1 Security and Legal Issues in Cloud Adoption John Nicholson Strategic Negotiator, Infosys President, DC Chapter, Cloud Security Alliance


Agenda

• Cloud Computing – Today and the Future
• How Secure is Data in the Cloud?
• e-Discovery and Subpoenas in the Cloud
• Contracting for Cloud Services
• Best Practices for Data in the Cloud

Cloud Computing – Today and the Future

Cloud Has Arrived

$40B (2011), $149B (2014), $241B (2020)

Source: Forrester Research 2012, Infosys-IDC research 2012, Forbes

• Democratization of compute and storage
• Unlimited scalability
• Pay-as-you-go commercial models
• New business possibilities
• Catalyst for speed, agility and innovation

OUTSOURCING – CLOUD: Biggest disruptor since global delivery model

Monolithic IT Black Box → Modular Global Sourcing → ‘Cloud inside’ Global sourcing

Modular Global Sourcing
• Global delivery model
• Modularization of IT
• Elasticity of skills

‘Cloud inside’ Global sourcing
• Elasticity of skills and computing
• Extreme scalability and agility
• Convergence of Cloud computing, software applications and business operations – Emergence of business platforms

Evolution of Cloud

Source: Forrester Research 2012, Infosys-IDC research 2012, Forbes

• 34% of IT budgets now being allocated for Cloud computing solutions
• Hybrid Cloud: 60% of enterprise IT will be on Cloud in 4 years
• Private Cloud investments are accelerating

KEY CONCERNS (addressed by different bodies)
• STANDARDS: Interoperability, lock-in, transparency
• TECHNOLOGY: Security and data privacy
• REGULATIONS: Privacy, compliance
• JURISDICTION: Data location, sovereignty, discovery, law enforcement, national security

How Secure is the Cloud?

Security Challenges with Cloud-Based Services

• Available solutions in the market are still silo-based
• Security challenges exist when enterprises integrate private cloud with public cloud for “bursting” and other on-demand computing requirements.
• Challenges exist across 4 key pillars of security

Ponemon Survey of 127 Cloud Providers, April 2011

• Most Cloud Providers believe customers buy Cloud services because of lower cost and faster access to Cloud resources, not security
• The majority of Cloud Providers believe it is their customer’s responsibility, not theirs, to secure the Cloud
• Most Cloud Providers do not believe their services substantially protect and secure confidential information of their customers
• Most Cloud Providers do not have dedicated security personnel
• But 1/3 of Cloud Providers are considering security solutions in the next 2 years

Ponemon 2013 “State of Cloud Security” Survey of 700 IT decision makers

• Half (51% SaaS / 49% IaaS) evaluate security before deployment (41% in 2010).
• Half are confident in the security of those services (53% SaaS / 50% IaaS).
• 50% did risk assessments before putting DBs / other IT assets in the cloud (44% in 2010).
• 50% are confident they know all cloud services in use in their org (45% in 2010).
• In other news, 50% of respondents are probably wrong.
• 29% are confident in their ability to identify and authenticate users before granting access to cloud resources or infrastructure (34% in 2010).
• However, 60% are confident in the ability to identify and authenticate users in an on-premise environment.
• 64% are positive about a hybrid identity & access management (IAM) solution that can support both cloud and on-premise applications.

How Can You Measure/Require Security in the Cloud?

• ISO 27001 Certification
  • Be sure to review the Statement of Applicability
  • Check against Cloud Security Alliance Cloud Controls Matrix
• Service Organization Controls (“SOC”) Audits
  • Customers used to require SAS 70 Type 2, which has been replaced by SSAE 16 SOC 1 Type 2
  • SOC 1 tests controls at a service organization relevant to user entities’ internal control over financial reporting, but it used to be the only option
  • SOC 2 tests controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy

As a Customer, You Need to Know

• SEC treats security incidents/data breaches like anything else that could affect share price – if it’s “material” it must be disclosed or your company could face penalties.
• U.S. State data breach notification laws require disclosure of certain types of data breaches within certain time periods, or your company could face penalties.
• If you’re dealing with PHI, you have to disclose data breaches to either the FTC or HHS within certain time periods, or your company could face penalties.
• Various global data protection laws require disclosure of data breaches of personal information within certain time periods, or your company could face penalties.

