
Legal Risks in the Cloud: Part 3

It would be nice if the set of cloud-related legal risks I described in my previous two blog entries were a complete set. But, alas, they are not even close. Another very serious risk is the inability to conduct forensics investigations or, where provisions in an SLA or SOW with a CSP do permit such investigations, a diminished ability to conduct them thoroughly and in a procedurally complete manner. Investigation of anomalous events is one of the most important functions a security practice can have. But when an organization’s data and applications reside somewhere in the proverbial cloud, the organization is less likely to obtain the information that enables its technical staff members to realize that anomalous events have occurred and to investigate them. Even if an organization has arranged to obtain, say, system and network audit data from a CSP, chances are the organization will face hurdles in obtaining access to its data and applications in the CSP’s network. The exception to the rule is when a CSP agrees to allow “delegated authority” to the customer; in this case, the customer can obtain a considerable amount of access to the part of the CSP’s network that contains the customer’s data and applications. But whether or not the customer is allowed physical access is yet another detail to be negotiated, and there is no substitute for physical access to systems and devices when forensics investigations are being conducted. So organizations that take their data and applications to the cloud are, at least to some degree, inhibiting their own forensics investigation capability.

Another significant legal risk in connection with cloud computing is accidental (or possibly even deliberate) violation of state and federal laws when customers attempt to remotely access their data and applications, or when they perform allowed security testing to identify vulnerabilities in a CSP’s network(s), systems, and applications. For example, the terms of Amazon’s EC2 Cloud Service allow customers to scan the portion of EC2’s network space that contains their resources. But Amazon also lists a number of restrictions on scanning activity. Now imagine that these restrictions are not communicated to the customer’s vulnerability scanning team, or that someone on the vulnerability scanning team ignores them for one reason or another. The consequence could be the CSP filing a civil lawsuit against the customer, or possibly even a violation of law (e.g., Title 18 USC Section 1030) due to uninformed, accidental or naïve actions (e.g., launching vulnerability scans in a CSP’s IP space without the CSP’s prior approval), leading to criminal charges.

I could keep going, but I feel that I have said enough, with the exception of one thing. We have an abundance of high-caliber technical staff members in our organizations. If told to do so, they are more than capable of doing just about anything that is technically possible for the sake of security. We have sent these people to top-notch technical security training and education courses, and they end up with an impressive list of security and other certifications. Information security practices may also have an impressive set of policies, standards and procedures. This is all well and good, except that in cloud computing, having outstanding technical personnel and foundational documents does not do nearly as much good as it does in conventional computing environments. You can have all these things and still end up with huge amounts of unmitigated security risk, because you have turned over control of your IT environment (including security control) to another entity. And if your SLA or SOW does not contain specific provisions for creating, implementing and monitoring security measures in the cloud, you will not get them! So what information security practices now desperately need are information security professionals who are trained and experienced in contracts and contracting language, and who can work with the contract offices within their organizations to ensure that the right security provisions get incorporated into contracts with CSPs.

Oh, by the way, I just talked extensively with two top-notch cybersecurity lawyers late last week. They expressed amazement at how deficient cloud service contracts are with respect to provisions for security. There is a big message here, and I hope that you will not only get it, but do something about it if and when your organization is ready to take the plunge into the Orwellian world of cloud computing.
