Archive for the 'Cloud' Category

Not all clouds have silver linings – how information security varies between cloud providers

You may have read in the press that Google has entered into its biggest cloud-hosting deal to date. And surprisingly this deal is with one of Spain’s largest banks, BBVA.

The fact that a bank is signing up to Google Enterprise Apps for email and other collaboration services could be taken as a considerable endorsement – banks are, by nature, very security-centric: they have to ensure that they comply with strict information security and regulatory requirements. On this basis banks normally use their own servers to store and share data.

This is what makes the BBVA / Google deal so surprising. BBVA’s data will be stored on one of Google’s public servers, rather than on a private server. BBVA will initially only use Google Apps for “internal communications” (with customer data and systems continuing to be hosted only in BBVA’s dedicated data centres), but it is assumed that over time BBVA may move more and more data to the cloud.

While I suspect that BBVA may have agreed a tailored solution and not signed up to Google Enterprise’s general terms and conditions, the standard Google Enterprise offering (as opposed to the free to use standard version) is rather attractive for businesses considering moving to the cloud, and in particular, using a cloud solution for data sharing and storage, such as Google Apps.

How safe is it to store data using Google Apps?
When storing data to an external server you have to make sure the data will be secure.

From an information security perspective Google Apps for Business has pretty good security credentials, so much so, that some of the US Government Departments use it. Google Apps is actually FISMA certified as being a secure way to store and share data. Google has also obtained an SSAE 16 Type II report (an independent audit) confirming that Google Docs actually adheres to the security controls it has in place and that these systems are operating effectively. The SSAE 16 report may give potential customers reassurance in relation to the effectiveness of Google’s security measures.

The other key information security concern for organisations is compliance with data protection rules and the security of personal data. Google Apps is currently hosted in the US and Europe, but Google Inc is a member of the US Safe Harbor Scheme. This is a US Federal Trade Commission scheme that allows US companies to certify compliance with a set of rules approved by the European Commission as being equivalent to the requirements of the EU Data Protection Directive.

This is important for organisations subject to EU data protection controls, as a transfer to an organisation that meets the Safe Harbor requirements allows the organisation to comply with the eighth data protection principle (which restricts transfers of data outside the EEA) without the need for putting in place model form contracts or making a finding of adequacy. This will give considerable comfort to users of Google Apps in relation to any personal information that they store in the cloud.

However, potential customers should still be aware that Google may be obliged, under the Patriot Act, to disclose information stored in Google Apps to the US authorities.

How do other cloud services compare?
The fact that BBVA is using Google Apps should not be taken as a green light for companies to store confidential, commercially sensitive or personal data on a similar cloud-computing solution. Google Apps is unique in terms of the FISMA and Safe Harbor accreditation and a number of cloud storage alternatives, such as Dropbox, simply don’t compare.

Dropbox – Information security risks
Dropbox and similar cloud-drive services are becoming an increasingly popular option for storing and sharing large files and for accessing documents from multiple devices. But, looking at the Dropbox terms and conditions, it appears to pose a number of potential information security risks which users may be overlooking.

Storing information
Firstly, Dropbox doesn’t have the greatest reputation as far as security is concerned.

Putting hacking to one side, there is a lack of certainty over what happens to your data once you remove it from the system. Normally, when you are storing confidential information on a third party’s system you want the comfort that at your request all of the confidential information is permanently deleted from the system. However, the Dropbox terms and conditions state that they are ‘likely’ to continue to hold the information on their back-up systems once you have deleted the data.

Releasing information
Another key concern is how readily Dropbox will share your data (confidential, personal or otherwise) with third parties. While there is a general obligation to release information when ordered to do so by a court order, Dropbox will seemingly release your files rather readily. In comparison, Google will inform you of the request and give you the opportunity to object.

Lack of independent certifications
Most importantly for potential customers within Europe, Dropbox states that it does not have Safe Harbor certification, nor is it able to provide a SAS 70 or SSAE 16 report in respect of its information security measures. This causes problems from a data protection perspective, and also means that there is no independent verification of the controls that Dropbox claims to have put in place.