e-Discovery and Subpoenas in the Cloud

Access to Cloud Data

• Subpoenas for data in the US
  • Not a lot of case law directly addressing discovery of corporate email held by Cloud Providers
  • Instructive analogs found in:
    • Cases involving 3rd-party email providers under the Stored Communications Act ("SCA") and
    • Cases addressing the concept of "control" under US Federal regulations
• US Civil Subpoenas
  • Basic test under FRCP: “possession, custody, or control”
  • U.S. courts construe “control” broadly - a party is often deemed to have control if it has the legal right, authority or practical ability to obtain the materials sought upon demand
  • However, courts generally presume 3rd parties cannot be compelled to disclose electronic communications pursuant to a civil subpoena
  • Courts tend to focus on whether email account holders who are parties in the underlying litigation can be ordered to authorize access to their email accounts, despite the SCA

Discovery Obligation Comes Back to You

• The fact that a court does not force a Cloud Provider to turn over your information simply brings the issue to your doorstep.
• The U.S. discovery system encourages extensive production of information.
• Having data held by a Cloud Provider can make compliance with discovery obligations more challenging.

Inadvertent Loss/Destruction

• What happens if a Cloud Provider loses / inadvertently deletes your information?
  • Currently uncommon for a Cloud agreement to reference e-discovery type requirements
  • Difficult to claim Cloud Provider is responsible if there’s nothing in the contract on point
• Legal analysis for a “spoliation claim” normally focuses on “possession, custody or control” over the data, which would generally point back to you – even for hosted services
• Cloud Provider is not (normally) party to the litigation; the court will typically focus its efforts on the parties appearing in court
• If the court finds you responsible (i.e., you did not produce information in your possession, custody or control) then the court can order sanctions
  • Sanctions can range from fines to a terminating order that ends the case in the other party’s favor

Inadvertent Loss/Destruction (continued)

• If data was lost due to Cloud Provider’s actions (or inactions), you will need to argue that you were not at fault
  • Likely requires going beyond merely establishing who deleted the data
  • Need to show you acted diligently in selecting Cloud Provider, negotiating terms, putting controls in place and notifying the provider in a timely manner — and that despite all of those efforts, data was lost through no fault of yours
• Even so, minimal (if any) case law guidance on whether this argument would be adequate
• More likely, if the other party has been prejudiced by the loss of data, a sanction of some type is likely to balance the playing field
• Recovery of fines from Cloud Provider unlikely
  • Based on standard limitation of liability approaches in most cloud contracts, you may not be able to recover damages from Cloud Provider

The “Democratization” Wrinkle

• Employees may be using cloud services without the knowledge of the company (e.g., Google docs, Dropbox) or social media (e.g., Facebook)
• When employees leave, you may lose access to those password protected accounts
• BUT, if you end up in litigation you may have had a duty to preserve that information and/or produce it
• Cloud Providers may not store information in easily accessible, legally compliant (i.e., “reasonably usable”) format
  • Facebook and other social media services are not e-discovery friendly
  • Obtaining information without employee’s password/cooperation may require litigation against that Cloud Provider

The International Wrinkle

• What happens if a lawsuit is in the US but the other party’s headquarters is in another country? Or what if the data is in a country where the rules are different?
• U.S. Supreme Court has held that U.S. courts may order production of documents governed by foreign blocking laws
  • Violation of French blocking statute to deliver documents in the U.S. has resulted in criminal sanctions in France
• AccessData Corp. v. ALSTE Technologies GMBH, 2010 WL 318477 (D. Utah Jan. 21, 2010)
  • ALSTE argued German privacy laws prevented collection of company emails located in Germany
  • U.S. court held German law did not bar disclosure of information relevant to the litigation
  • U.S. court required ALSTE to proceed with e-discovery
  • Failure to produce the data after the court’s ruling would likely result in severe sanctions
  • However, German Data Protection authorities have sanctioning powers, as well
• Companies with data spread across different jurisdictions may have to make difficult choices if cloud-based data is implicated in litigation

Contracting for Cloud Services

Guiding Principles for Contracting with Cloud Providers

• Different than traditional ITO/BPO contracting
• Must understand Cloud Provider’s business model
  • Standard service to all customers
  • Consistent, repeatable processes
  • Customers must accept a standard delivery model to take advantage of the cost savings
• Cloud Providers insist on their own contract template
  • They need standardized contracts to match their standardized delivery model

