Legalities Over the Cloud and Who Owns your Data

When trying to figure out who has rights to your data, there are three things to consider: you, the cloud provider, and the region your data is held in. Many of the issues arise from varying laws: your data might be held in a different country than the one you uploaded it from. So even after you figure out what your agreement with a Cloud provider is, the provider can be subject to the particular laws of another country; for instance, America has a set of laws known as the Patriot Act, which grants the US government access under certain conditions. So even after you figure out who owns the data, and what that means, you might not have control over who is accessing the data.

When you decide on a Cloud provider, there are a number of things that you want to look at. One of them is the terms of service, which will most likely define how a provider views your data and what they can do with it. The terms of service will be restricted by your region’s governing principles. For instance, England has the ‘Copyright and Rights in Databases Regulations 1997’ to help clear up some of the vagaries of this new technological development. The law defines two types of data: one that is protected by copyright law, and one that isn’t but is still regulated in its own way. The existence of the law is a step in the right direction towards clarifying ownership of the information that is being stored in the Cloud.

To confuse the issue even further, some of your information may be stored in your own database while you use a Cloud service to handle it from time to time. Or your Cloud provider may be contracting out to another Cloud provider, so they may host your information in a storage unit that isn’t their own. Each of these situations has unique problems, and each part of this chain of concerns depends on user agreements and the particular governing bodies. So there is no single solution to the question of who owns your data, and as this issue becomes generally understood, hopefully we will see some best practices winning out. I wouldn’t necessarily say there is no way to find out, though. There are some things that can be done to better understand what is happening. Unfortunately, one of those things is reading over all your relevant user agreements, and as one source claims, it would take roughly 250 working hours to read all the user/privacy agreements most of us come across in one year. So you have to balance your need to know with your time, but be warned: the details are important.

Understanding the governing rules of the region where your data is being held or processed is not insignificant either. Each region is going to have its own governing rules about what happens when data is processed, and the processing of the data may influence who owns the data now that it has been changed. So each step and movement of your data becomes an important issue to consider when deciding on a Cloud provider.

Who owns your data, then? It depends on the governing laws and the user agreement made between you and the Cloud provider. It also depends upon the governing laws of the place where your data is being held, in addition to the agreements that your cloud provider may be making with their own cloud provider. So much falls under the umbrella of Cloud services that often one type of Cloud provider will outsource to another type of Cloud provider.

Interoperability and Cloud Services

Interoperability, in a general sense, is the ability of one infrastructure to connect and communicate with another without something translating or restricting access. In simpler terms, a service is formatted to allow cross-platform communication. Word and Pages were not always interoperable, but rich text formatting was interoperable between the two. The ability for data to be moved from one format to another without a middle man is a key element. The other element for many service providers is access, particularly if their product is the dominant one. The vendor of a dominant product would want to restrict certain information to maximize their product’s capabilities. So for something to be interoperable, the data must be easily moved and all of the data must be available, which is difficult for businesses to manage.

Each Cloud Service is going to want to showcase a unique product to their customer base. Essentially they will want to carve out a niche, if not become the primary provider; to do that they need to have a unique and powerful offering.

Being able to distinguish their service from others is paramount for a Cloud provider to thrive in this new culture. As with most new industries, there is a relatively massive push and pull between different standards. Like the classic examples of Apple and Microsoft, or even VHS and Betamax, this polar competition is a rough approximation of the standardization issues in interoperability of Cloud Services. In the Cloud world there is a much larger variety of services, even types of services, but the nitty-gritty of the issue is a company’s need to distinguish itself amongst its competitors.

The vendor of a particular Cloud service may feel that they have a nifty offering, and they wouldn’t want to create an inferior product to meet an industry standard. If there ever is an industry standard, each company will have to decide whether portability of offerings is necessary for them to compete with other services. They will be deciding between the particulars of their own offering and the offerings needed to port from their competitors. But letting customers move from a competitor also means their own customers can move to one of their competitors. Portability is the ability to port or move your data from one system to another, and not surprisingly, the main issue with portability is interoperability: the ability of your data, software, or platform to communicate and integrate with other services is the main difficulty with moving it. I am using data in a very general sense; it can mean literally the information stored on a SaaS system, or the programs that are stored in a PaaS system, for instance. The interoperability of your data wedges into this issue of porting information from one system to another. Strides are being made in interoperability, and there is a growing desire from parts of the industry to have a standard to ease it.

As a vendor of a Cloud service, you have to consider whether you are utilizing the best practices as well as what is good for your company. Your company may be able to beat out competitors by providing the best services, and then the adoption of a standard set of services necessary for interoperability might cut down on the services offered. A company could end up giving up a competitive edge in pursuit of complying with an industry standard. So the need to be interoperable is not a task to consider lightly. There are many standardizations that would be good for a consumer but not necessarily for a vendor.

VM snapshots for efficient Forensic Investigation

Cloud computing is a technology which allows users to access storage, software, infrastructure and deployment environments based on a model named “pay-for-what-they-use”. The cloud environment is multi-tenant and dynamic, and there is a need to address the various legal, technical and organizational challenges regarding cloud storage.

Despite the dynamic nature of the cloud environment, it is possible for digital investigations to be carried out in it. Digital forensics in the cloud has to adhere to a number of steps, as was the case with traditional computer forensics. These steps include Identification, Collection, Examination and Reporting/Presentation. The first step involves identifying the source of evidence, while the collection phase involves identifying the actual evidence and collecting the necessary data. The examination stage involves analyzing the forensic data, while in the reporting phase the evidence found is presented in a court of law.

Digital investigators experience challenges as a result of the legal, technical and organizational requirements. If the CSP has been compromised, then the evidence it provides will not be genuine. The data you are relying on as evidence might have been injected by a malicious individual.

A number of digital devices currently use the cloud, but investigators are given little chance to obtain the evidence. The available agreement may not state the role of the CSP in carrying out the investigation or its responsibility at the time the crime occurred. The CSP might have failed to keep logs, which are an important part of getting evidence regarding the occurrence of a crime. The investigator also has to rely on the CSP for collection of the necessary log files, and this is not easy. Many researchers have clearly stated that many investigators experience difficulties in trying to collect the log files.

The cloud service provider will provide its clients with a number of different services, and it has been found that only a few customers from the same organization will be accessing the same services. Malicious users are capable of stealing sensitive data from other users, and this can negatively affect trust in the CSP. The cloud needs to protect against these malicious activities by using Intrusion Detection Mechanisms to monitor customer VMs and detect malicious activity.

A user can use his or her physical machine to create a VM. Rather than the user having to request it, some cloud software such as OpenStack and Eucalyptus will create snapshots from a running VM and then store the snapshots until the VM has terminated. If the maximum number of VMs is reached, the older VMs will be deleted from the system. The snapshots from a cloud environment are a great source of digital evidence, and they can be used to regenerate events. It is hard, however, to store numerous snapshots. Snapshots have also been found to slow the virtual machine; how much depends on the rate at which the VM has changed since the snapshot was taken and the period of time for which the snapshot is stored.

Malicious activities will be identified when the users of a VM carry out actions such as uploading malware to the systems in the cloud infrastructure, making excessive access from one location, or performing numerous downloads or uploads within a short period of time. Other activities which can be suspicious include cracking of passwords, launching of dynamic attack points and deleting or corrupting sensitive organization data.
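The two countable indicators above (numerous uploads or downloads in a short period, and excessive access from one location) can be used to decide which VMs to snapshot. The following is an added example, not code from the original page or from OpenStack or Eucalyptus; the log format, window size and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window
MAX_TRANSFERS = 4                # assumed: more than 4 uploads/downloads per window
MAX_SOURCE_HITS = 6              # assumed: more than 6 requests from one source per window
TRANSFER_ACTIONS = {"upload", "download"}


def parse(line):
    """Parse an assumed 'timestamp vm source action' record."""
    ts, vm, source, action = line.split()
    return datetime.fromisoformat(ts), vm, source, action


def detect(lines):
    """Return (timestamp, vm, reason) the first time each VM crosses a threshold."""
    transfers = defaultdict(deque)   # vm -> recent transfer timestamps
    hits = defaultdict(deque)        # (vm, source) -> recent request timestamps
    alerts, seen = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, vm, source, action = parse(line)
        checks = [(hits[(vm, source)], MAX_SOURCE_HITS, "excessive-access")]
        if action in TRANSFER_ACTIONS:
            checks.append((transfers[vm], MAX_TRANSFERS, "transfer-burst"))
        for window, limit, reason in checks:
            window.append(ts)
            while ts - window[0] > WINDOW:      # drop events older than the window
                window.popleft()
            if len(window) > limit and (vm, reason) not in seen:
                seen.add((vm, reason))
                alerts.append((ts.isoformat(), vm, reason))
    return alerts


def vms_to_snapshot(alerts):
    """VMs that should be snapshotted for evidence, in order of first alert."""
    ordered = []
    for _, vm, _ in alerts:
        if vm not in ordered:
            ordered.append(vm)
    return ordered


def constructed_log():
    """Constructed sample events; addresses are documentation ranges."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(3):   # vm-a: three downloads spread over ten minutes
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} vm-a 198.51.100.7 download")
    for i in range(6):   # vm-b: six uploads within thirty seconds
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} vm-b 203.0.113.9 upload")
    for i in range(8):   # vm-c: eight logins from one source within forty seconds
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} vm-c 192.0.2.44 login")
    return sorted(lines)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    found = detect(constructed_log())
    for alert in found:
        print(alert)
    print("snapshot:", vms_to_snapshot(found))
```

Taking the snapshot only when an alert fires keeps the number of stored snapshots small, which addresses the storage and slowdown cost described above.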

Encryption of Data in the Cloud

Many organisations are nowadays looking at how to take advantage of cloud computing, but the security of their data remains a serious concern. However, there are several mechanisms which can help you encrypt your data in the cloud and ensure there is effective data protection.

As organisations grow in size, they experience security challenges which they lack the knowledge and experience to handle. Although most IT experts conclude that encryption of cloud data is the key to security, the approach can be daunting, especially for small to mid-sized businesses. The process of managing encryption keys in a cloud environment is not easy. The encryption key should be kept separate from the encrypted data, and this is a challenge, especially in a cloud environment with asymmetrical growth.

Encryption keys should be stored in a separate storage block or server. To stay protected against disasters, the encryption keys should be backed up in offline storage. The backup needs to be audited on a regular basis, probably each month, to ensure that it is free from corruption. Although some of the keys will expire automatically, others need to be refreshed, which calls for a refresh schedule. For improved security, the keys themselves should be encrypted, while the master and recovery keys should be protected with multi-factor authentication.
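One way to run the monthly audit described above, as an added example that is not from the original page: it checks each key record for an intact offline backup, separation from the data store, encryption of the key itself, audit age and refresh date. The record fields, store names and the 31-day interval are assumptions, and the key blobs are constructed placeholders.

```python
import hashlib
from datetime import date, timedelta

AUDIT_INTERVAL = timedelta(days=31)   # assumed reading of "each month"


def audit_key_backups(inventory, backups, data_store, today):
    """Return (key_id, finding) pairs for every rule a key record violates."""
    findings = []
    for rec in inventory:
        kid = rec["key_id"]
        blob = backups.get(kid)
        if blob is None:
            findings.append((kid, "no offline backup"))
        elif hashlib.sha256(blob).hexdigest() != rec["backup_sha256"]:
            findings.append((kid, "backup corrupted"))
        if rec["store"] == data_store:
            findings.append((kid, "key stored with the data it protects"))
        if not rec["wrapped"]:
            findings.append((kid, "key not encrypted"))
        if today - rec["last_audit"] > AUDIT_INTERVAL:
            findings.append((kid, "audit overdue"))
        if rec["refresh_due"] <= today:
            findings.append((kid, "refresh overdue"))
    return findings


def constructed_case():
    """Constructed inventory: k1 is healthy, k2 and k3 violate several rules."""
    today = date(2024, 6, 1)
    blob1 = b"constructed-wrapped-key-1"
    blob2 = b"constructed-wrapped-key-2"

    def rec(kid, blob, store, wrapped, audit_age, refresh_in):
        return {
            "key_id": kid,
            "backup_sha256": hashlib.sha256(blob).hexdigest(),  # digest recorded at backup time
            "store": store,
            "wrapped": wrapped,                                 # key itself is encrypted
            "last_audit": today - timedelta(days=audit_age),
            "refresh_due": today + timedelta(days=refresh_in),
        }

    inventory = [
        rec("k1", blob1, "key-vault", True, 10, 90),
        rec("k2", blob2, "key-vault", True, 45, 30),
        rec("k3", b"constructed-plain-key-3", "bucket-a", False, 5, -1),
    ]
    # Offline backup contents: k2 has a damaged byte, k3 was never backed up.
    backups = {"k1": blob1, "k2": blob2[:-1] + b"X"}
    return inventory, backups, today


if __name__ == "__main__":
    inv, bak, now = constructed_case()
    for finding in audit_key_backups(inv, bak, "bucket-a", now):
        print(finding)
```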

It is good for any organisation to let a third party manage the encryption keys rather than the organisation’s own IT department. If you encrypt the data before uploading it to your cloud storage provider, and the same data is then needed on a remote or mobile device that has no decryption keys, the downloaded data will be useless. If the company needs to share the data with a business partner and does not want the partner to access the decryption keys directly, this becomes complex.

The following are some of the criteria which can be used for encrypting data in the cloud:

Exercise discretion

You have to determine the percentage of your organisation’s data which is considered sensitive. You will find that the majority of your organisation’s data does not need to be encrypted. With ubiquitous encryption, the functionality of an application can be interrupted, most probably the search and report functionality, and these are very important in today’s cloud model. A discretionary approach to encryption should ensure that the sensitive data is secured without interfering with the advantages associated with emerging technologies.

Adherence to corporate security policy
The security policy for your organisation can help you determine the sensitive information in the environment, which you can then use to create an encryption strategy. Both the internal and external regulations relating to the business have to be considered.

Automation-ready encryption
Once you have agreed on what needs to be encrypted, action should be taken. Security technologies should be leveraged to identify sensitive information in the corporation, and encryption should be used as a remediation tool for risky situations. Once this process has been automated, inappropriate exposure of data will have been mitigated in a content-aware manner.

Consider the human element
Any data security mechanism must consider the needs of the end users. If the corporate security program interferes with the normal workflow of the users, they will seek alternatives that bypass the corporate network entirely.

Cloud providers and their potential SaaS partners should be asked about the protocol they use when transmitting their data. The SSL (Secure Sockets Layer) protocol is no longer the best choice since the discovery of a man-in-the-middle attack in 2014. This can only be solved by implementing TLS rather than SSL, but the problem is that systems running older operating systems such as Windows XP are not able to implement TLS. This has led some businesses to continue using SSL despite the risk it poses of exposing confidential data. The main solution to this problem is disabling SSL completely, either on the server or the client side, but this will make the service inaccessible to systems which rely only on SSL.

DLP (Data Loss Prevention) in the Cloud

Most organizations have moved their sensitive data to the cloud, but they lack policy controls for the cloud data. Research has shown that 21% of the documents uploaded to the cloud contain sensitive data such as protected health information (PHI), personally identifiable information (PII), intellectual property or payment card data, and this creates concerns in terms of cloud compliance. In the year 2014, breaches in cloud data rose.
Most organizations have invested in data loss prevention tools to protect against loss or theft of their on-premises information and to adhere to data compliance laws. The problem is that most of these tools were made to protect data contained in emails and file servers, meaning that they do not address mobile security and cloud governance, since data will always be passed to unsanctioned cloud services which are regularly accessed by unsecured devices. It has been found that the average organization uploads 3.1GB of data each day, and it is expected that 1/3 of organization data will be in the cloud by 2016. You have to recognize that migrating unprotected data to the cloud is risky; thus, any organization needs to extend its data loss prevention policies to cover data in the cloud and protect it against exposure.
Whenever you are addressing DLP, consider the following requirements:
1. Know the activity-level usage in your apps, and then use DLP to identify the activities dealing with sensitive data, anomalies and non-compliant behavior.
2. The cloud DLP software to be used should know the context surrounding all activity whenever you are dealing with sensitive data.
3. Restrictions and controls should be formulated in the organization to ensure that sensitive data is used safely.
4. Cloud activities should be tracked at app, user and activity level for compliance and auditing purposes.
5. Sensitive content which is residing in the cloud or moving to cloud apps should be encrypted.

A number of tools for preventing data loss in the cloud have been developed. With NetScope Active Cloud, an organization’s sensitive data can be protected from breaches and leaks. The tool provides advanced mechanisms for data loss prevention such as custom regular expressions, over 3000 data identifiers, support for over 500 file types, double-byte characters for international support, proximity analysis, exact match and fingerprinting. Once the tool detects some sensitive data, it uses context to narrow the content down, increasing the accuracy of detection and reducing false positives.
Skyhigh is another DLP tool, and it extends an organization’s ability to protect against loss of data to the data stored in the cloud. With Skyhigh, DLP policies are enforced in real time, and we are provided with the capability to carry out an on-demand scan of the data stored in the cloud to find out whether any of it falls outside the cloud policy. When configuring the DLP policies, you can choose among a number of policy actions such as quarantine, alert and tombstone, or choose to block the sensitive data from being uploaded to the cloud service. With Skyhigh, you are free to leverage the policies which you have created in other DLP solutions such as EMC, Symantec, Websense and Intel McAfee using closed-loop remediation.
Symantec also provides a tool with mechanisms for data loss prevention in the cloud. It has partnered with Box, an online tool for file sharing, and this improves the functionality of the tool. The tool is also expected to extend data loss prevention to sensitive data stored on mobile devices.
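The detection techniques named in this section (a custom regular expression, proximity analysis to cut false positives, and a policy action per finding), shown here as an added example that is not code from any of the products mentioned. The pattern, keyword list, 40-character window and the confidence-to-action mapping are assumptions; the documents are constructed and use well-known test card numbers.

```python
import re

# Custom regular expression: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Proximity analysis: words that make a nearby number more likely to be a payment card.
CONTEXT_RE = re.compile(r"\b(card|visa|mastercard|cvv|expiry|payment)\b", re.I)
PROXIMITY = 40                                   # assumed window, in characters
ACTIONS = {"high": "block", "low": "alert"}      # assumed policy mapping


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return one finding per valid card number, with masked value and policy action."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue                             # pattern matched but checksum failed
        context = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        confidence = "high" if CONTEXT_RE.search(context) else "low"
        findings.append({
            "masked": "*" * (len(digits) - 4) + digits[-4:],   # never log the full value
            "confidence": confidence,
            "action": ACTIONS[confidence],
        })
    return findings


# Constructed documents standing in for files on their way to a cloud app.
DOCS = {
    "invoice.txt": "Invoice 88: please charge card 4111 1111 1111 1111, expiry 09/27.",
    "tracking.txt": "Shipment tracking id 4111111111111112 left the warehouse.",
    "batch.txt": "Batch reference 5500005555555559 archived.",
}

if __name__ == "__main__":
    for name, body in DOCS.items():
        print(name, scan(body))
```

The tracking number matches the pattern but fails the checksum, and the batch reference passes the checksum but has no supporting context, so only the invoice is blocked outright.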

Cloud computing security: things you must know

One of the most game-changing revolutions of this era is Cloud Computing. The shift away from traditional on-premises applications and data storage is well underway, with consumers, small and medium-sized companies, and big businesses putting data and applications into the cloud. The question now is whether it is secure to do this. Cloud Computing security is the greatest concern amongst those who are considering the technology. And if you are an IT manager, it is good to be paranoid. Losses from attacks and cyber crime can be tremendous, and the 2008 CSI Computer Security and Crime Survey shows an average yearly loss of just below $300,000.

It might seem like a leap of faith to place your precious applications and data in the cloud, and to entrust Cloud Computing security to a 3rd party. However, faith is not part of the equation, and neither ought it to be. Every business needs to know that its applications and data are safe and secure, and the issue of cloud computing security must be addressed. The cloud comes with several security benefits.

According to NIST, these cloud computing security benefits include:

-Moving public data to an external cloud reduces the exposure of sensitive internal data
-Cloud homogeneity makes security testing/auditing easier
-Clouds allow automated security management
-Redundancy/Disaster Recovery

All of these points are well taken. Cloud providers tend to include rigorous cloud computing security as part of their business models, often more than an individual user would implement. In that regard, it is not just a matter of cloud computing providers deploying better security; the point is, rather, that they deploy the precautions which individual companies ought to, but often do not.

Most application providers enforce some level of security for their applications, although when cloud application providers apply their own strategies to Cloud Computing security, issues arise around international privacy laws and regulations, exposure of data to foreign entities, stovepipe solutions for authentication and role-based access, and even leaks in multi-tenant architectures.

Exceptional physical security from the Cloud Computing companies:
Lack of physical security is the cause of a huge amount of loss, and insider attacks account for a remarkably large percentage of it. While the specter of black hats breaking into your network from an underdeveloped country is very much real, quite often the “black hat” is, in fact, a trusted employee. It is the person from the accounting department with whom you have lunch. It is the woman who brings you coffee in the morning and remembers that you prefer two sugars. It is the recent college grad with so much potential, who did such great work on that last report.

Outstanding security from the cloud:
Apart from physical security, technical security is of the highest importance. Hosting your own applications and servers requires additional measures. A bigger business may need to employ dedicated IT staff for security alone. Cloud computing, on the other hand, builds cloud computing security directly into the cloud platform. While the business still has to maintain its own in-house security in any case, the provider makes sure that the data and applications are secure from attack. You need not worry about your data protection if you have cloud-based technology. Your data and applications will be risk-free.

Top 10 Advantages of Cloud Technology

In the IT world, cloud computing is evolving rapidly from an upcoming solution into a practical alternative for many small to medium-sized companies. For any growing company, one of the hardest things to do is to keep capital expenses in check. Cloud computing is a way to get access to business-grade IT that might otherwise be too expensive to buy and maintain.

Below is a short list of the top 10 advantages of cloud computing:

1. Cost benefits:
In the current economy, companies need low cost and high productivity. A cloud solution is a step in that direction. It reduces costs without sacrificing productivity. With the cloud, there are generally no upfront investments in software or hardware.

2. Access to your Data – Anywhere, Anytime and with Any Device:
Users of Cloud solutions can access their applications and data anywhere, anytime and from any device. Because data is accessed over the Internet on the servers of your cloud provider, management has 24/7 access whenever and wherever they require it.

3. Scalability:
Scalability is a leading factor in allowing a business to operate quickly. Many seasonal business processes go through periods of intense activity; however, this activity slows down substantially once the busy season is over. Cloud-based solutions can expand as a business needs the resources.

4. Protection:
Cloud technology is protected from hackers, bugs, and accidents. A cloud provider can easily afford all sorts of protective measures such as patch management, filtering and cryptography techniques. Cloud technology safeguards your data and keeps you as a long-term client.

5. Leveling of the playing field:
Cloud computing plays a significant role in leveling the playing field between small and large businesses with a “pay only for what you use” model. Small and medium-sized businesses no longer need to pay a lot of money to purchase IT infrastructure comparable to that of major companies. Now they can simply rent what they require in the cloud.

6. Management control:
Cloud-based technology gives managers better monitoring of their business and their employees. Managers can access data on exactly what their employees are working on and can review the work much faster and more effectively.

7. Greater Innovation, Efficiency, and Functionality:
With cloud computing technology, you no longer have to wait years for your next update. You can begin running new applications in a few days or perhaps hours.

8. Disaster Recovery and Backup:
With the help of cloud technology, you can keep your company’s data safely in a secure data center instead of the server room. If you lose power as a result of earthquakes, hurricanes or even a construction worker cutting the power lines, you are back at work as long as you have an internet connection.

9. Ease of use:
Getting rid of the need to purchase and configure new software and hardware enables your workers, and your IT department, to focus on the projects that will directly boost your earnings and grow your business.

10. Flexibility:
Cloud computing technology lets your company select exactly what your business requires, whenever you need it. You may pick a CRM tool, choose the Internet as the platform, and buy email marketing software, financial services software or a host of other available options for your business.