The moral of the story is that you should carefully consider what data you are uploading to a data sharing cloud – particularly if it is commercially sensitive or personal information – and, as boring as it is, read the site’s terms and conditions and carry out some due diligence on how your information will be protected.

Leigh Kirkpatrick

Targeted online advertising – are you aware of how it works?

A couple of weeks ago, I was looking at flights and hotels for a trip to Reykjavik this January. One of the websites that I visited was hotels.com, following a link from the Tripadvisor website.

This morning, I read an article on the Guardian website about the recent overhaul of the Independent website. At the foot of that article was the following advert:

Screenshot on Guardian website of hotels.com advert for hotels in Reykjavik

Is it simply a coincidence that the advert the ad server served up (perhaps based on my Google search history) happened to be for hotels in Reykjavik from one of the websites that I visited when booking that trip?

Or does behavioural advertising now go deeper than I thought, and was this served up by hotels.com based upon my recent searches on the hotels.com website?

How does the system work?
Delving into the Guardian’s privacy policy, it appears that it is the latter.

The Guardian is a member of an online behavioural advertising system provided by a company called Audience Science. Audience Science appears to have many partners – from media/news sites to retailers (although hotels.com doesn’t appear to be on the list of advertisers, it is mentioned in a recent press release), each of whom share information on your use of their websites to allow the others to provide targeted advertising.

What I hadn’t previously considered, and find slightly disturbing about this is that the (very wide-ranging) list of partners in Audience Science’s network will continue to expand. However, once you’ve opted in to the system and accepted the cookie, you are unlikely to be aware of subsequent changes (or really have much idea about what information is being shared and with whom). This means that you could be using one website unaware that your browsing habits could subsequently influence advertisements served up on another site. There is no “Audience Science member” flag.

Retargeted advertising
But I don’t think that the advert I saw this morning was served up through the Audience Science system. I think it was another system used on the Guardian website called “retargeted advertising”, provided by an organisation called Criteo. Here is what the Guardian’s privacy policy says about it:

For example, if you have visited the website of an online clothes shop you may start seeing ads from that same shopping site displaying special offers or showing you the products that you were browsing. This allows companies to advertise to website visitors who leave their website without making a purchase.

Again, I don’t ever remember consciously opting in to this system. Clearly, I must have accepted a cookie at some point (or passively accepted hotels.com’s privacy policy), but wasn’t aware that by doing so hotels.com was going to chase me around the Internet.

Interestingly, according to Criteo’s privacy policy, the only way of opting out of the Criteo program is to accept a permanent cookie. So if you don’t like cookies, but don’t like your Internet usage being tracked then tough.

Maybe the European Commission is right about the lack of transparent information for users and the recent change to laws governing the use of cookies isn’t so crazy after all?

What do you think? Is behavioural advertising A Bad Thing? Do you think it impedes on your privacy? Is it ok provided that you understand how it is being used?

PS I got the Hotel Thingholt much cheaper on Expedia.

PPS Luckily, the trip wasn’t intended to be a surprise.

PPPS The Internet Advertising Bureau allows you to centrally control your behavioural advertising preferences for services provided by its members here.

Cloud Computing and the risk of Data Ransom

There have been lots of articles about cloud computing by lawyers. Most of them: i) have a dodgy pun in the title; and ii) bang on about data protection and the risk that your data is outside Europe.

That is not what I am going to write about. Partly because it’s been done to death, and partly because I think DP law is dull (sorry Grant and other data law lovers).

I am going to talk about data ransom in a cloud or hosted environment. That is the risk that your supplier goes bust and you have to buy your data from an administrator/receiver, or that you get into a commercial dispute with your supplier and they either turn off your service or ransom your data.  Both are possible scenarios.

Remember that administrators are legally bound to recover as much money as possible for the creditors. They are also not too bothered what your contract with the insolvent company says. These facts can make them quite interesting to deal with!

