Protect the Cloud
Legal concepts
Criminal Law - laws that provide for the safety and well-being of the public
Civil Law - laws that deal with personal and community matters such as marriage and divorce, or contracts
Contracts -
Federal Laws - affect the entire country
State Laws - speed limits, criminal code
Administrative Law
Created by executive bodies
US Laws
HIPAA
GLBA
SOX
International Laws
Laws, Frameworks, and Standards around the World
EU GDPR - subject to specific courts or courts
Can only send data to a country with a federal PII law that complies with EU privacy regulation
Aus/NZ, Argentina, EFTA, Israel, Japan, Canada
Based on 7 OECD Principles
Notice
Choice
Purpose
Access
Integrity
Security
Enforcement
Added right to be forgotten
Privacy Shield allows transfers to the US after agreement
APA 1988 -
Canada's PIPEDA
PDPA
EFTA
APEC Privacy Framework
ISMS
ISO/IEC 27017:2015
Difference between Laws, Regulations, and Standards
All can dictate how data is handled
Rules can come from industry, like PCI-DSS
eDiscovery - obtaining electronic evidence
Needs to be in SLA
Chain of Custody and Nonrepudiation - specific personnel can use and
Forensic Requirements -
ISO standards deal with Forensics
Conflicting International Legislation
Could be required to follow different legislation
Cloud Forensic Challenges
Jurisdiction problems
Direct and Indirect Identifiers - remove this information to make data anonymous
Forensic Data Collection Methodologies
Virtualization
Complicates auditing
Scope
What is included in the audit
Gap analysis
Shows the analysis of what you expect versus where the system actually is
ISMS
In ISO 27001, a standardized ISMS model with all components of a security management system
Right to Audit
Customer can ask for any and all audit reports
Audit reports are very sensitive
Audit Scope Statements
Documented description of the audit focus
Restrictions of audit scope statement
AICPA and others want to know about any restrictions on or differences in the audit scope
Policies
Policies are rules to reduce risks
Cloud computing needs policies for controls in the cloud (remote access, passwords, encryption, and separation of duties)
Different Types of Audit Reports
Internal
External
Auditor Independence
Needed to ensure that auditors feel comfortable pointing out flaws
AICPA Reports and Standards
SOC 1
SOC 2 Type I - describes how security controls are designed
SOC 2 Type II - how security controls are implemented
SOC 3 - public consumption only
Cloud assets are dispersed across multiple legal jurisdictions
Policies
Hard to write policies for every part of the world
Who creates policies - Subject Matter Experts
Who signs the policy - C-level
Who reviews for completeness - board, compliance officer
What policies for cloud
Acceptable Use Policy
Data Classification Policy
Information Security Policy
Network and Internet security
Passwords
Antimalware
Software Security
Incident Response
Legal Compliance
Encryption
Risk appetite and Risk Tolerance
Each decision provides benefit and second is opportunity
Risking human life is not acceptable
Cloud Implications for RISK
KRIs - closely monitor risk indicators
Risk Appetite and Tolerance - appetite goes up as they want to tolerate more risk
Risk Profiles - possible risks the organization is exposed to
Risk Owners and Players - those in the organization who determine the risk profile
Choices involved in Risk Management
Risk choices
Acceptance
Mitigation
Avoidance
Transfer
Risk Management Frameworks
ISO 31000
NIST 800-37 - they developed
ENISA
Why - help organizations develop sound risk management practices
Risk Management Metrics
Contracts and Service Level Agreements
Business Requirements
Scoping - include only requirements
Regulatory Compliance
Disaster Recovery
Vendor Lock-in
Data Portability
Understand SLA
Performance
Security
Logging
Disaster Recovery Metrics
Cloud Computing Certification
Supply Chain Risk