OSCON 2012: US Patriot Act Implications for Cloud Computing - Diane Mueller, ActiveState

Diane Mueller, Cloud Evangelist, ActiveState, [email protected], http://www.activestate.com/stackato


DESCRIPTION

Presented by Diane Mueller, ActiveState (@pythondj)

Are you unsure what the security and privacy implications are for sensitive corporate data? The US Patriot Act is causing many of us to hesitate on leveraging the cloud. Organizations are thinking long and hard about the legal and regulatory implications of cloud computing. When it comes to actual corporate data, no matter what the efficiency gains are, legal departments are often directing IT departments to steer clear of any service that eliminates their ability to keep potentially sensitive information out of the hands of Federal prosecutors. Despite all the hype about every application moving into the cloud, some practical patterns are starting to emerge in the types of data corporations are willing to move to the cloud.

Covered in this session:
(a) Introduction to the US Patriot Act and Data Privacy issues: implications for cloud computing; jurisdictional issues
(b) Best Practices & Practical Patterns: classes of applications that best leverage the cloud
(c) What types of applications should stay on-premise: private cloud model(s); building a compliant cloud strategy

For more information: email me at dianem {at} activestate {period} com, ping me on twitter at @pythondj, or visit http://activestate.com/stackato


Page 1: OSCON 2012 US Patriot Act Implications for Cloud Computing - Diane Mueller, ActiveState

US Patriot Act: Implications for Cloud Computing & Data Privacy
Diane Mueller, Cloud Evangelist, ActiveState, [email protected], http://www.activestate.com/stackato

Page 2: About ActiveState

- Founded 1997
- 2 million developers, 97% of Fortune 1000
- Development, management, distribution & cloud deployment for dynamic languages
- Cloud Solution: Stackato – Private PaaS
- Some of Our Customers

Page 3: Agenda

- Drivers for Cloud Computing
- US Patriot Act & Data Privacy
- Implications for Cloud Computing

Page 4: (image slide, no text)

Page 5: Cloud Computing Drivers

- Savings of physical IT costs
- Faster Deployment Times
- Higher Levels of Application Availability, Reliability & Fault Tolerance
- Access Anywhere
- Capacity scales as needs change
- Improved Time to Market

Page 6: Complex Balancing Act

- Maintain privacy & confidentiality
- Preserve intellectual property rights
- Potential for intervention by foreign governments
- Manage operational & commercial risks
- Comply with industry & jurisdictional regulatory requirements

Page 7: Cloud Computing Privacy Issues

- Information is no longer in your direct custody or control: it is handed over to a third party to manage, and is resident in a different jurisdiction or multiple jurisdictions
- Mass-market cloud services are subject to “take it or leave it” service agreements
- Information and data may not be “portable” – you can’t take it with you

Page 8: Enter the US Patriot Act

- Signed into law in October 2001
- Extended in May 2011
- Grants privileges to access private data in case of suspected terrorist threats
- Significantly increased the surveillance and investigative powers of law enforcement agencies in the United States

Page 9: Who is complying?

http://www.google.com/transparencyreport/governmentrequests/userdata/

Page 10: Example: Dropbox

https://www.dropbox.com/privacy

Page 11: Where your data lives matters

Page 12: US Patriot Act Expands Surveillance

- New powers of surveillance and search/seizure extend to records of anyone (including Foreign Nationals) in the US.
- Extends to records in the custody of US companies in Foreign Countries
- Foreign-based subsidiaries of US companies
- Foreign-based companies with presence in US

Page 13: Changes to Rules of Engagement

- Cloud Computing is premised on the concept of infrastructure pooling, regardless of geographic location.
- Users may not have visibility in relation to the ultimate location of data.
- Data may not in fact be pooled in one place; it could be spread across a cloud service provider's network.

Page 14: Data affected by the US Patriot Act

Data that is housed in or passes through the United States is vulnerable to interception by authorities. This applies to:

- Everyone living in and visiting the country, including any foreign national who spends time on U.S. soil as part of a visa arrangement.
- Companies based in the U.S., whether they are headquartered there or not.

Page 15: Example: BBC

BBC Worldwide is headquartered in London but also has studios and offices in the U.S., making these U.S.-based offices vulnerable to the Act.

