Group Members:
Praful Gupta (1779553)
Atul (1780033)
Jebin Gs (1779960)

What is personal data?
• Protecting your personal data is a fundamental right in the European Union.
• 'Personal data' relates to any personal information which can be used to identify you, directly or indirectly, such as your name, your telephone number, your email address, your place and date of birth, etc.

Sensitivity of personal data
• 90% of US consumers want to be asked to give permission for their data to be shared.
• Users must fully understand their agreement with any service provider.
• 74% of Europeans see disclosing personal information as an increasing part of modern life.
• 88% of people are worried about who has access to their data.
• Google's policy states that the company will share data with the government if it has a "good faith belief". Moreover, it is legally prohibited from informing users that their data has been shared with the government.

Legal Issues and the Cloud
• Protecting data privacy is no longer optional: it's the law!
• Geographical diversity is inherent in cloud service offerings.
• Because data resides in disparate or multiple locations in cloud computing, jurisdiction has become a complex and challenging issue.
• Jurisdictional matters also determine which country's law is applicable to the data.
• This means that both the virtualization and the physical locations of the servers storing and processing data may potentially affect which country's law governs in the event of a data breach or an intrusion into cloud systems.

Privacy Concerns Slow Cloud Adoption
• The issue of data privacy and cloud services emerged as one of the top concerns of European IT chiefs.
• Microsoft confirmed that it might be compelled to hand over European customer data to US authorities and that it might not be able to tell customers about its actions.
• Their primary concern is that any data housed, stored or processed by a company that is US based or is wholly owned by a US company would have to be made available for inspection by US authorities under the Patriot Act, while the European Data Protection Directive requires companies to inform users when they disclose personal information.

Terms & Conditions and the Issues
iCloud
• Terms and Conditions, host, or nature of service can change without notice.
• No guarantee that data stays within the EU and US.
• The right to change data in transmission is reserved.
Dropbox
• 'We may also remove any content from our Services at our discretion.'
• Terms and Conditions, host, or nature of service can change without notice.
• No reference to where data is stored, hence no guarantee it remains in the EU or under Safe Harbor, though Dropbox does claim to adhere to the US Safe Harbor laws.
Gmail
• 'When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.'
• Terms and Conditions, host, or nature of service can change without notice.
• No guarantee that data stays within the EU and US.

Cloud Computing
• Data outsourcing: as we are outsourcing the data that is most important to any firm, data integrity is a big concern.
• Enabling public audit of cloud data storage security is important.
• For better data integrity, the user can ask the CSP for an External Audit Party.
(Figure: data users, an External Audit party and the Cloud)

(Figure: data users, an External Audit party and the cloud network)
Third Party Auditor (TPA)
• What is a TPA? An external audit party.
• The TPA works on request of the cloud customer to audit the CSP's data.
• How a TPA audits securely:
 1) The auditing should be done without the TPA asking for a copy of the data.
 2) The TPA should keep user data privacy in mind while auditing.

System and Threat Model
• CC: Cloud Customer, who uses the cloud for storage of data.
• CS: Cloud Server, managed by the CSP.
• TPA: external Third Party Auditor, who has the capabilities and expertise to audit the data upon request of the CC.
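The three roles just listed, together with the earlier requirement that a TPA audit without asking for a copy of the data, can be shown as a small challenge-response simulation. This is an added example written for this page, not code from the slides or from any product; it assumes a simplified precomputed-token scheme (the CC hashes random nonces over chosen blocks before uploading and hands only the tokens to the TPA), and the names CloudCustomer, CloudServer, ThirdPartyAuditor and proof_digest are invented here. Research protocols use homomorphic tags so that tokens never run out; this version trades that for simplicity.

```python
"""Constructed illustration of a privacy-preserving third-party audit.

CC precomputes single-use tokens (nonce, block indices, expected digest)
before outsourcing its data.  The TPA later sends the nonce and indices to
CS and compares CS's digest with the token.  The TPA never holds the data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

BLOCK_SIZE = 64  # bytes per block; constructed value for the demo


@dataclass(frozen=True)
class Challenge:
    nonce: bytes    # fresh random value, unknown to the server until the audit
    indices: tuple  # blocks the server must digest, in this order


@dataclass(frozen=True)
class AuditToken:
    challenge: Challenge
    expected: bytes  # digest an untampered server must reproduce


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list:
    """Split outsourced data into fixed-size blocks (last one may be short)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def proof_digest(challenge: Challenge, blocks: list) -> bytes:
    """SHA-256 over the nonce, then each challenged index and its block.

    Binding the index stops a server from answering with equal content
    stored at a different position.
    """
    h = hashlib.sha256(challenge.nonce)
    for i in challenge.indices:
        h.update(i.to_bytes(4, "big"))
        h.update(blocks[i])
    return h.digest()


class CloudCustomer:
    """CC: owns the data and precomputes tokens before uploading it."""

    def __init__(self, data: bytes):
        self.blocks = split_blocks(data)

    def make_tokens(self, count: int, blocks_per_challenge: int) -> list:
        rng = secrets.SystemRandom()
        k = min(blocks_per_challenge, len(self.blocks))
        tokens = []
        for _ in range(count):
            idx = tuple(sorted(rng.sample(range(len(self.blocks)), k)))
            ch = Challenge(secrets.token_bytes(32), idx)
            tokens.append(AuditToken(ch, proof_digest(ch, self.blocks)))
        return tokens


class CloudServer:
    """CS: stores the blocks and answers challenges by recomputing the digest."""

    def __init__(self, blocks: list):
        self.blocks = list(blocks)

    def respond(self, challenge: Challenge) -> bytes:
        return proof_digest(challenge, self.blocks)

    def corrupt_block(self, index: int, new_content: bytes) -> None:
        """Simulates silent data loss or modification on the provider side."""
        self.blocks[index] = new_content


class ThirdPartyAuditor:
    """TPA: holds only tokens (nonce, indices, digest), never the data."""

    def __init__(self, tokens: list):
        self._tokens = list(tokens)

    def tokens_left(self) -> int:
        return len(self._tokens)

    def audit(self, server: CloudServer) -> bool:
        """Consumes one single-use token; True iff the server's answer matches."""
        if not self._tokens:
            raise RuntimeError("no unused audit tokens; the customer must issue more")
        token = self._tokens.pop()
        answer = server.respond(token.challenge)
        return hmac.compare_digest(answer, token.expected)


def run_audit_demo() -> tuple:
    """Constructed scenario: an honest audit passes, an audit after corruption fails."""
    data = b"".join(bytes([b]) * BLOCK_SIZE for b in range(16))  # 16 constructed blocks
    cc = CloudCustomer(data)
    tokens = cc.make_tokens(count=4, blocks_per_challenge=16)  # every block challenged
    server = CloudServer(cc.blocks)
    tpa = ThirdPartyAuditor(tokens)
    honest = tpa.audit(server)
    server.corrupt_block(5, b"\x00" * BLOCK_SIZE)
    after_tamper = tpa.audit(server)
    return honest, after_tamper


if __name__ == "__main__":
    print(run_audit_demo())
```

The demo challenges all blocks so the corruption is caught deterministically; with a random subset of c out of n blocks, a single corrupted block is detected with probability c/n per audit, which is why real schemes issue many challenges over time. Tokens must not be reused: once a nonce has been answered, a dishonest server could simply replay the digest.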

Auditing
• What is auditing? An audit is basically a declaration task that some regular method or practice is followed. According to the category of audit, the auditor methodically examines data for compliance with established criteria.
• Data is a very valuable entity of a business; it can be customer data, financial data, product data or employee data. No firm can compromise on its data.
• "Accountability is Everything"
• Reference: http://searchcio.techtarget.com/searchCIO/downloads/AuditTheDataOrElse.pdf

Audit Framework
• Audit control frameworks for the cloud: when adopting new technology of any kind, both system owners and internal auditors must consider not only the business justification for adoption but also the risks inherent to the new technology.
• COBIT, ITIL and ISO 27001 are considered sufficient overall and a worthy starting point.
• The organizations that have been instrumental in exploring the cloud in relation to security and compliance programs, and that are currently the most active, are CSA, NIST, ISACA and ENISA. These organizations have been leading the development of concepts and guidance sufficient to understand, protect and trust cloud infrastructure.

Frameworks
• ENISA Cloud Risk Assessment: ENISA is the European Network and Information Security Agency. It is a purely advisory organization. Its work covers building trust in the cloud, and data protection in large-scale environments and engineering.
• CSA Guidance: the Cloud Security Alliance published security guidance for critical areas of focus in cloud computing. This work has become well referenced and considered.
• Cloud Audit / A6: the Automated Audit, Assertion, Assessment and Assurance API. The Cloud Audit/A6 group is a relatively new organization and a public effort to address audit and compliance of cloud services; it merged with CSA in 2011. The goal of this group is to allow cloud consumers to check (audit/assess) remote infrastructure via a common interface and namespace. It endeavors to create a common method for providers of cloud computing services to automate audit functions of their infrastructure regardless of platform technology.
• Entities using COBIT: ISACA is the organization responsible for the control framework COBIT, a readily recognized set of control frameworks for IT systems to meet COSO/SOX requirements and the ISO 27001 ISMS (Information Security Management System). It is a mature framework that has been assessed by many to set standards for the governance of information security. It defines control objectives that can be refined with risk assessment to describe specific control outcomes.

Main focus of audit
• Gaps between the SP and the organization
• Security and confidentiality
• Discrepancies in contracts
• Poor quality testing
• Insufficient allocation of resources
• Cost
• Data

Guidance from these organizations
• Auditors need more technical knowledge: new controls or enhanced reliance on security services such as log/event monitoring, identity management, physical security and virtual server technology may require a level of technical sophistication previously unnecessary for auditors.
• A strong understanding of network scope.
• Cloud hosted/based systems cannot be protected in the same way as traditional corporate IT systems infrastructure.

Cloud Service Myths
• Data privacy and security law compliance is the provider's responsibility.
• Customers must have the right to access the provider's data center and systems for audit purposes.
• Transfer of data outside the EEA is easy if the SP is US-EU Safe Harbor certified.

COMPELLED DISCLOSURE TO THE GOVERNMENT: USA PATRIOT ACT
• Originally enacted in 2001, amended in 2005
• Allows FBI access to certain business records with a court order
• Also provides for use of National Security Letters (a form of administrative subpoena) to obtain records
• The law limits the ability of cloud providers to reveal that they received an order.

SARBANES-OXLEY LAW
• Created in 2002, also known as the Corporate and Auditing Accountability and Responsibility Act. This legislation for secure reporting systems was created in 2002 to raise the reporting requirements on public companies and their accounting firms. It was created to increase accountability and transparency, and therefore strengthen public confidence in their performance.
• This is a federal law that was enacted in the United States in reaction to the fact that many European countries were dealing with accounting and corporate scandals including WorldCom, Peregrine Systems, Adelphia, Tyco International and Enron, which shook up the securities market across the nation. These scandals were costing billions of dollars to their investors, and huge companies were collapsing.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
• The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or manmade threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
• FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.

HEALTH INFORMATION PRIVACY ACCOUNTABILITY ACT
• When it comes to health, privacy is of utmost importance. It's also the law. It's necessary to ensure that, even while using a secure Internet service to store data, patient data is on lockdown.
• HIPAA, the Health Insurance Portability and Accountability Act (also known as the Standards for Privacy of Individually Identifiable Health Information), was passed in 1996 by the U.S. Congress and effective as of July 1, 1997. The purpose of the Act is to prevent fraud and abuse in the delivery of sensitive healthcare information.
• This rule gives patients control over how their health information is used, including information put in your medical record, conversations you have with your provider about your treatment, clinical billing information, etc. Under the act, patients are also allowed to request copies of their medical records, have corrections added, and decide if they want to give permission for health information to be shared.

GRAMM/LEACH/BLILEY ACT
• This act for banking safeguards and privacy protections was created to enable consolidation in the financial services industry. It contains provisions which intend to protect the consumer information of customers.
• It is similar to HIPAA. It focuses on maintaining control of privacy data, and it also prescribes a risk assessment to apply appropriate safeguards to servers, data processing and storage of data.

CONCLUSION AND RECOMMENDATIONS
• The public auditability of cloud data storage security is of critical importance so that users can resort to an external audit party to check the integrity of outsourced data when needed.
RECOMMENDATIONS
• Demand transparency by making sure that the cloud provider can supply detailed information on its security architecture and is willing to accept regular security audits. The regular security audit should be from an independent body or federal agency.
• Supervisory authorities in the area of data protection and privacy protection must continue developing guidelines and raising awareness regarding data protection and privacy issues.
• Further efforts need to be put into research, standardization and certification schemes, and into adaptations of the legal and regulatory frameworks, in order to raise the level of trust in cloud computing services.