the non market issue of cloud computing hp - cloud security alliance

Download The non market issue of cloud computing   hp - cloud security alliance

Post on 08-May-2015




1 download

Embed Size (px)


  • 1.Sumaya September 2012Cloud Computing Security RisksBackground and key information:It finally seems like the Feds are catching up with the Cloud era boom. The USgovernment has released its stand on the data security on cloud technologies at theSecurity in Government 2012 conference. Important concerns regarding thejurisdictional issues of data storage were raised. The Federal Financial InstitutionsExamination Council(FFIEC) issued a press release with cloud computing risks andissued guidelines in its FFIEC IT Examination Handbook. The department will becoming up with new cloud guidelines. Separately in Europe, the European Networkand Information Security Agency (ENISA) and the Cloud Security Alliance (CSA)have come up with their own assessment of how to addresses cloud riskguidelines. The European commission and European data protection council has issuedstatements indicating firms offering cloud solutions should offer legal clarity and clearprivacy policies. The UK Government Digital Service is formulating its policies tomaximize on the potential benefits to the UK economy. The CSA is also working onstandards for cloud interface.HP has partnered with VMware in providing cloud platform solutions. The partnershipaims at providing infrastructure with strong security and converged cloud solutions tothe PCI industry. The companies are selling their solutions that goes beyond addressingthe security guidelines put forth by various councils; it will be interesting to see how HP-VMware partnership will fair against various commission guidelines. In another initiativeHP has partnered with Microsoft for cloud integration. HP has signed new contracts withvarious government organizations to provide both hardware and software solutions. HPhas made new investments in cloud computing in China. Following its China five-yeargrowth plan, HP opened a brand new center called HP Cloud Executive Briefing Centerin Tianjin and expanded its R & D in China. In addition, HP has started other biginvestments in China. With so many countries and their respective Governments on thebandwagon trying to form their own policies and drawing the blueprint of how the cloudinfrastructure should look like, the result will be a set of conflicting laws and regulationsbetween borders and countries. To add to the complexity, some governments are leeryof working with China. And Chinas stand on how these services will impact its ownindustry and Government is a question that is yet to be raised.While HP is ahead of the game, it may be missing some key mandates from the CloudSecurity Alliance and the various Government policies that could prove as a costlymistake. Moreover setting up a cloud hub in China could be security threat tobusinesses and organization in the US including the US government especially in thewake of latest allegations in regards to spying from two big Chinese firms ZTE Corp.and Huawei Technologies. Given the sensitive nature of government and payment data,this can soon become an unmanageable nightmare and lead to unimaginablevulnerabilities for the United States or for the western European nations. The issue is in1

