Вы находитесь на странице: 1из 5

Sumaya Shakir Sumaya.shakir@gmail.

com September 2012 Cloud Computing Security Risks Background and key information: It finally seems like the Feds are catching up with the Cloud era boom. The US government has released its stand on the data security on cloud technologies at the Security in Government 2012 conference. Important concerns regarding the jurisdictional issues of data storage were raised. The Federal Financial Institutions Examination Council(FFIEC) issued a press release with cloud computing risks and issued guidelines in its FFIEC IT Examination Handbook. The department will be coming up with new cloud guidelines. Separately in Europe, the European Network and Information Security Agency (ENISA) and the Cloud Security Alliance (CSA) have come up with their own assessment of how to addresses cloud risk guidelines. The European commission and European data protection council has issued statements indicating firms offering cloud solutions should offer legal clarity and clear privacy policies. The UK Government Digital Service is formulating its policies to maximize on the potential benefits to the UK economy. The CSA is also working on standards for cloud interface. HP has partnered with VMware in providing cloud platform solutions. The partnership aims at providing infrastructure with strong security and converged cloud solutions to the PCI industry. The companies are selling their solutions that goes beyond addressing the security guidelines put forth by various councils; it will be interesting to see how HPVMware partnership will fair against various commission guidelines. In another initiative HP has partnered with Microsoft for cloud integration. HP has signed new contracts with various government organizations to provide both hardware and software solutions. HP has made new investments in cloud computing in China. Following its China five-year growth plan, HP opened a brand new center called HP Cloud Executive Briefing Center in Tianjin and expanded its R & D in China. In addition, HP has started other big investments in China. With so many countries and their respective Governments on the bandwagon trying to form their own policies and drawing the blueprint of how the cloud infrastructure should look like, the result will be a set of conflicting laws and regulations between borders and countries. To add to the complexity, some governments are leery of working with China. And Chinas stand on how these services will impact its own industry and Government is a question that is yet to be raised. While HP is ahead of the game, it may be missing some key mandates from the Cloud Security Alliance and the various Government policies that could prove as a costly mistake. Moreover setting up a cloud hub in China could be security threat to businesses and organization in the US including the US government especially in the wake of latest allegations in regards to spying from two big Chinese firms ZTE Corp. and Huawei Technologies. Given the sensitive nature of government and payment data, this can soon become an unmanageable nightmare and lead to unimaginable vulnerabilities for the United States or for the western European nations. The issue is in
1

the late formation phase and early interest group formation. The issues are skirting around the cloud circles and in the various CSA congress presentations and has yet to be identified as a full blown threat. The story has been picked up by a few freelance technology journalists. For example, the author for http://www.businesscloud9.com/content/policy-blueprint-cloud-computing-market/11476 has provided enough validation to show the issues surrounding a global cloud dilemma. The main interest groups for this issue will be the consumers and enterprises across the globe that will use the cloud services technology irrespective of geographical boundaries. There is no doubt that the Governments across the globe have to take an active role in formulating the compliance and security protocols and HP being a key leader of cloud services will be impacted by this and needs to be more involved with the formation of any cloud law legislation that will give it a competitive advantage in the non market arena. Cloud Computing Security Risks Issue Summary: Issue Interest Groups Information Security vulnerabilities in Cloud Computing Cloud Security Alliance Consumer and Enterprise Business using Cloud Services Banks, Payments Card Industry(PCI) Government Organizations like US Military UK Government Digital Service, Federal Financial Institutions Examination Council ( FFIEC), European Network and Information Security Agency (ENISA) Jurisdictional issues of data storage Cloud Computing conflicting laws and regulations between borders and countries needs to be resolved Safety of hosting cloud services from China Late issue identification, early interest group formation Currently the story is published by a few technology magazines. Main stream media is yet to pick up the story but eventually in the next few months, this issue will be a hot topic.

Institutions

Issue Life Cycle Media Attention

HPs Business Strategic Political Actions for Security Risks Lobbying


2

HP, Microsoft and other internet companies who are offering services on the Cloud have been lobbying for safer cloud computing laws since 2010. Microsoft general counsel Brad Smith insisted on electronic privacy laws being updated during a Senate Judiciary Committee in Washington in 2010. Since then, there have been continued lobbying efforts for cloud security. HP as part of the Cloud Security Alliance group has been lobbying against the Cybersecurity Act of 2012 and has been successful in protecting the cloud initiatives.

