MBA Cloud Computing ppt

Description: Protecting data privacy during audit in cloud computing

Page 1: MBA Cloud Computing ppt

Protecting Data Privacy During Public Audit in Cloud Computing

Group Members: Praful Gupta (1779553), Atul (1780033), Jebin Gs (1779960)

Page 2: MBA Cloud Computing ppt

What are personal data?

Protecting your personal data is a fundamental right in the European Union. ‘Personal data’ relate to any personal information which can be used to identify you, directly or indirectly, such as your name, your telephone number, your email address, your place and date of birth, etc.

Page 3: MBA Cloud Computing ppt

Sensitivity of personal data

90% of US consumers want to be asked to give permission for their data to be shared. 88% of people are worried about who has access to their data. 74% of Europeans see disclosing personal information as an increasing part of modern life.

Users must fully understand their agreement with any service provider.

For example, Google’s policy states that the company will share data with the government if it has a “good faith belief”, and they are legally prohibited from informing users that their data has been shared with the government.

Page 4: MBA Cloud Computing ppt

Legal Issues and the cloud

Protecting data privacy is no longer optional: it’s the law! Geographical diversity is inherent in cloud service offerings. Because data resides in disparate or multiple locations in cloud computing, jurisdiction has become a complex and challenging issue.

This means that both the virtualization and the physical locations of the servers storing and processing data may affect which country’s law governs in the event of a data breach or intrusion into cloud systems.

Jurisdictional matters also determine which country’s law is applicable to the data.

Page 5: MBA Cloud Computing ppt

Privacy concerns slow cloud adoption

The issue of data privacy and cloud services emerged as one of the top concerns of European IT chiefs.

Their primary concern is that any data housed, stored or processed by a company that is US based or is wholly owned by a US company would have to be made available for inspection by US authorities under the Patriot Act.

Meanwhile, the European Data Protection Directive requires companies to inform users when they disclose personal information.

Microsoft confirmed that it might be compelled to hand over European customer data to US authorities and that it might not be able to tell customers about its actions.

Page 6: MBA Cloud Computing ppt

Terms & Conditions and the Issues

iCloud

• Terms and Conditions, or the nature of the service, can change without notice.
• No guarantee that data stays within the EU and US.
• The right to change data in transmission is reserved.

Gmail

• “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
• Terms and Conditions, or the nature of the service, can change without notice.
• No reference to where data is stored, hence no guarantee it remains in the EU or under Safe Harbor.

Dropbox

• “We may also remove any content from our Services at our discretion.”
• Terms and Conditions, or the nature of the service, can change without notice.
• No guarantee that data stays within the EU and US, though Dropbox does claim to adhere to the US Safe Harbor laws.

Page 7: MBA Cloud Computing ppt

Cloud Computing

Data outsourcing: as we are outsourcing the data that is most important to any firm, data integrity is a big concern.

Enabling public audit for cloud data storage security is important.

For better data integrity, the user can ask the CSP for an External Audit Party.

[Figure: cloud network connecting the stored data, several users and the External Audit Party]

Page 8: MBA Cloud Computing ppt

Third Party Auditor (TPA)

What is a TPA? An external audit party. The TPA works on request of the cloud customer to audit the CSP’s data.

How the TPA audits securely:
1) Auditing should be done without the TPA asking for a copy of the data.
2) The TPA should keep user data privacy in mind while auditing.

Page 9: MBA Cloud Computing ppt

System and Threat Model

CC: Cloud Customer, who uses the cloud for storage of data.
CS: Cloud Server, managed by the CSP.
TPA: external Third Party Auditor, who has the capabilities and expertise to audit the data upon request of the CC.
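As an added illustration of slides 8 and 9 (this is not part of the original presentation), the Python sketch below shows how a TPA can check the integrity of outsourced data without ever receiving a copy of it: the cloud customer (CC) tags every block with a homomorphic authenticator before outsourcing, the cloud server (CS) answers a random challenge with just two aggregated field elements, and the auditor (TPA) verifies them using only the customer's verification key. The scheme, the field parameters, the block size, the class names and the sample record are assumptions made for this example (a simplified private-verification variant of the Shacham-Waters construction). It does not give public verifiability, which needs pairings, and the aggregate `mu` still reveals one random linear combination of the challenged blocks; that residual leak is exactly what privacy-preserving public auditing schemes blind with an extra random mask.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed parameters for the example: a prime field and a block size small
# enough that every block encodes as a field element (15 bytes < 2**120 < P).
P = 2**127 - 1          # Mersenne prime, field modulus
BLOCK_BYTES = 15

Challenge = List[Tuple[int, int]]   # (block index, random non-zero coefficient)


def split_blocks(data: bytes) -> List[int]:
    """Zero-pad the file and encode it as one field element per block."""
    padded = data + b"\x00" * (-len(data) % BLOCK_BYTES)
    return [int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(padded), BLOCK_BYTES)]


def prf(key: bytes, index: int) -> int:
    """Owner-keyed pseudorandom function: HMAC-SHA256 reduced into the field."""
    digest = hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P


class DataOwner:
    """Cloud customer (CC): tags each block before outsourcing and hands the
    auditor only a verification key, never the data."""

    def __init__(self, data: bytes):
        self.prf_key = secrets.token_bytes(32)
        self.alpha = secrets.randbelow(P - 1) + 1        # secret non-zero scalar
        self.blocks = split_blocks(data)
        # Homomorphic tag per block: sigma_i = PRF(k, i) + alpha * m_i  (mod P)
        self.tags = [(prf(self.prf_key, i) + self.alpha * m) % P
                     for i, m in enumerate(self.blocks)]

    def verification_key(self) -> Tuple[bytes, int, int]:
        return self.prf_key, self.alpha, len(self.blocks)


class CloudServer:
    """Cloud server (CS) run by the CSP: stores blocks and tags, answers challenges."""

    def __init__(self, blocks: List[int], tags: List[int]):
        self.blocks = list(blocks)
        self.tags = list(tags)

    def prove(self, challenge: Challenge) -> Tuple[int, int]:
        # Only two aggregated field elements leave the server, not the blocks.
        mu = sum(nu * self.blocks[i] for i, nu in challenge) % P
        sigma = sum(nu * self.tags[i] for i, nu in challenge) % P
        return mu, sigma


class ThirdPartyAuditor:
    """TPA: holds the verification key only, so it never sees a copy of the file."""

    def __init__(self, prf_key: bytes, alpha: int, n_blocks: int):
        self.prf_key, self.alpha, self.n = prf_key, alpha, n_blocks

    def challenge(self, count: int) -> Challenge:
        # Random sample of block indices, each with a random non-zero coefficient.
        indices = sorted(secrets.SystemRandom().sample(range(self.n), count))
        return [(i, secrets.randbelow(P - 1) + 1) for i in indices]

    def verify(self, challenge: Challenge, proof: Tuple[int, int]) -> bool:
        # sigma must equal sum(nu_i * PRF(k, i)) + alpha * mu; any changed block
        # shifts mu by nu_i * delta, which alpha cannot cancel in a prime field.
        mu, sigma = proof
        expected = (sum(nu * prf(self.prf_key, i) for i, nu in challenge)
                    + self.alpha * mu) % P
        return expected == sigma


def run_audit(data: bytes, challenge_size: Optional[int] = None,
              tamper_block: Optional[int] = None) -> bool:
    """End-to-end audit round. Returns True if the server's proof verifies.

    challenge_size=None challenges every block (deterministic detection);
    tamper_block simulates silent corruption of one stored block on the server."""
    owner = DataOwner(data)
    server = CloudServer(owner.blocks, owner.tags)
    if tamper_block is not None:
        server.blocks[tamper_block] = (server.blocks[tamper_block] + 1) % P
    tpa = ThirdPartyAuditor(*owner.verification_key())
    count = len(owner.blocks) if challenge_size is None else challenge_size
    chal = tpa.challenge(count)
    return tpa.verify(chal, server.prove(chal))


if __name__ == "__main__":
    # Constructed sample record; the auditor never receives these bytes.
    sample = b"constructed customer record: name=Alice, dob=1990-01-01, phone=555-0100" * 4
    print("honest server, 4 sampled blocks:", run_audit(sample, challenge_size=4))
    print("corrupted block, full challenge:", run_audit(sample, tamper_block=0))
```

With a sampled challenge the auditor detects a single corrupted block with probability proportional to the sample size, so real schemes trade challenge size against assurance; with a full challenge the corruption is caught every time. Because the verification key is a secret shared with the auditor, this variant also assumes the TPA does not collude with the server, which is the trust gap that publicly verifiable schemes remove.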

Page 10: MBA Cloud Computing ppt

Auditing

What is auditing? An audit is basically a declaration that some regular method or practice is followed. According to the category of audit, the auditor methodically examines data for compliance with established criteria.

Data is a very valuable asset of a business; it can be customer data, employee data, product data or financial data. No firm can compromise on its data.

“Accountability is Everything”

Reference: http://searchcio.techtarget.com/searchCIO/downloads/AuditTheDataOrElse.pdf

Page 11: MBA Cloud Computing ppt

Audit Framework

Audit control frameworks for the cloud: when adopting new technology of any kind, both system owners and internal auditors must consider not only the business justification for adoption but also the risks inherent to the new technology.

COBIT, ITIL and ISO 27001 are considered sufficient overall and a worthy starting point. Of the organizations that have been instrumental in exploring the cloud in relation to security and compliance programs, the most active are currently CSA, NIST, ISACA and ENISA. These organizations have been leading the development of concepts and guidance sufficient to understand, protect and trust cloud infrastructure.

Page 12: MBA Cloud Computing ppt

Frameworks

ENISA Cloud Risk Assessment: ENISA is the European Network and Information Security Agency. It is a purely advisory organization. Its work covers building trust in the cloud, data protection in large-scale environments, and engineering.

Entities using COBIT: ISACA is the organization responsible for the control framework COBIT, a readily recognized set of control frameworks for IT systems to meet COSO/SOX requirements and the ISO 27001 ISMS (Information Security Management System). It defines control objectives that can be refined with a risk assessment to describe specific control outcomes. It is a mature framework that has been assessed by many to set standards for the governance of information security.

CSA Guidance: the Cloud Security Alliance published security guidance for critical areas of focus in cloud computing. This work has become well referenced and considered.

CloudAudit/A6, the Automated Audit, Assertion, Assessment and Assurance API: the CloudAudit/A6 group is a relatively new organization and a public effort to address audit and compliance of cloud services; it merged with CSA in 2011. It endeavors to create a common method for providers of cloud computing services to automate audit functions of their infrastructure regardless of platform technology. The goal of this group is to allow cloud consumers to check (audit/assess) remote infrastructure via a common interface and namespace.

Page 13: MBA Cloud Computing ppt

Main focus of audit:

• Gaps between the SP and the organization.
• Security and confidentiality.
• Discrepancies in contracts.
• Cost.
• Data.
• Poor quality testing.
• Insufficient allocation of resources.

Page 14: MBA Cloud Computing ppt

Guidance from these organizations

Cloud-hosted/cloud-based systems cannot be protected in the same way as traditional corporate IT systems infrastructure.

Auditors need more technical knowledge: new controls, or enhanced reliance on security services such as log/event monitoring, identity management, physical security and virtual server technology, may require a level of technical sophistication previously unnecessary for auditors.

A strong understanding of network scope is required.

Page 15: MBA Cloud Computing ppt

Cloud Service Myths

• Data privacy and security law compliance is the provider’s responsibility.
• The customer must have the right to access the provider’s data center and systems for audit purposes.
• Transfer of data outside the EEA is easy if the SP is US-EU Safe Harbor certified.

Page 16: MBA Cloud Computing ppt

COMPELLED DISCLOSURE TO THE GOVERNMENT: USA PATRIOT ACT

• Originally enacted in 2001, amended in 2005.
• Allows FBI access to certain business records with a court order.
• Also provides for the use of National Security Letters (a form of administrative subpoena) to obtain records.
• The law limits the ability of cloud providers to reveal that they received an order.

Page 17: MBA Cloud Computing ppt

SARBANES-OXLEY LAW

• Created in 2002, also known as the Corporate and Auditing Accountability and Responsibility Act. This legislation for secure reporting systems was created in 2002 to raise the reporting requirements on public companies and their accounting firms. It was created to increase accountability and transparency, and therefore strengthen public confidence in their performance.

• This is a federal law that was enacted in the United States in reaction to the fact that many European countries were dealing with accounting and corporate scandals including WorldCom, Adelphia, Peregrine Systems, Tyco International and Enron. These scandals were costing their investors billions of dollars, and huge companies were collapsing, which shook up the securities market across the nation.

Page 18: MBA Cloud Computing ppt

FEDERAL INFORMATION SECURITY MANAGEMENT ACT

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.

FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. 

Page 19: MBA Cloud Computing ppt

HEALTH INFORMATION PRIVACY ACCOUNTABILITY ACT

When it comes to health, privacy is of utmost importance. It’s necessary to ensure that, even while using a secure Internet service to store data, patient data is on lockdown. It’s also the law.

HIPAA, the Health Insurance Portability and Accountability Act (also known as the Standards for Privacy of Individually Identifiable Health Information), was passed in 1996 by the U.S. Congress and effective as of July 1, 1997. The purpose of the Act is to prevent fraud and abuse in the delivery of sensitive healthcare information.

This rule gives patients control over how their health information is used, including information put in their medical record, conversations they have with their provider about their treatment, clinical billing information, etc. Under the act, patients are also allowed to request copies of their medical records, have corrections added, and decide whether they want to give permission for their health information to be shared.

Page 20: MBA Cloud Computing ppt

GRAMM-LEACH-BLILEY ACT

This act for banking safeguards and privacy protections was created to enable consolidation in the financial services industry. It contains provisions intended to protect the consumer information of customers. It is similar to HIPAA. It focuses on maintaining control of private data, and it also prescribes a risk assessment to apply appropriate servers, data processing and storage of data.

Page 21: MBA Cloud Computing ppt

CONCLUSION AND RECOMMENDATION

Public auditability for cloud data storage security is of critical importance so that users can resort to an external audit party to check the integrity of outsourced data when needed.

RECOMMENDATIONS

Demand transparency by making sure that the cloud provider can supply detailed information on its security architecture and is willing to accept regular security audits. The regular security audit should be from an independent body or federal agency.

Further efforts need to be put in research, standardization and certification schemes, and in adaptations of the legal and regulatory frameworks for raising the level of trust in cloud computing services.

Supervisory authorities in the area of data protection and privacy protection must continue with developing guidelines and raising awareness regarding data protection and privacy issues.

Page 22: MBA Cloud Computing ppt