2. the late formation phase and early interest group formation. The issues are skirtingaround the cloud circles and in the various CSA congress presentations and has yet tobe identified as a full blown threat. The story has been picked up by a few freelancetechnologyjournalists. For example,the authorfor provided enough validation to show the issues surrounding a global cloud dilemma.The main interest groups for this issue will be the consumers and enterprises across theglobe that will use the cloud services technology irrespective of geographicalboundaries. There is no doubt that the Governments across the globe have to take anactive role in formulating the compliance and security protocols and HP being a keyleader of cloud services will be impacted by this and needs to be more involved with theformation of any cloud law legislation that will give it a competitive advantage in the nonmarket arena.Cloud Computing Security RisksIssue Summary: Issue Security vulnerabilities in Cloud Computing Interest Cloud Security Alliance Groups Consumer and Enterprise Business using CloudServices Banks, Payments Card Industry(PCI) Government Organizations like US Military Institutions UK Government Digital Service, Federal Financial Institutions ExaminationCouncil ( FFIEC), European Network and Information SecurityAgency (ENISA) Information Jurisdictional issues of data storage Cloud Computing conflicting lawsandregulations between borders and countriesneeds to be resolved Safety of hosting cloud services from China Issue Life Late issue identification, early interest group Cycleformation Media Currently the story is published by a few Attentiontechnology magazines. Main stream media is yetto pick up the story but eventually in the next fewmonths, this issue will be a hot topic.HPs Business Strategic Political Actions for Security RisksLobbying2 3. HP, Microsoft and other internet companies who are offering services on the Cloudhave been lobbying for safer cloud computing laws since 2010. Microsoft generalcounsel Brad Smith insisted on electronic privacy laws being updated during a SenateJudiciary Committee in Washington in 2010. Since then, there have been continuedlobbying efforts for cloud security.HP as part of the Cloud Security Alliance group has been lobbying against theCybersecurity Act of 2012 and has been successful in protecting the cloud initiatives.The above graph shows HPs spending on lobbying for various causes including tradelegislations, cloud security, data security and privacy regulations, patent approvals, freetrade, broadband subsidies and defense funding. HP is one of the biggest spenders onlobbying efforts. It hires lobbying firms like Palmetto Group, Mehlman Vogel CastagnettiInc, Sternhell Group, Innovative Federal Strategies and Akin, Gump et al . HP hasspent $3,750,000 so far in 2012 on various lobbying.There are a number of individual cloud computing legislations that HP along withMicrosoft, Google, Facebook and other companies have been lobbying like the policyissues in cloud computing, Electronic Communications Privacy Act (ECPA) and thenumber of other policies regarding, Cloud Physical Location and Access Issues Jurisdictional issues affecting theCloud. Example: safe harbor law - a European law enacted in reaction to the U.S.Patriot Act. Another example is the Trade Agreements Act of 1979 (TAA) prohibitsgovernment contractors from using cloud serveices that are set up in countries thatdont have trade agreements with United States. Privacy, Security and the Cloud Concerns around data stored in the Cloud is lessprotected than other in other contexts. fundamental concern about the security ofessential business and government information and processes maintained in theCloud. Law Enforcement and the Cloud Concerns with privacy issues in law enforcementcontext and legal protections against unreasonable search and seizure of datastored in a Cloud context. Example: Congress is currently reviewing a proposedupdate to the Electronic Communications Privacy Act3 4. Intellectual Property (IP) and the Cloud Concerns regarding valuable intellectualproperty, trade secrets or copyrighted material in a Cloud environment. Example:The Digital Millennium Copyright Act provides a safe harbor to cloud serviceproviders from infringement liability for copyright violations if they adhere toguidelines and immediately block access or remove copyrighted materials from theirwebsite upon notification. Global Competition and the Cloud: U.S. companies can compete for a share ofglobal cloud market but U.S. put them at a competitive disadvantage. Example: U.S.Patriot ActSen. Amy Klobuchar has introduced a new bill called the Cloud Computing Act of2012 (S.3569), that is supposed to improve the enforcement of criminal and civil lawwith respect to cloud computing.The proposed bills main purpose is to give cloud computing services protectionsunder the CFAA. HP as part of the CSA alliance is lobbying for this bill.Eric Goldman, Internet Law professor from Santa Clara University has written an articleon regarding the Cloud Computing Act . The article can be found at CoalitionsHP is part of the Cloud Security Alliance group to promote the use of best practicesfor providing security assurance within Cloud Computing. All the top companies likeGoogle, MicroSoft and even US Department of Defense are members of this alliancegroup. The Alliance aims to provide education on the uses of Cloud Computing. TheCloud Security Alliance is led by a broad coalition of industry practitioners, corporations,associations and other key stakeholders. 4 5. HP along with the CSA has developed a number of useful and valuable resources likethe secure best practices for cloud computing, tools for managing governance, risk andcompliance, cloud user certification and cloud security knowledge certification, registryof cloud services amongst other cloud security standards.Public Advocacy & Awareness RaisingFor the last 8 years, every year HP has used events like HP Protect to raise awarenessand increase visibility on security infrastructure, potential security risks and breaches,security landscape, cloud security information, security and compliance standards byhosting a two day event where it invites experts, architects, and gurus under one roof. Itthen makes public all the lectures, information shared during the summit to the generalpopulation.HP along with CSA has provided a number of toolkits, handbooks, standards, guides toeducate various businesses and public interested in cloud