On the commercial dispute side it is traditional for purchasers to manage suppliers by withholding payment on invoices or similar. But with cloud or hosted apps the power has shifted – if the purchaser withholds payment then the supplier can probably turn off the service. Gulp! Worse, imagine you have decided not to renew the contract, and your supplier starts being “sticky” about handing over your data to the new supplier. Remember “sticky” could include giving the new supplier all your data, but in an incomprehensible format.

So what do you do?

Contractually

  • Have an obligation to get a weekly or daily back-up of your data delivered to you in a format you could decode.
  • In fact why not take advantage of virtualisation technology and get a virtual copy of “your environment” and related rights to run it on your servers. (I have been putting this in contracts for about a year – so far I have not seen anyone else do this).
  • Have strong exit management provisions (preventing the supplier mucking you around on exit).
  • Have a source code escrow agreement.  Note from a “self-help” basis these are probably useless (partly) because you may not have the object code; but having the right to get the source code will give you bargaining position against an administrator/receiver *.

Practically

  • Actually enforce any of the contractual rights described above (it is probably too late to start enforcing them once the “ransom” starts).
  • Make sure your lawyer really understands concepts such as cloud, source code and virtualisation (this is an undercover sales pitch).

Not one dodgy pun!

*  I find a lot of lawyers still ask for source code escrow in a hosted app environment (where the client doesn’t even have the object code) not because of the reasons I have outlined but simply because the turnkey contract they are using as a style has an escrow clause in it. This strikes me as fairly dumb. Rant over.

“Midnight Movies”, ACS Law and the ICO

The Information Commissioner has been criticised for levying a monetary penalty of just £1,000 against a law firm whose severe security shortcomings led to the sensitive personal data of 6,000 people being made available online.

ACS: Law, led by solicitor Andrew Crossley, was conducting a widespread speculative invoicing campaign which involved accusing thousands of people of illegal file sharing and charging fines (which Douglas discussed a few months ago).  However, the scheme came unstuck when “hacktivism” group Anonymous took umbrage with Mr Crossley’s tactics and launched a “denial of service” attack.   The attack made the ACS: Law website “collapse”, revealing details of individuals accused of illicit filesharing which had previously been hidden from unauthorised access.

Reports of the incident have suggested that the breach was aggravated because it revealed details of illegally downloaded pornographic films, meaning that not just any old personal data was disclosed, but “sensitive personal data” as defined under the Data Protection Act 1998, pertaining to individuals’ sexual lives.

Of course, as all diligent data protection lawyers know, details of the commission (or alleged commission) of any offence already constitutes “sensitive personal data” under the DPA. So I’m not really sure why the “midnight movies” needed to be mentioned at all. It wouldn’t be just to make an article about data protection seem a wee bit saucier, would it?

Information Commissioner Christopher Graham said that the severity of the breach would have warranted a fine of £200,000, but he believed that Mr Crossley was not in a position to pay. (The ICO does not have the power to audit people’s accounts, but instead obtained a sworn statement from Andrew Crossley on the state of his finances.)

Privacy campaigners are now concerned that the decision introduces a loophole for companies wishing to evade ICO monetary penalties. I’m not convinced. Surely pretending to be bankrupt is even worse for your reputation than failing to protect personal data?

The forecast: clouds, with grey linings, perhaps turning to silver later

Samsung has today announced the first publicly available laptop based on Google’s Chrome OS. The laptop is aimed at both consumers and corporate users.

What’s different?
Unlike many laptops and netbooks, Samsung’s new laptop comes with only 16 GB of (solid state) storage for files. By way of comparison, my MacBook that I bought last year came with a 320GB hard drive (20 times larger). Of that 320GB, approximately 70GB is taken up by photos, music and videos (including a staggering 25GB which relates to photos and video from my wedding and honeymoon last year).

So why is the storage space on a Chrome laptop so small? The reason is that users won’t store any files on the laptop itself. Instead, the user will use remotely hosted applications like Google Docs and store their files in a “secure” space in the Cloud. Google and Samsung cite a number of advantages of this approach – if the laptop breaks or is stolen, then the data won’t be lost, and because applications and files are hosted remotely, the computing power required at the user end is much less; ergo a Chrome OS laptop is much cheaper to buy.

