Cloud Security Alliance

1. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security Alliance
Rizwan Ahmad
Chair Data Governance, CSA, CEO NZCSA, Senior Lecturer MIT

2. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Global, not-for-profit organization
Members
Over 49,000 individual members
200 corporate members
70 chapters worldwide
Established with the aim of bringing trust to
the cloud
30 research groups with 25 research
projects

3. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Over 300 hundred members
Main focus is research in
Data governance
Privacy
Cloud Assurance
Cloud Auditing

4. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security Alliance
Sir Winston Churchill

5. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Preservation of sovereignty is a Noble
cause
Enshrined in constitutions, Legislation and
Patriotism
To preserve peace
To protect territory against the hostile elements
To protect its citizens
To guarantee freedom

6. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Countries take various steps to preserve
sovereignty of the state without infringing
the rights of his/her own citizens through
Proactive actions
Reactive actions

7. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Legal or not Legal?
Sovereignty of State
Reactive
Police Military
Proactive
Intelligence
Agencies
Counter Operational

8. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Government develops legislative measures
to enhance these agencies by National
security laws meant to protect citizen’s
Fundamental rights
Freedom
Democracy
Country

9. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security Alliance

10. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Various covert and overt operations are
under fire
These operations reflect national security
but overrides fundamental rights
(Globalization)
Operations take strength from legislation

11. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
These programs and legislations are not
new

12. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Country National Security Laws Tolerance
USA Foreign Intelligence Security Act (FISA)
PATRIOT ACT
Justifies PRISM
Zero tolerance for Foreigners
US Citizens safe
UK Regulation of Investigatory Powers Act
2000 section 22(2)
Telecommunications Act 1984 section 94
Tempora Program targets Citizens and
Non Citizens
Sweden Act 2008:717 on signals intelligence
within defence intelligence operations
Act 2009:966 on the Intelligence Court
Decree 2009:968
Gathering information
Has some weakness
France Code de la Sécurité Intérieure Book 2,
Title IV of this Code.
Anti-Terror Act 2006
CNCIS
Targeted surveillance
Extends powers to gather telecom
data directly from providers

13. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Country National Security Laws Tolerance
Germany G-10 Law Warrantless automated wiretaps of
domestic and international
Communications
Netherlands Dutch Intelligence and Security Act 2002 Does not permit wiretap
European
Union
Directive 95/46/EC, Article 13 Exemption to data protection
European
Union
Convention for the Protection of
Individuals with regard to Automatic
Processing of Personal Data
Exemption in Article 9 and Article
16
International Convention on Cybercrime Article 27 and 30

14. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Country User Data
Requests
Percentage of
requests where
some data
produced
Users/Accounts
Specified
Total > 27477 64% > 42648
United States 10,574 83% 18,254
France 2,750 51% 3,378
Germany 2,660 40% 3,255
India 2,513 66% 4,401
United Kingdom 1,397 69% 3,142
Brazil 1,085 49% 1,471
Italy 896 42% 1,084
Australia 780 70% 944
Singapore 755 68% 847
Spain 545 53% 761
Poland 502 23% 740

15. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security Alliance
Survey on PRISM

16. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
56%31%
10%
3%
Survey 207 responses
Less
No impact
Cancelled
More

17. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
47%
32%
11%
10%
Survey Results of 440 responses
Poor
Fair
No Idea
Excellent

18. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
36%
64%
Survey Results 220 responses
Yes
No

19. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
41%
46%
13%
Survey Results 423 responses
Patriot Act Repealed
Patriot Act Modified
Patriot Act is Fine

20. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
91%
9%
Survey Results 438
Yes
No

21. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
User rights are aggravated by
Lack of transparency manifested by the cloud
service providers and governments
Inadequate cloud security standards
Evolving nature of cloud computing
Risks
Jurisdictional laws and conflicts

22. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security Alliance
Universal principles

23. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Article II 3(b), (c), (d) and (e) United Nations
Guidelines for Consumer Protection
(b) The promotion and protection of the economic
interests of consumers;
(c) Access of consumers to adequate information to
enable them to make informed choices according to
individual wishes and needs;
(d) Consumer education, including education on the
environmental, social and economic impacts of
consumer choice
(e) Availability of effective consumer redress.

24. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Transparency
• What information is
disclosed by CSP
Legal Protection
• What legal protection
is offered?
Compliance
• What standards and
laws?
Accountability
• How grievance is
addressed?
Cloud
Governance

25. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Right to know reforms…..
Disclosure of information to inform cloud
user that impact his data rights related to
Jurisdiction
Legal issues
Data protection laws
Compliance to relevant policies, law enforcement
Redress, complains

26. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Assess legal and jurisdictional risks
Contracts must be enforceable
Flexible contracts to allow cloud user
requirements
Choice of court
Arbitration
Ensure data protection under cloud user
laws

27. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Cloud Service provider displays compliance
to
Relevant provisions of laws
Security standards, best practices
Legal protection not to show data to third party
Transparency, legal protection and compliance to
standards show accountability

28. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Cloud service provider displays information
to show
Accountability processes
Breach of security
Electronic dispute resolution
Liability
Choice of court

29. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Four Elements
Transparency
ISO 27001 CCM
SSAE 16 SOC2 Type 2/ ISAE 3402
STAR Registry (CAIQ, CCM)
Disclosure of laws
Breach notification
Legal
Protection
Choice of court
Flexible contracts
Enforceable contracts
Compliance
Standards
Contracts
User laws
Accountability
Liability
Dispute resolution

30. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
Foundation for data governance
Need your cooperation to build strong
research
Presenting a proposal for new standards
on data sovereignity

31. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security AllianceCopyright © 2014 Cloud Security Alliance New Zealand Chapter
 r.ahmad@cloudsecurityalliance.org.nz
Join Hands for Cloud and
Cyber Security to Secure
Community

32. www.cloudsecurityalliance.orgCopyright © 2012 New Zealand Cloud Security Alliance
Thankyou