY AND CLOUD INFRASTRUCTURE AS A SERVICE (IAAS) –
LEGAL & REGULATORY
DAVID SPINKS
March 2011
INTO THE (CLOUD) FUTURE WITH HP
SOURCING MODELS
(Diagram: sourcing models plotted against an "Agility" axis. Labels: Traditional Configured Services, Managed Hosting, Enterprise Cloud Services, Advanced Cloud, Automated Hosting, Utility Services, Technology Island, Systems Integration, Services Ecosystem.)
Acceptance of standard security policies and procedures
Better be prepared: be ready to compromise, yet remain aware of the potential legal issues
Contracts: review them at an early stage to understand where the gaps might be.
ABC of Cloud Security, Legal and Regulatory
Acceptance and Compromise
Single security policy & procedures
Shared set of Internal Controls
Shared independent assurance
No physical rights of access
Little or no flexibility on RTO/RPO
Access to log files
Limited security reporting
Better be prepared
Legal disclosure
Better be prepared
BSI BIP 0008 is a code of practice that provides guidance to ensure, as far as possible, that electronic documents and scanned images will be accepted as evidence by the courts.
http://www.thecabinetoffice.co.uk/page28.html
C - Contracts: advice from e-discovery process standards:
3.9. Cloud Computing or Third-Party Systems
It has become increasingly popular to store data in locations away from the primary business for security, cost-efficiency or disaster recovery purposes. These sources should be identified if they house data potentially relevant to the dispute. Examples of this include cloud computing, SaaS, off-site company storage facilities, co-location data centres, third party data warehousing, or third party tape storage (i.e., Iron Mountain, Recall, etc.).
If a cloud solution is being utilized to store potentially relevant information, you will likely need to put a third-party hold in place. Additionally, you should interview the third-party provider to identify where and how the data is stored. Third-party providers are likely to have back-ups of the data, so it is important to ask about retention and rotation of back-ups. You should also ask what their policy is for swapping out servers; you may find out that there is an old server sitting around that contains relevant data. Another area to consider is whether the potentially relevant information is commingled with any other data. Finally, ask where the servers are located. This information will identify whether there are any challenges in collecting data from another country.
The Electronic Discovery Reference Model
C - Contracts
Ask for examples of independent assurance reports
Speak to independent auditors
Seek client references
Copy of BCP and IT DR plans & plan tests (are these also in scope for the assurance audits?)
Copies of ISO 27001 certificate
Details of SAS 70 internal controls
Copy of BS 25999 certificate
Copy of ISO 20000 certificate
Copy of ISO 14000 certificate
Check the scope!
So what are the cloud security hot buttons?
Identity and access management: need to get this working anyway!
Business continuity and IT DR: acceptance of standard RTO and RPO.
Encryption (key management) will be a client responsibility; this issue is related to IdM!
Flexibility in contracts, and please kill off the “old school” purchasing and contracts departments!
Solutions and Best Practice:
Conclusions
Flexibility required
Ensure you are prepared
Examine Contracts
Cloud is immature and experiences are limited
Legal and regulatory issues (on e-Discovery, the jury is still out!)
Watch this space ....
Finally
http://www.cloudsecurityalliance.org/
http://www.hp.com/hpinfo/newsroom/press/2009/090331xa.html
Q and A