Outsourcing vs. Cloud contracting

| Topic | Outsourcing | Cloud Services |
|---|---|---|
| Contract Template | Use Customer’s template. Each deal customized. | Cloud Providers insist on their contract documents. |
| Contract Negotiation | Almost everything negotiable. Service delivery solution customized. | Provisions impacting uniformity and scalability of the cloud service are not negotiable. Service delivery solution standardized. |
| Contract Leverage | Size of deal matters. Competition matters. | Size and competition matter much less. |
| Contract Negotiation Timing | 4-8 months, but can be 12 months or more | Generally < 3 months and frequently faster |
| Term | 3-5 years, with Renewal Options | 1-3 years, with evergreen extension unless either party terminates 30-90 days before anniversary |
| Contract Modification | Modified only via written contract amendment | Governed by online terms (service descriptions) or “then current” policies found on web pages (security and privacy) |
| Control Over Supplier Personnel | Key Supplier Positions, background checks, and ability to remove personnel | Largest contracts may include one Key Supplier Position, but little else |
| Subcontractors | Significant restrictions on use of subcontractors | No restrictions - Subcontractors may be essential to the provider’s ability to deliver the services |
| Security | Fully negotiable (for a price) | Non-negotiable |
| Governance | Detailed, multi-committee governance structure | None |
| Service Levels | Customized and numerous | Standardized and very few |
| Service Level Credits | Customized. Based on percentage of monthly revenue – generally 5-15% | Can be significant – even up to 100% of monthly charges (but dollars are smaller and credits tied to the charges for the failed service) |
| Data Location | Customer knows where its data is. Limits on moving data center. | Customer does not know where data is. Fewer restrictions on data center location. |
| Charges | Complex combination of transition charges, plus ongoing fixed and variable charges | Minimal transition cost. Charges based on simple metric such as “per user” or “per seat” or similar units |
| Audits | Extensive audit rights, particularly in dedicated environments | None (although Supplier may agree to provide SSAE 16) |
| Customer’s Termination Rights (cause and other) | Cause, Service Level Failures, Change of Control, Force Majeure Events, Change in Laws, Supplier’s Liability Cap, Regulatory Approval, Insolvency | For Supplier’s material breach |
| Supplier’s Termination Rights and Right to Suspend | For cause and right to suspend for failure to pay. | Starting position is Supplier may terminate or suspend “for any reason” or for “breach of Acceptable Use Policy” or if Provider believes Customer’s use threatens provider’s network or ability to provide services. Can limit right to suspend only “to the extent” necessary to address the breach of the AUP, or to address the breach. |
| Termination for Convenience | Yes, but generally includes termination charges necessary to make supplier whole for things like transition discounts, infrastructure investments, etc. | Yes, after initial commitment on 30-90 days notice. Termination charges may be appropriate for certain deals, but are less standard. |
| Termination Assistance | Requires fairly extensive cooperation between customer, existing service provider and replacement service provider. Specified period of assistance (3 – 12 months), sometimes with right to acquire hardware, software, contracts and people. | Very limited cooperation required. Existing Cloud Provider provides a copy of all data resident in cloud environment for transfer to replacement service provider. No right to acquire assets. |

Best Practices for Data in the Cloud

Best Practices for Data in the Cloud

When drafting your RFP / evaluating potential Cloud Providers / negotiating with the selected Cloud Provider:

1. Know where your data is/will be stored
  • Request data center locations and consider including in contract
  • Request geographic limits if appropriate (e.g., “stored in the US”)
2. Protect data
  • ISO 27001 certification, SOC 2, Cloud Security Alliance Cloud Controls Matrix
3. Ensure you can use your data
  • Customer should have the right to access data at all times
  • Make sure data can be exported in a useable format
  • Contract should specify Disengagement Assistance requirements

Best Practices for Data in the Cloud (continued)

4. Determine if Cloud Provider can comply with data retention/destruction policies
  • Including litigation holds
5. Subpoena / e-Discovery Requirements
  • Require notice of subpoenas received by Cloud Provider that could impact your data
  • Specify that Cloud Provider will assist with e-Discovery efforts and specify costs
6. Cyber Liability Insurance

INFOSYS: CLOUD ECOSYSTEM INTEGRATOR

• Ecosystem of Partners
• Professional Services for the Cloud
• Business Platforms – Services in the Cloud
• Infosys Cloud Ecosystem Hub

190+ engagements, 12+ Business Platforms, Industry leading IP, 30+ Partners

THANK YOU

www.infosys.com

The contents of this document are proprietary and confidential to Infosys Limited and may not be disclosed in whole or in part at any time, to any third party without the prior written consent of Infosys Limited.

© 2012 Infosys Limited. All rights reserved. Copyright in the whole and any part of this document belongs to Infosys Limited. This work may not be used, sold, transferred, adapted, abridged, copied or reproduced in whole or in part, in any manner or form, or in any media, without the prior written consent of Infosys Limited.