We are seeing an increasing interest in clients (both large and small) adopting cloud computing and virtual desktops – finally realising the dream that Sun had for its thin JavaStation clients back in 1996 (I remember this well – I wrote a dissertation on it when doing Higher Computer Studies). As applications and files are hosted on a remote server, it means that users require only a very basic computer, meaning lower upfront and support costs and more flexibility to support various ways of working.

Dark clouds on the horizon
But as we saw a couple of weeks ago, the Cloud is not infallible. Leaving aside a reliance on patchy (and often slow) 3G coverage and wifi for mobile users in the UK, there are a number of risks. Users of Amazon’s EC2 cloud computing service suffered a major outage, leading to some users being affected for up to four days. The outage knocked out a number of businesses and arose notwithstanding a number of failover systems that Amazon claimed to have in place to prevent this sort of thing from happening.

Whilst a consumer may consider such an outage to be a risk worth taking given the cost and convenience benefits of using the Cloud, I suspect that businesses may take a different view. Reports have confirmed that because of the way the outage occurred, Amazon’s outage didn’t actually trigger a breach of Amazon’s service level agreement, meaning that users had no automatic entitlement to service credits (although on this occasion Amazon has made a discretionary award of compensation to affected customers). That’s a tough one for a CIO to explain to his CEO – not only did the service fail, but there isn’t even a right to any service credits.

Raining on the Cloud’s parade
The Amazon outage also highlights the risks of, to mix some more metaphors, putting all your eggs in one cloud. If a business is dependent upon the Cloud in order to trade or for its employees to carry out their day to day duties (because all data is hosted remotely), and is also dependent upon a single cloud vendor, then it needs to look very carefully at the business continuity and DR provisions that the cloud vendor has in place and consider if those are sufficient.

Similarly, if all your data is hosted by a third party in the cloud, then you may be reliant upon that third party to ensure that your data is backed up, and may also need to consider how you can get it out of the Cloud at the end (particularly when using software as a service applications). See Damien’s previous blog on this.

Wrapping up a bad couple of weeks for the Cloud, the hacking attack and theft of data from Sony’s PlayStation network also emphasises the importance of ensuring the security of data (personal or otherwise) held in the Cloud. Just playing some Rolling Stones isn’t going to be enough.

I don’t doubt that the Cloud will continue to grow in importance, but these recent events show the legal and commercial risks associated with cloud computing, and a number of the issues that cloud providers need to overcome before the market will fully mature. In the meantime, businesses seeking to move to Cloud will need to ensure that they read the small print and carry out appropriate diligence on their proposed supplier(s).

HOLLYWOOD HACKING: WIKILEAKS

“Hollywood Hacking” is the trusty cinema cliche whereby a geek with a laptop hits lots of buttons on his keyboard very quickly, says “we’re in” (or something similarly breezy), and gains access to the military system/bank account of his choosing. While Hollywood Hacking is usually very silly and completely unrealistic, the current Wikileaks saga is actually happening right now, in real life, and there’s more than a touch of unbelievable Hollywood Hacking about the whole tale.

As you’ll probably be aware, Wikileaks is the whistleblowing website that last week made available for download more than 250,000 confidential U.S. diplomatic cables. The cables contain correspondence between American embassies throughout the world and the U.S. State Department, and their contents are proving to be highly embarrassing for the U.S. Government and its allies.

Wikileaks founder Julian Assange has been placed on Interpol’s Most Wanted list (for “sex crimes” being investigated by the Swedish authorities, although the US government is also investigating if espionage laws were broken), and the Wikileaks website is under continuous heavy attack from unidentified and mysterious “internet hackers”.

These hackers are bombarding the site, or more accurately, the computer servers which hold or “host” its content, with “Distributed Denial of Service” (“DDoS”) attacks of unprecedented ferocity. (In DDoS attacks, incoming messages flood the target system and force it to shut down, thereby denying service to legitimate users.)