The above graph shows HPs spending on lobbying for various causes including trade legislations, cloud security, data security and privacy regulations, patent approvals, free trade, broadband subsidies and defense funding. HP is one of the biggest spenders on lobbying efforts. It hires lobbying firms like Palmetto Group, Mehlman Vogel Castagnetti Inc, Sternhell Group, Innovative Federal Strategies and Akin, Gump et al . HP has spent $3,750,000 so far in 2012 on various lobbying. There are a number of individual cloud computing legislations that HP along with Microsoft, Google, Facebook and other companies have been lobbying like the policy issues in cloud computing, Electronic Communications Privacy Act (ECPA) and the number of other policies regarding, Cloud Physical Location and Access Issues Jurisdictional issues affecting the Cloud. Example: safe harbor law - a European law enacted in reaction to the U.S. Patriot Act. Another example is the Trade Agreements Act of 1979 (TAA) prohibits government contractors from using cloud serveices that are set up in countries that dont have trade agreements with United States. Privacy, Security and the Cloud Concerns around data stored in the Cloud is less protected than other in other contexts. fundamental concern about the security of essential business and government information and processes maintained in the Cloud. Law Enforcement and the Cloud Concerns with privacy issues in law enforcement context and legal protections against unreasonable search and seizure of data stored in a Cloud context. Example: Congress is currently reviewing a proposed update to the Electronic Communications Privacy Act
3

Intellectual Property (IP) and the Cloud Concerns regarding valuable intellectual property, trade secrets or copyrighted material in a Cloud environment. Example: The Digital Millennium Copyright Act provides a safe harbor to cloud service providers from infringement liability for copyright violations if they adhere to guidelines and immediately block access or remove copyrighted materials from their website upon notification. Global Competition and the Cloud: U.S. companies can compete for a share of global cloud market but U.S. put them at a competitive disadvantage. Example: U.S. Patriot Act

Sen. Amy Klobuchar has introduced a new bill called the Cloud Computing Act of 2012 (S.3569), that is supposed to improve the enforcement of criminal and civil law with respect to cloud computing. The proposed bills main purpose is to give cloud computing services protections under the CFAA. HP as part of the CSA alliance is lobbying for this bill. Eric Goldman, Internet Law professor from Santa Clara University has written an article on forbes.com regarding the Cloud Computing Act . The article can be found at http://www.forbes.com/sites/ericgoldman/2012/10/02/the-proposed-cloud-computingact-of-2012-and-how-internet-regulation-can-go-awry/ Forming Coalitions HP is part of the Cloud Security Alliance group to promote the use of best practices for providing security assurance within Cloud Computing. All the top companies like Google, MicroSoft and even US Department of Defense are members of this alliance group. The Alliance aims to provide education on the uses of Cloud Computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

HP along with the CSA has developed a number of useful and valuable resources like the secure best practices for cloud computing, tools for managing governance, risk and compliance, cloud user certification and cloud security knowledge certification, registry of cloud services amongst other cloud security standards. Public Advocacy & Awareness Raising For the last 8 years, every year HP has used events like HP Protect to raise awareness and increase visibility on security infrastructure, potential security risks and breaches, security landscape, cloud security information, security and compliance standards by hosting a two day event where it invites experts, architects, and gurus under one roof. It then makes public all the lectures, information shared during the summit to the general population. HP along with CSA has provided a number of toolkits, handbooks, standards, guides to educate various businesses and public interested in cloud security. HP provides this information on its website and also on CSA website. HP also attends other security conferences like the RSA and shares its knowledge/research with the community. It has also set up community forums, knowledge base, FAQs, social media and blogs to reach out the general public on its efforts on Cloud Computing Security. Summary HPs Political Strategy for addressing Cloud Security Issues Cloud Physical Location and Access Issues Privacy, Security and the Cloud Law Enforcement and the Cloud Electronic Communications Privacy Act Intellectual Property (IP) and the Cloud The Digital Millennium Copyright Act Global Competition and the Cloud: U.S. Patriot Act Cloud Computing Act of 2012 Coalition Cloud Security Alliance Lobbying Public Advocacy & Raising Awareness Protect 2012 RSA HP website community groups, forums, blogs, social media

Conclusion HP is taking cloud computing seriously and is using every avenue to be as close as possible to meeting the mandates of the Cloud Security Alliance and the various Government policies in order to avoid any costly mistakes. It is staying close by lobbying to the various legislations related to cloud computing.
5