Group Members

Praful Gupta (1779553)
Atul (1780033)
Jebin Gs (1779960)

What is personal data?
 Protecting your personal data is a fundamental right in the European Union.
 "Personal data" means any information relating to an identified or identifiable person: anything that can be used to identify you, directly or indirectly, such as your name, telephone number, email address, or place and date of birth.

Sensitivity of personal data
 90% of US consumers want to be asked for permission before their data is shared.
 88% of people are worried about who has access to their data.
 74% of Europeans see disclosing personal information as an increasing part of modern life.
 Google's policy states that the company will share data with the government if it has a "good faith belief" that disclosure is necessary to comply with the law; in such cases the provider may be legally prohibited from telling users that their data has been shared.
 Users must therefore fully understand their agreement with any service provider before entrusting it with personal data.

Legal issues and the cloud
 Protecting data privacy is no longer optional: it is the law.
 Geographical diversity is inherent in cloud service offerings. Because data resides in disparate or multiple locations, jurisdiction has become a complex and challenging issue.
 Both the virtualization and the physical location of the servers that store and process data may determine which country's law governs in the event of a data breach or an intrusion into cloud systems.
 Jurisdiction also determines which country's law applies to the data itself.

Privacy concerns slow cloud adoption
 Data privacy in cloud services has emerged as one of the top concerns of European IT chiefs.
 Their primary concern is that any data housed, stored or processed by a US-based company, or by a company wholly owned by a US company, would have to be made available for inspection by US authorities under the Patriot Act.
 Microsoft confirmed that it might be compelled to hand over European customer data to US authorities and that it might not be able to tell customers about its actions, while the European Data Protection Directive requires companies to inform users when they disclose personal information.

Terms & Conditions and the issues
iCloud
 Terms and Conditions, or the nature of the service, can change without notice.
 The right to change data in transmission is reserved.
 No guarantee that data stays within the EU and US.
Gmail
 "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."
 Terms and Conditions, or the nature of the service, can change without notice.
 No guarantee that data stays within the EU and US.
Dropbox
 "We may also remove any content from our Services at our discretion."
 Terms and Conditions, or the nature of the service, can change without notice.
 No reference to where data is stored, though Dropbox does claim to adhere to the US Safe Harbor framework; hence there is no guarantee that data remains in the EU or under Safe Harbor.

Cloud computing: data outsourcing
 When we outsource data, which is the most important asset of any firm, data integrity becomes a major concern.
 Enabling public auditing of cloud data storage is therefore important.
 To gain assurance of data integrity, the user can engage an external audit party to check the data held by the CSP.
[Figure: data users, the cloud, and an external audit party]

Third Party Auditor (TPA)
 What is a TPA? An external audit party that works on request of the cloud customer to audit the data held by the CSP.
 How can a TPA audit securely?
 1) The audit must be performed without the TPA requesting a copy of the data.
 2) The TPA must preserve the privacy of the user's data throughout the audit.
[Figure: data users, the cloud network, and the external audit party]

System and threat model
 CC: the cloud customer, who uses the cloud to store data.
 CS: the cloud server, managed by the CSP.
 TPA: an external third-party auditor with the capabilities and expertise to audit the data upon request of the CC.
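The audit flow described on the three slides above (the TPA challenges the cloud server on the customer's behalf, verifies integrity without being given a copy of the data, and learns nothing about the contents) can be made concrete with a small challenge-response exchange. The block below is an added illustration written for this page, not code from the original presentation; it follows the structure of the RSA-based provable-data-possession scheme of Ateniese et al. (2007), with constructed toy parameters (a roughly 60-bit modulus, 16-byte blocks, a hardcoded generator) that are far too small for real use. The class and function names (DataOwner, CloudServer, ThirdPartyAuditor, run_audit) and the sample file are assumptions of this example.

```python
"""Toy public auditing of outsourced data (added example, not the slides' code).
The TPA checks that the server still holds every challenged block without
receiving any block. Structure follows the RSA-based PDP scheme of Ateniese
et al.; all parameters are constructed for illustration and are insecure."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

BLOCK_SIZE = 16  # bytes per block; real deployments use kilobyte blocks

# Constructed toy RSA group: N is about 60 bits (use >= 2048 bits in practice).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537                            # public exponent, known to the TPA
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the data owner
G = 4                                # public generator (a quadratic residue)


def _h(v: bytes, i: int) -> int:
    """Index-binding hash h(W_i) with W_i = v || i; stops block/tag swapping."""
    digest = hashlib.sha256(v + i.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % N


def split_blocks(data: bytes) -> list[int]:
    # Each block becomes an integer m_i; the last block may be shorter.
    return [int.from_bytes(data[k:k + BLOCK_SIZE], "big")
            for k in range(0, len(data), BLOCK_SIZE)]


@dataclass
class Challenge:
    indices: list[int]  # sampled block positions
    coeffs: list[int]   # random coefficients a_i, one per sampled block
    s: int              # TPA's per-round secret exponent (never sent)
    g_s: int            # g^s mod N, sent to the server


@dataclass
class Proof:
    T: int      # aggregated tag  prod_i T_i^{a_i} mod N
    rho: bytes  # H(g_s^{sum_i a_i m_i}): a commitment to the data, not the data


class DataOwner:
    """Runs once, before outsourcing: tags every block with the private key."""
    def __init__(self, data: bytes):
        self.v = secrets.token_bytes(16)  # per-file identifier
        self.blocks = split_blocks(data)
        # T_i = (h(W_i) * g^{m_i})^d mod N
        self.tags = [pow(_h(self.v, i) * pow(G, m, N) % N, D, N)
                     for i, m in enumerate(self.blocks)]


class CloudServer:
    """Holds blocks and tags; answers challenges without learning s."""
    def __init__(self, blocks: list[int], tags: list[int]):
        self.blocks, self.tags = list(blocks), list(tags)

    def prove(self, ch: Challenge) -> Proof:
        T, exponent = 1, 0
        for i, a in zip(ch.indices, ch.coeffs):
            T = T * pow(self.tags[i], a, N) % N
            exponent += a * self.blocks[i]      # needs the real block contents
        rho = hashlib.sha256(str(pow(ch.g_s, exponent, N)).encode()).digest()
        return Proof(T, rho)


class ThirdPartyAuditor:
    """Knows only public material: (N, E, G), the file id v and block count n."""
    def __init__(self, v: bytes, n: int):
        self.v, self.n = v, n

    def challenge(self, c: int) -> Challenge:
        indices = sorted(secrets.SystemRandom().sample(range(self.n), c))
        coeffs = [secrets.randbits(64) | 1 for _ in indices]
        s = secrets.randbits(64) | 1
        return Challenge(indices, coeffs, s, pow(G, s, N))

    def verify(self, ch: Challenge, pf: Proof) -> bool:
        # T^e = prod h(W_i)^{a_i} * g^{sum a_i m_i}; divide out the known hashes
        hashes = 1
        for i, a in zip(ch.indices, ch.coeffs):
            hashes = hashes * pow(_h(self.v, i), a, N) % N
        tau = pow(pf.T, E, N) * pow(hashes, -1, N) % N   # = g^{sum a_i m_i}
        expected = hashlib.sha256(str(pow(tau, ch.s, N)).encode()).digest()
        return secrets.compare_digest(expected, pf.rho)


def run_audit(data: bytes, sample: int | None = None,
              tamper_index: int | None = None) -> bool:
    """End-to-end round: owner tags, server stores, TPA challenges and verifies."""
    owner = DataOwner(data)
    server = CloudServer(owner.blocks, owner.tags)
    if tamper_index is not None:
        server.blocks[tamper_index] ^= 1        # silent single-bit corruption
    tpa = ThirdPartyAuditor(owner.v, len(owner.blocks))
    ch = tpa.challenge(len(owner.blocks) if sample is None else sample)
    return tpa.verify(ch, server.prove(ch))


if __name__ == "__main__":
    sample_file = b"constructed sample ledger row\n" * 40   # constructed input
    print("intact file passes  :", run_audit(sample_file))
    print("corrupted block fails:", run_audit(sample_file, tamper_index=5))
```

Two properties map directly onto the TPA requirements on the slides. The TPA never receives a block: the server's answer is one aggregated tag plus a hash of g_s raised to a linear combination of the challenged blocks, and the verifier only ever reconstructs the group element g^(sum a_i m_i), which hides the blocks behind the discrete logarithm problem at real key sizes. The server cannot answer without the data: the exponent in prove() is computed from the stored blocks, and because g_s = g^s is fresh each round and s stays with the TPA, precomputed per-block values do not help. Sampling c of n blocks keeps each audit cheap; a corrupted block is only caught if it is in the sample, so run_audit challenges every block when sample is None and the verifier should raise c (or audit repeatedly) when stronger assurance is needed.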

Auditing
 What is auditing? An audit is essentially a declarative task: it establishes that some defined method or practice is being followed. Depending on the category of audit, the auditor methodically examines data for compliance with established criteria.
 Data is a very valuable asset of a business; it may be customer data, employee data, product data or financial data. No firm can compromise on its data.
 "Accountability is everything."
 Reference: http://searchcio.techtarget… .pdf

Audit frameworks
 Audit control frameworks for the cloud: when adopting new technology of any kind, both system owners and internal auditors must consider not only the business justification for adoption but also the risks inherent to the new technology.
 COBIT, ITIL and ISO 27001 are considered sufficient overall and a worthy starting point.
 The organizations that have been instrumental in exploring the cloud in relation to security and compliance programs are, most actively, CSA, NIST, ISACA and ENISA. These organizations have been leading the development of concepts and guidance sufficient to understand, protect and trust cloud infrastructure.

Frameworks
 ENISA Cloud Risk Assessment: ENISA is the European Network and Information Security Agency, a purely advisory organization. Its focus is building trust in the cloud: data protection in large-scale environments and engineering. This work has become well referenced and considered.
 CSA Guidance: the Cloud Security Alliance published its "Security Guidance for Critical Areas of Focus in Cloud Computing".
 Entities using COBIT: ISACA is the organization responsible for the COBIT control framework, a readily recognized set of control frameworks for IT systems to meet COSO/SOX requirements and ISO 27001 ISMS (Information Security Management System) requirements. It is a mature framework that many have assessed as setting the standard for the governance of information security. It defines control objectives that can be refined through risk assessment to describe specific control outcomes.
 CloudAudit/A6, the Automated Audit, Assertion, Assessment and Assurance API: a relatively new public effort to address audit and compliance of cloud services, which merged with CSA in 2011. Its goal is to allow cloud consumers to check (audit/assess) remote infrastructure via a common interface and namespace, and to create a common method for cloud providers to automate audit functions of their infrastructure regardless of platform technology.

Main focus of the audit
 Gaps between the service provider (SP) and the organization
 Data
 Security and confidentiality
 Cost
 Insufficient allocation of resources
 Discrepancies in contracts
 Poor quality testing

Guidance from these organizations
 Cloud-hosted systems cannot be protected in the same way as traditional corporate IT infrastructure.
 Auditors need more technical knowledge: new controls, or an enhanced reliance on security services such as log/event monitoring, identity management, physical security and virtual server technology, may require a level of technical sophistication previously unnecessary for auditors.
 A strong understanding of the network scope is required.

Cloud service myths
 "Data privacy and security law compliance is the provider's responsibility." In fact the customer, as the data controller, remains accountable for its data.
 "The customer must have the right to access the provider's data center and systems for audit purposes." In practice large providers do not grant individual customers physical access and offer independent third-party audit reports instead.
 "Transfer of data outside the EEA is easy if the SP is US-EU Safe Harbor certified." Certification did not remove the customer's own obligations, and the Safe Harbor framework itself was invalidated by the Court of Justice of the EU in October 2015 (Schrems), as was its successor, Privacy Shield, in July 2020 (Schrems II).

Compelled disclosure to the government: USA PATRIOT Act
 Originally enacted in 2001 and amended (reauthorized) in 2005.
 Allows the FBI access to certain business records with a court order.
 Also provides for the use of National Security Letters (a form of administrative subpoena) to obtain records without a court order.
 The law limits the ability of cloud providers to reveal that they received an order.

Sarbanes-Oxley Act
 Created in 2002; also known as the Corporate and Auditing Accountability, Responsibility, and Transparency Act. It was created to increase accountability and transparency, and thereby strengthen public confidence in the performance of public companies.
 It is a US federal law enacted in reaction to a series of US corporate accounting scandals, including Enron, WorldCom, Tyco International, Adelphia and Peregrine Systems, which shook the securities market across the nation. Huge companies collapsed, and the scandals cost their investors billions of dollars.
 The legislation, enacted in 2002, raised the financial reporting requirements on public companies and their accounting firms and mandated secure, reliable reporting systems.

Federal Information Security Management Act
 The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the E-Government Act of 2002.
 FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.
 The act requires program officials, and the head of each agency, to conduct annual reviews of their information security programs.

Health Insurance Portability and Accountability Act (HIPAA)
 When it comes to health, privacy is of utmost importance. It is also the law: HIPAA was passed in 1996 by the US Congress, with its first provisions effective as of July 1, 1997. Its Privacy Rule (the Standards for Privacy of Individually Identifiable Health Information) governs how protected health information may be used and disclosed; the purpose is to prevent fraud and abuse in the handling of sensitive healthcare information.
 The Privacy Rule gives patients control over how their health information is used, including information put in the medical record, conversations with a provider about treatment, clinical billing information, and so on. Under the act, patients may request copies of their medical records, have corrections added, and decide whether to give permission for their health information to be shared.
 It is necessary to ensure that patient data stays on lockdown even while using a secure Internet service to store it.

Gramm-Leach-Bliley Act
 This act, providing banking safeguards and privacy protections, was created to enable consolidation in the financial services industry.
 It contains provisions intended to protect the personal financial information of customers. Like HIPAA, it focuses on maintaining control over private data, covering its collection, processing and storage, and it prescribes a risk assessment to determine and apply appropriate safeguards.

Conclusion and recommendations
 Public auditability of cloud data storage is of critical importance, so that users can resort to an external audit party to check the integrity of outsourced data when needed.
Recommendations
 Demand transparency: make sure the cloud provider can supply detailed information on its security architecture and is willing to accept regular security audits. The regular security audit should be performed by an independent body or a federal agency.
 Further effort is needed in research, standardization and certification schemes, and in adapting the legal and regulatory frameworks, to raise the level of trust in cloud computing services.
 Supervisory authorities in the area of data protection and privacy must continue to develop guidelines and raise awareness of data protection and privacy issues.