In an attempt to defend itself, Wikileaks moved last week from smaller internet providers to a larger one whose servers would be more likely to withstand a DDoS assault. Wikileaks’ provider of choice was Amazon.com and its much-vaunted EC2 cloud computing system, which operates on vast banks of computers, meaning that network capacity can be quickly scaled up or down to meet surges in traffic. The tactic was working well for Wikileaks until Amazon.com decided on Thursday to kick them out.

In a blogpost, Amazon.com denied that it was acting under pressure from politicians, saying WikiLeaks had breached its terms by not owning the rights to the content it was publishing. (I imagine Amazon.com might also have been a bit nervous about potential liability for the illegally sourced cables.)

The wikileaks.org web address was then withdrawn from Wikileaks because its domain name service provider EveryDNS.net claimed that WikiLeaks had violated part of its Acceptable Use Policy, which requires members not to “interfere with another member’s use and enjoyment of the service or another entity’s use and enjoyment of similar services.” WikiLeaks had interfered with other members’ service because, said EveryDNS, “wikileaks.org has become the target of multiple DDoS attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.”

Wikileaks’ solution has been to move to Switzerland, with a new domain wikileaks.ch. The domain name is registered by the Pirate Party of Switzerland, associated with an IP address in Sweden, and points to a web address in France (where the Wikileaks documents are actually believed to be hosted). If wikileaks.ch is also withdrawn, Wikileaks has announced that content will still be accessible by bypassing the DNS look-up and typing in Wikileaks’ actual IP address: http://88.80.13.160/.

Over the weekend online payment service provider PayPal cut off the WikiLeaks account, eliminating one of the easiest means for donors to send money to the organisation. It’s simply impossible to tell what’s going to happen next!   The latest development is that Julian Assange is under arrest, having voluntarily reported to a police station in central London this morning.

Who said Tech Law was boring? Hopefully in the inevitable Hollywood dramatisation of the saga there will at least be a cheeky cameo of yours truly writing this blog.

The wisdom of Clouds?

If, like me, you’re suffering from Cloud-fatigue, you may not be keen to read another post about it.   However, like it or not, the Cloud hype of recent years is turning into Cloud reality as the mist clears.

Is The Cloud maturing?

Yesterday there was an announcement that the Cloud Industry Forum has released its code of practice for cloud computing services. The wild frontier of “Cloud” is being tamed it seems as the industry grows up. Amazon, Google, Microsoft and other cloud platform and services providers have been upping their game, publishing extensive security white papers to give comfort to larger corporate and public sector organisations. Toes that have been dipped into using Cloud services have been followed by ankles and knees and in some cases have gone right up to the neck – or maybe they’ve got their head in the clouds (sorry).

Just another decision

So where have we got to with the Cloud? Well, hopefully there’s more pragmatism and sense being applied now in that people realise it’s not so much a revolution as just another way of delivering technology. As I saw a commentator recently put it, “Going into the cloud is nothing more than a make vs. buy decision” in an article called, provocatively, “Why ‘the cloud’ doesn’t matter”. The point being, it’s just another purchasing/procurement/planning exercise – i.e. where are we going to put this new system, on site or in the cloud? The difference is that you’re buying a service rather than a software licence, so you need to take the appropriate approach.

Due diligence

This chimed with a great presentation from our very own Grant Campbell a few weeks back, entitled “Navigating through the Cloud…a guide to the legal issues”.  To paraphrase Grant, “going into the Cloud” is basically outsourcing, so you should treat it as such, approach it carefully, do your due diligence and consider the implications: where is our data going to be, who controls it, what are the risks, what will the service level be, what happens if it all goes wrong, how do we exit/get our data back, and so on.

Ever increasing circles

I’ll be speaking at The Cloud Circle Forum tomorrow on a similar topic – sharing a platform with Mimecast - and providing a customer’s perspective on Cloud.  I’ll be talking about what we’ve done when considering moving services to the cloud, and borrowing liberally from taking inspiration from Grant’s presentation regarding the legal questions to consider.  Will it live up to the Cloud hype?  Probably not, but then the delivery is always more difficult and more mundane than a sales pitch and we’re really looking at bringing the Cloud back down to earth.

