Group Members

Praful Gupta(1779553)
Atul ( 1780033)
Jebin Gs (1779960)

What are personal data?

• Protecting your personal data is a fundamental right in the European Union.
• "Personal data" relate to any personal information which can be used to identify you, directly or indirectly, such as your name, your telephone number, your email address, your place and date of birth, etc.

Sensitivity of personal data

• 90% of US consumers want to be asked to give permission for their data to be shared.
• 74% of Europeans see disclosing personal information as an increasing part of modern life.
• 88% of people are worried about who has access to their data.
• Users must fully understand their agreement with any service provider. For example, Google's policy states that the company will share data with the government if it has a "good faith belief", and companies are legally prohibited from informing users that their data has been shared with the government.

Legal issues and the cloud

• Protecting data privacy is no longer optional; it is the law!
• Geographical diversity is inherent in cloud service offerings.
• Because data resides in disparate or multiple locations in cloud computing, jurisdiction has become a complex and challenging issue.
• Jurisdictional matters also determine which country's law is applicable to the data.
• This means that both the virtualization and the physical locations of the servers storing and processing data may affect which country's law governs in the event of a data breach or an intrusion into cloud systems.

Privacy concerns slow cloud adoption

• The issue of data privacy and cloud services emerged as one of the top concerns of European IT chiefs.
• Their primary concern is that any data housed, stored or processed by a company that is US based or is wholly owned by a US company would have to be made available for inspection by US authorities under the Patriot Act, while the European Data Protection Directive requires companies to inform users when they disclose personal information.
• Microsoft confirmed that it might be compelled to hand over European customer data to US authorities and that it might not be able to tell customers about its actions.

Terms & Conditions and the issues

iCloud
• Terms and Conditions, or the nature of the service, can change without notice.
• No guarantee that data stays within the EU and US.
• The right to change data in transmission is reserved.

Gmail
• "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."
• Terms and Conditions, or the nature of the service, can change without notice.
• No guarantee that data stays within the EU and US.

Dropbox
• "We may also remove any content from our Services at our discretion."
• Terms and Conditions, or the nature of the service, can change without notice.
• No reference to where data is stored, though it does claim to adhere to the US Safe Harbor laws; hence there is no guarantee it remains in the EU or under Safe Harbor.

Cloud computing

• Data outsourcing: as we are outsourcing our data, which is the most important asset of any firm, data integrity is a big concern.
• Enabling public audit for cloud data storage security is important.
• For better data integrity, the user can ask the CSP for an External Audit Party.

[Diagram: users and their data, the cloud, and the External Audit party]

Third Party Auditor (TPA)

• What is a TPA? An external audit party.
• The TPA works on request of the cloud customer to audit the CSP's data.
• How to audit securely by TPA:
  1) Auditing should be done without the TPA asking for a copy of the data.
  2) The TPA should keep user data privacy in mind while auditing.

[Diagram: users and their data, the External Audit party, and the cloud network]

System and threat model

• CC: cloud customer, which is using the cloud for storage of data.
• CS: cloud server managed by the CSP.
• TPA: external third party auditors who have the capabilities and expertise to audit the data upon request of the CC.
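A toy version of the TPA audit described on the two slides above, added here as an illustration and not part of the original presentation: the cloud customer (CC) precomputes nonce-keyed digests over random samples of its file blocks and hands only those triples to the TPA, so the TPA can challenge the cloud server (CS) without ever holding a copy of the data. This simplified precomputed-challenge scheme, the block size, the fixed seed and the sample file are all assumptions of the example.

```python
import hashlib
import random
from typing import List, Tuple

# A challenge held by the TPA: (nonce, sampled block indices, expected digest).
# It carries no block contents, which is what keeps the user's data private.
Challenge = Tuple[bytes, List[int], bytes]

def split_blocks(data: bytes, block_size: int) -> List[bytes]:
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]

def prove(blocks, nonce, idx) -> bytes:
    """Cloud server (CS) side: digest the fresh nonce together with the
    requested blocks, so a cached answer cannot be replayed and the server
    must actually read the blocks on every audit."""
    h = hashlib.sha256(nonce)
    for i in idx:
        h.update(i.to_bytes(4, "big"))
        h.update(blocks[i])
    return h.digest()

def prepare_challenges(data, block_size, n_challenges, sample_size, seed=0):
    """Cloud customer (CC) side, run once before outsourcing: precompute the
    answers to n_challenges random audits. The seed is fixed only to keep the
    example reproducible; a deployment would draw nonces from os.urandom."""
    blocks = split_blocks(data, block_size)
    rng = random.Random(seed)
    challenges = []
    for _ in range(n_challenges):
        nonce = rng.getrandbits(128).to_bytes(16, "big")
        idx = sorted(rng.sample(range(len(blocks)), sample_size))
        challenges.append((nonce, idx, prove(blocks, nonce, idx)))
    return challenges

def audit(challenges, server_blocks) -> List[int]:
    """TPA side: send each single-use challenge to the server and compare its
    proof with the precomputed digest. Returns the failed challenge numbers."""
    return [n for n, (nonce, idx, expected) in enumerate(challenges)
            if prove(server_blocks, nonce, idx) != expected]

if __name__ == "__main__":
    # Constructed sample file: 8 blocks of 16 bytes, block b filled with byte b.
    data = b"".join(bytes([b]) * 16 for b in range(8))
    chals = prepare_challenges(data, 16, n_challenges=4, sample_size=4)
    honest = split_blocks(data, 16)
    print("honest server, failed challenges:", audit(chals, honest))
    tampered = list(honest)
    tampered[chals[0][1][0]] = b"X" * 16   # corrupt a block challenge 0 samples
    print("tampered server, failed challenges:", audit(chals, tampered))
```

Each challenge can be used once, because after answering it the server has seen the nonce; the CC must top up the TPA's challenge list periodically, and a corrupted block is only caught by challenges that happen to sample it.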

Auditing

• What is auditing? An audit is basically a declaration task that some regular method or practice is followed. According to the category of audit, the auditor methodically examines data for compliance with established criteria.
• Data is a very valuable entity of a business; it can be customer data, employee data, product data or financial data. No firm can compromise on its data.
• "Accountability is Everything"
• Reference: http://searchcio.techtarget.com/searchCIO/downloads/AuditTheDataOrElse.pdf

Audit framework

• Audit control frameworks for the cloud: when adopting new technology of any kind, both system owners and internal auditors must consider not only the business justification for adoption but also the risks inherent to the new technology.
• COBIT, ITIL and ISO 27001 are considered sufficient overall and a worthy starting point.
• The organizations that have been instrumental in exploring the cloud in relation to security and compliance programs, and currently the most active, are CSA, NIST, ISACA and ENISA. These organizations have been leading the development of concepts and guidance sufficient to understand, protect and trust cloud infrastructure.

Frameworks

• ENISA Cloud Risk Assessment: ENISA is the European Network and Information Security Agency. It is a purely advisory organization. Building trust in the cloud: data protection in a large-scale environment and engineering.
• CSA Guidance: the Cloud Security Alliance published its Security Guidance for Critical Areas of Focus in Cloud Computing. This work has become well referenced and considered.
• Entities using COBIT: ISACA is the organization responsible for the control framework COBIT, a readily recognized set of control frameworks for IT systems to meet COSO/SOX requirements and the ISO 27001 ISMS (Information Security Management System). It is a mature framework that has been assessed by many to set standards for the governance of information security. It defines control objectives that can be refined with risk assessment to describe specific control outcomes.
• CloudAudit/A6, the Automated Audit, Assertion, Assessment and Assurance API: the CloudAudit/A6 group is a relatively new organization and a public effort to address audit and compliance of cloud services; it merged with the CSA in 2011. The goal of this group is to allow cloud consumers to check (audit/assess) remote infrastructure via a common interface and namespace. It endeavors to create a common method for providers of cloud computing services to automate audit functions of their infrastructure regardless of platform technology.

Main focus of audit

• Gaps between the SP and the organization.
• Discrepancies in contracts.
• Security and confidentiality.
• Insufficient allocation of resources.
• Data.
• Cost.
• Poor quality testing.

Guidance from these organizations

• Cloud hosted/based systems cannot be protected in the same way as traditional corporate IT systems infrastructure.
• Auditors need more technical knowledge: new controls, or enhanced reliance on security services such as log/event monitoring, identity management, physical security and virtual server technology, may require a level of technical sophistication previously unnecessary for auditors.
• Strong understanding of network scope.

Cloud service myths

• Data privacy and security law compliance is the provider's responsibility.
• The customer must have the right to access the provider's data center and systems for audit purposes.
• Transfer of data outside the EEA is easy if the SP is US-EU Safe Harbor certified.

Compelled disclosure to the government: USA PATRIOT Act

• Originally enacted in 2001, amended in 2005.
• Allows FBI access to certain business records with a court order.
• Also provides for the use of National Security Letters (a form of administrative subpoena) to obtain records.
• The law limits the ability of cloud providers to reveal that they received an order.

Sarbanes-Oxley law

• Created in 2002, also known as the Corporate and Auditing Accountability and Responsibility Act. This legislation for secure reporting systems was created in 2002 to raise the reporting requirements on public companies and their accounting firms, and therefore strengthen public confidence in their performance.
• This is a federal law that was enacted in the United States in reaction to the fact that many European countries were dealing with accounting and corporate scandals, including WorldCom, Peregrine Systems, Adelphia, Tyco International and Enron, which shook up the securities market across the nation. These scandals were costing their investors billions of dollars, and huge companies were collapsing. The law was created to increase accountability and transparency.

Federal Information Security Management Act

• The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or manmade threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
• FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.

Health Information Privacy Accountability Act

• When it comes to health, privacy is of utmost importance. It's also the law. It's necessary to ensure that, even while using a secure Internet service to store data, patient data is on lockdown.
• HIPAA, the Health Insurance Portability and Accountability Act (also known as the Standards for Privacy of Individually Identifiable Health Information), was passed in 1996 by the U.S. Congress and took effect on July 1, 1997. The purpose of the Act is to prevent fraud and abuse in the delivery of sensitive healthcare information.
• This rule gives patients control over how their health information is used, including information put in your medical record, conversations you have with your provider about your treatment, clinical billing information, etc. Under the act, patients are also allowed to request copies of their medical records, have corrections added, and decide whether they want to give permission for health information to be shared.

Graham/Leach/Bliley Act

• This act for banking safeguards and privacy protections was created to enable consolidation in the financial services industry. It contains provisions which are intended to protect the consumer information of customers.
• It is similar to HIPAA. It focuses on maintaining control of private data, data processing and the storage of data, and it also prescribes a risk assessment to apply appropriate servers.

Conclusion and recommendations

• Public auditability for cloud data storage security is of critical importance, so that users can resort to an external audit party to check the integrity of outsourced data when needed.
• Further efforts need to be put into research, standardization and certification schemes, and into adaptations of the legal and regulatory frameworks, to raise the level of trust in cloud computing services.

Recommendations

• Demand transparency by making sure that the cloud provider can supply detailed information on its security architecture and is willing to accept regular security audits. The regular security audit should be performed by an independent body or federal agency.
• Supervisory authorities in the area of data protection and privacy protection must continue developing guidelines and raising awareness regarding data protection and privacy issues.