Page 16: Gag Orders & the Cloud

- National Security Letters can involve a gag order, which prevents the organization from ever disclosing receipt of a letter requiring the handover of records.
- Vendors cannot provide a guarantee that their customers would be informed.
- This contravenes the EU Data Protection Directive, which requires organisations to inform users when personal information is disclosed.

Page 17: Add Industry & Jurisdictional Regulations

Regulators may restrict the international transfer of certain kinds of data, and may even require certain kinds of data to be kept separate and not be intermixed with other data.

Examples: Australia, Canada, EU, HIPAA

Page 18: Example: Microsoft Warning

- MSFT could not guarantee the sovereignty of European customers’ data in its data centers.
- If the US Patriot Act were invoked, MSFT would be compelled to hand data over to US authorities and would keep the data transfer secret.
- This contravenes the new EU Data Protection Directive, which requires organizations to inform users when personal information is disclosed.
- It is extremely difficult for US-headquartered companies to refuse to comply with the Patriot Act in deference to the EU Directive.

Page 19: Cloud computing fragmenting along national boundary lines

CEO, Reinhard Clemens:

"The Americans say that no matter what happens I'll release the data to the government if I'm forced to do so, from anywhere in the world, certain German companies don't want others to access their systems. That's why we're well-positioned if we can say we're a European provider in a European legal sphere and no American can get to them."

Page 20: In principle, the original custodian:

- Remains responsible for protecting and safeguarding information
- Needs to make informed choices
- Should take a risk-based approach:
  - What is the sensitivity of the information?
  - What is the risk to the data?
  - What role does the jurisdiction play in that risk?
- If the risk is high and the safeguards cannot be assured, then don’t use the service provider

Page 21: (image slide, no text)

Page 22: If the Risk Is High: Consider Private Clouds

- Own the infrastructure
- Run your own cloud in your data center
- Host your own services
- Minimize the number of layers between you and the NSL
- Minimizes the US Patriot Act's effect

Page 23: Why a Private Cloud?

- Keep all your data within your own firewalls
- Avoids the Gag Issue: if the US Gov’t wants information, they have to ask you, not some cloud provider
- Keep all your data within secure containers
- Multi-tenancy: Security by Isolation
- Ensure Privacy within your organization
- Encrypt your data when you transmit it beyond your firewalls
- Control & Manage your own resources

Page 24: (image slide, no text)

Page 25: Benefits of Private Clouds

- Greater oversight & control
- Maintaining security of data
- Greater control over computational resources
- Exclusive to an organization
- Managed either by the organization or a third party
- Hosted in the organization’s data center or outside

Page 26: Security comes in Layers on the Cloud

- Applications (SaaS)
- Application Middleware/Platform (PaaS)
- Infrastructure (IaaS)

Page 27: Cloud Computing Infrastructure, IaaS Layer

Gives you an Elastic Playground:

- Pooled Resourcing
- Shared Operating System
- Shared Services
- Security by Unix User Separation

Page 28: PaaS Layer Gives Containerization

PaaS Layer: gives your applications individual Playgrounds

- Everyone gets their own Operating System
- No Shared Services
- Security by Isolation
- Secure Multi-tenancy

Page 29: Why add a PaaS layer?

- Applications need more than just infrastructure!
- Applications Need Secure Environments
- Applications need middleware components: languages, modules, databases, web servers
- Apps don’t deploy themselves
- A PaaS automatically configures and deploys the middleware, so your SaaS apps practically deploy themselves

Page 30: What is there to play with in your PaaS Container?

Multi-Choice, End-to-End, Portable & Secure, Infrastructure-Agnostic

Page 31: Wrap-Up

- Maintain accountability and ensure security
- Keep your & your clients’ data private & secure
- Ensure that you are notified of requests for information based on the US Patriot Act
- Still get all the benefits of cloud (elasticity, pooling resources within your organization, faster time-to-market) on a private cloud
- Make migration and deployment with a private cloud easier with a private PaaS

Page 32: Enables Application Portability across Clouds

- Hybrid Clouds
- Private Clouds
- Your App
- Public Clouds

Page 33: Any Questions?

Page 34: Thank you!

- www.activestate.com/cloud
- Twitter: @activestate (#stackato)
- Blog: www.activestate.com/blog
- Email: [email protected]
- #stackato IRC channel on Freenode