www.cloudsecurityalliance.org Copyright © 2012 New Zealand Cloud Security Alliance
Rizwan Ahmad
Chair Data Governance, CSA, CEO NZCSA, Senior Lecturer MIT
Cloud Security Alliance
Global, not-for-profit organization
Members:
Over 49,000 individual members
200 corporate members
70 chapters worldwide
Established with the aim of bringing trust to the cloud
30 research groups with 25 research projects
Cloud Security Alliance New Zealand Chapter
Over 300 members
Main focus is research in:
Data governance
Privacy
Cloud Assurance
Cloud Auditing
Sir Winston Churchill
Preservation of sovereignty is a noble cause, enshrined in constitutions, legislation and patriotism:
To preserve peace
To protect territory against hostile elements
To protect its citizens
To guarantee freedom
Countries take various steps to preserve the sovereignty of the state without infringing the rights of their own citizens, through:
Proactive actions
Reactive actions
Legal or not legal?
Sovereignty of State
Reactive: Police, Military
Proactive: Intelligence Agencies
Counter Operational
Government develops legislative measures to empower these agencies through national security laws meant to protect citizens':
Fundamental rights
Freedom
Democracy
Country
Various covert and overt operations are under fire.
These operations reflect national security but override fundamental rights (globalization).
Operations take strength from legislation.
These programs and laws are not new.
Country | National Security Laws | Tolerance
USA | Foreign Intelligence Security Act (FISA); PATRIOT ACT | Justifies PRISM; zero tolerance for foreigners; US citizens safe
UK | Regulation of Investigatory Powers Act 2000, section 22(2); Telecommunications Act 1984, section 94 | Tempora program targets citizens and non-citizens
Sweden | Act 2008:717 on signals intelligence within defence intelligence operations; Act 2009:966 on the Intelligence Court; Decree 2009:968 | Gathering information; has some weakness
France | Code de la Sécurité Intérieure, Book 2, Title IV; Anti-Terror Act 2006; CNCIS | Targeted surveillance; extends powers to gather telecom data directly from providers
Country | National Security Laws | Tolerance
Germany | G-10 Law | Warrantless automated wiretaps of domestic and international communications
Netherlands | Dutch Intelligence and Security Act 2002 | Does not permit wiretap
European Union | Directive 95/46/EC, Article 13 | Exemption to data protection
European Union | Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data | Exemption in Article 9 and Article 16
International | Convention on Cybercrime | Article 27 and 30
Country | User Data Requests | Percentage of requests where some data produced | Users/Accounts Specified
Total | > 27,477 | 64% | > 42,648
United States | 10,574 | 83% | 18,254
France | 2,750 | 51% | 3,378
Germany | 2,660 | 40% | 3,255
India | 2,513 | 66% | 4,401
United Kingdom | 1,397 | 69% | 3,142
Brazil | 1,085 | 49% | 1,471
Italy | 896 | 42% | 1,084
Australia | 780 | 70% | 944
Singapore | 755 | 68% | 847
Spain | 545 | 53% | 761
Poland | 502 | 23% | 740
Survey on PRISM
[Chart: Survey on PRISM, 207 responses. Categories: Less, No impact, Cancelled, More. Values shown: 56%, 31%, 10%, 3%.]
[Chart: Survey results, 440 responses. Categories: Poor, Fair, No Idea, Excellent. Values shown: 47%, 32%, 11%, 10%.]
[Chart: Survey results, 220 responses. Categories: Yes, No. Values shown: 36%, 64%.]
[Chart: Survey results, 423 responses. Categories: Patriot Act Repealed, Patriot Act Modified, Patriot Act is Fine. Values shown: 41%, 46%, 13%.]
[Chart: Survey results, 438 responses. Categories: Yes, No. Values shown: 91%, 9%.]
User rights are undermined by:
Lack of transparency on the part of cloud service providers and governments
Inadequate cloud security standards
Evolving nature of cloud computing
Risks
Jurisdictional laws and conflicts
Universal principles
Article II 3(b), (c), (d) and (e), United Nations Guidelines for Consumer Protection:
(b) The promotion and protection of the economic interests of consumers;
(c) Access of consumers to adequate information to enable them to make informed choices according to individual wishes and needs;
(d) Consumer education, including education on the environmental, social and economic impacts of consumer choice;
(e) Availability of effective consumer redress.
Cloud Governance
Transparency
•What information is disclosed by the CSP?
Legal Protection
•What legal protection is offered?
Compliance
•What standards and laws?
Accountability
•How are grievances addressed?
Right to know reforms…..
Disclosure of information to inform the cloud user of matters that impact their data rights, related to:
Jurisdiction
Legal issues
Data protection laws
Compliance with relevant policies, law enforcement
Redress, complaints
Assess legal and jurisdictional risks:
Contracts must be enforceable
Flexible contracts to allow for cloud user requirements
Choice of court
Arbitration
Ensure data protection under the cloud user's laws
Cloud service provider displays compliance with:
Relevant provisions of laws
Security standards, best practices
Legal protection not to disclose data to third parties
Transparency, legal protection and compliance with standards demonstrate accountability.
Cloud service provider displays information to show:
Accountability processes
Breach of security
Electronic dispute resolution
Liability
Choice of court
Four Elements
Transparency: ISO 27001, CCM; SSAE 16 SOC2 Type 2 / ISAE 3402; STAR Registry (CAIQ, CCM); Disclosure of laws; Breach notification
Legal Protection: Choice of court; Flexible contracts; Enforceable contracts
Compliance: Standards; Contracts; User laws
Accountability: Liability; Dispute resolution
Foundation for data governance
We need your cooperation to build strong research.
Presenting a proposal for new standards on data sovereignty.
Join hands for cloud and cyber security to secure the community.
Thank you