
Group Members

Praful Gupta (1779553)
Atul (1780033)
Jebin Gs (1779960)

What are personal data?
• Protecting your personal data is a fundamental right in the European Union.
• 'Personal data' means any personal information which can be used to identify you, directly or indirectly, such as your name, your telephone number, your email address, your place and date of birth, etc.

Sensitivity of personal data
• 74% of Europeans see disclosing personal information as an increasing part of modern life.
• 88% of people are worried about who has access to their data.
• 90% of US consumers want to be asked to give permission before their data is shared.
• Users must fully understand their agreement with any service provider. For example, Google's policy states that the company will share data with the government if it has a "good faith belief", and it is legally prohibited from informing users that their data has been shared with the government.

Legal issues and the cloud
• Protecting data privacy is no longer optional: it is the law.
• Geographical diversity is inherent in cloud service offerings.
• Jurisdictional matters also determine which country's law is applicable to the data. Because data in cloud computing resides in disparate or multiple locations, jurisdiction has become a complex and challenging issue.
• This means that both the virtualization and the physical locations of the servers storing and processing data may affect which country's law governs in the event of a data breach or an intrusion into cloud systems.

Privacy concerns slow cloud adoption
• The issue of data privacy and cloud services emerged as one of the top concerns of European IT chiefs.
• Their primary concern is that any data housed, stored or processed by a company that is US based, or is wholly owned by a US company, would have to be made available for inspection by US authorities under the Patriot Act.
• Microsoft confirmed that it might be compelled to hand over European customer data to US authorities and that it might not be able to tell customers about its actions, while the European Data Protection Directive requires companies to inform users when they disclose personal information.

Terms & Conditions and the issues
iCloud
• The right to change data in transmission is reserved.
• Terms and Conditions, or the nature of the service, can change without notice.
• No guarantee that data stays within the EU and US.
Gmail
• "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."
• Terms and Conditions, or the nature of the service, can change without notice.
• No guarantee that data stays within the EU and US.
Dropbox
• "We may also remove any content from our Services at our discretion."
• Terms and Conditions, or the nature of the service, can change without notice.
• No reference to where data is stored, though Dropbox does claim to adhere to the US Safe Harbor laws; hence there is no guarantee that data remains in the EU or under Safe Harbor.

Cloud computing
• Data outsourcing: as we are outsourcing our data, which is the most important asset of any firm, data integrity is a big concern.
• Enabling public audit of cloud data storage security is important.
• For better data integrity, the user can ask the CSP for an External Audit Party.
[Diagram: data users, the cloud, and an External Audit party]

Third Party Auditor (TPA)
• What is a TPA? An external audit party.
• The TPA works on request of the cloud customer to audit the data held by the CSP.
• How the TPA audits securely:
  1) Auditing should be done without the TPA asking for a copy of the data.
  2) The TPA should keep user data privacy in mind while auditing.
[Diagram: data users, the cloud network, and an External Audit party]
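The two requirements above (audit without a copy of the data, and without exposing it to the auditor) can be met with a precomputed-challenge scheme. The following is an added illustration, not code from the slides or from any named provider: the customer (CC) computes a budget of single-use nonce/digest pairs before outsourcing, the TPA holds only that table, and the cloud server (CS) must hash the full file on every challenge. All names and the sample file are constructed.

```python
"""Toy precomputed-challenge integrity audit (constructed example).
Roles follow the slide's model: CC = owner, CS = cloud server, TPA = auditor."""
import hashlib
import hmac
import secrets


def digest(nonce: bytes, data: bytes) -> bytes:
    """Response the server must produce for a given nonce: SHA-256(nonce || data)."""
    return hashlib.sha256(nonce + data).digest()


def owner_prepare(data: bytes, budget: int) -> list[tuple[bytes, bytes]]:
    """CC: before outsourcing, precompute `budget` single-use (nonce, expected) pairs.
    Only this table is handed to the TPA; the data itself never is."""
    return [(nonce, digest(nonce, data))
            for nonce in (secrets.token_bytes(16) for _ in range(budget))]


class CloudServer:
    """CS managed by the CSP. It cannot answer correctly unless it still holds
    the complete, unmodified file, because the nonce is unknown in advance."""
    def __init__(self, data: bytes) -> None:
        self.stored = bytearray(data)

    def respond(self, nonce: bytes) -> bytes:
        return digest(nonce, bytes(self.stored))


class Auditor:
    """TPA: holds the challenge table only, no data and no key, so user privacy
    is preserved while integrity is still checked."""
    def __init__(self, table: list[tuple[bytes, bytes]]) -> None:
        self.table = list(table)

    def audit(self, server: CloudServer) -> bool:
        if not self.table:
            raise RuntimeError("challenge budget exhausted; CC must issue a new table")
        nonce, expected = self.table.pop()  # single use: a nonce is never replayed
        return hmac.compare_digest(server.respond(nonce), expected)


def run_demo() -> dict[str, bool]:
    data = b"constructed sample file: customer ledger Q3 (stands in for a large blob)"
    tpa = Auditor(owner_prepare(data, budget=3))
    honest = CloudServer(data)
    tampered = CloudServer(data)
    tampered.stored[5] ^= 0x01            # a single flipped bit is caught
    truncated = CloudServer(data[:-1])    # silently dropping the last byte is caught
    return {"honest": tpa.audit(honest),
            "tampered": tpa.audit(tampered),
            "truncated": tpa.audit(truncated)}


if __name__ == "__main__":
    print(run_demo())
```

The trade-off is the fixed challenge budget: once the table is spent the owner must recompute a new one, which is why production schemes move to homomorphic authenticators that allow unbounded challenges.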

System and threat model
• CC: the cloud customer, who uses the cloud for storage of data.
• CS: the cloud server, managed by the CSP.
• TPA: external third party auditors who have the capabilities and expertise to audit the data upon request of the CC.

Auditing
• What is auditing? An audit is basically a declaration task confirming that some regular method or practice is followed. Depending on the category of audit, the auditor methodically examines data for compliance with established criteria.
• Data is a very valuable entity of a business: it can be customer data, financial data, employee data or product data. No firm can compromise on its data.
• "Accountability is Everything"
• Reference: http://searchcio.techtarget.pdf

Audit framework
• Audit control frameworks for the cloud: when adopting new technology of any kind, both system owners and internal auditors must consider not only the business justification for adoption but also the risks inherent to the new technology.
• COBIT, ITIL and ISO 27001 are considered sufficient overall and a worthy starting point.
• Among the organizations that have been instrumental in exploring the cloud in relation to security and compliance programs, the most active are currently CSA, NIST, ISACA and ENISA. These organizations have been leading the development of concepts and guidance sufficient to understand, protect and trust cloud infrastructure.

Frameworks
• ENISA Cloud Risk Assessment: ENISA is the European Network and Information Security Agency. It is a purely advisory organization. This work has become well referenced and considered, covering building trust in the cloud and data protection in large-scale environments.
• CSA Guidance: the Cloud Security Alliance published Security Guidance for Critical Areas of Focus in Cloud Computing.
• Entities using COBIT: ISACA is the organization responsible for the control framework COBIT, a readily recognized set of control frameworks for IT systems to meet COSO/SOX requirements and the ISO 27001 ISMS (Information Security Management System). It is a mature framework that has been assessed by many to set standards for the governance of information security. It defines control objectives that can be refined with risk assessment to describe a specific control outcome.
• CloudAudit/A6, the Automated Audit, Assertion, Assessment and Assurance API: the CloudAudit/A6 group is a relatively new organization and a public effort to address audit and compliance of cloud services; it merged with CSA in 2011. It endeavors to create a common method for providers of cloud computing services to automate audit functions of their infrastructure regardless of platform technology. The goal of this group is to allow cloud consumers to check (audit/assess) remote infrastructure via a common interface and namespace.

Main focus of audit
• Gaps between the SP and the organization
• Cost
• Security and confidentiality
• Discrepancies in contracts
• Poor quality testing
• Insufficient allocation of resources
• Data

Guidance from these organizations
• Auditors need more technical knowledge: new controls, or enhanced reliance on security services such as log/event monitoring, identity management, physical security and virtual server technology, may require a level of technical sophistication previously unnecessary for auditors.
• A strong understanding of network scope is required.
• Cloud hosted/based systems cannot be protected in the same way as traditional corporate IT systems infrastructure.

Cloud service myths
• Data privacy and security law compliance is the provider's responsibility.
• The customer must have the right to access the provider's data center and systems for audit purposes.
• Transfer of data outside the EEA is easy if the SP is US-EU Safe Harbor certified.

COMPELLED DISCLOSURE TO THE GOVERNMENT: USA PATRIOT ACT
• Originally enacted in 2001, amended in 2005
• Allows FBI access to certain business records with a court order
• Also provides for use of National Security Letters (a form of administrative subpoena) to obtain records
• The law limits the ability of cloud providers to reveal that they received an order

SARBANES-OXLEY LAW
• Created in 2002, also known as the Corporate and Auditing Accountability and Responsibility Act.
• This is a federal law that was enacted in the United States in reaction to the fact that many European countries were dealing with accounting and corporate scandals, including WorldCom, Tyco International, Enron, Adelphia and Peregrine Systems. These scandals were costing their investors billions of dollars, huge companies were collapsing, and the securities market across the nation was shaken up.
• This legislation for secure reporting systems was created in 2002 to raise the reporting requirements on public companies and their accounting firms, to increase accountability and transparency, and therefore to strengthen public confidence in their performance.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
• The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
• FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.

HEALTH INFORMATION PRIVACY ACCOUNTABILITY ACT
• When it comes to health, privacy is of utmost importance. It is necessary to ensure that patient data is on lockdown, even while using a secure Internet service to store data. It is also the law.
• HIPAA, the Health Insurance Portability and Accountability Act (also known as the Standards for Privacy of Individually Identifiable Health Information), was passed in 1996 by the U.S. Congress and became effective as of July 1, 1997. The purpose of the Act is to prevent fraud and abuse in the delivery of sensitive healthcare information.
• This rule gives patients control over how their health information is used, including information put in your medical record, conversations you have with your provider about your treatment, clinical billing information, etc. Under the act, patients are also allowed to request copies of their medical records, have corrections added, and decide whether they want to give permission for health information to be shared.

GRAMM-LEACH-BLILEY ACT
• This act for banking safeguards and privacy protections was created to enable consolidation in the financial services industry. It contains provisions which intend to protect the consumer information of customers.
• It is similar to HIPAA. It focuses on maintaining control of privacy data, and it also prescribes a risk assessment to apply to servers, data processing and storage of data.

CONCLUSION AND RECOMMENDATIONS
• Public auditability of cloud data storage security is of critical importance so that users can resort to an external audit party to check the integrity of outsourced data when needed.
• Supervisory authorities in the area of data protection and privacy protection must continue developing guidelines and raising awareness regarding data protection and privacy issues.
• Further efforts need to be put into research, standardization and certification schemes, and into adapting the legal and regulatory frameworks, to raise the level of trust in cloud computing services.
RECOMMENDATIONS
• Demand transparency by making sure that the cloud provider can supply detailed information on its security architecture and is willing to accept regular security audits. The regular security audit should be performed by an independent body or a federal agency.