Tuesday, November 15, 2011
Monday, November 14, 2011
Legal Issues with Cloud in UK.
Cloud computing did not exist when data protection regulations came in. John Roberts of Redstone explains how to keep within the law
The UK Data Protection Act (DPA) is often regarded as the world's leading law on protecting personal data. But many UK companies now adopting cloud services are not only putting data at risk, but also themselves, by breaching data protection laws. How do you comply with the DPA, whilst maintaining a cloud presence? When the UK government passed the DPA in 1998 it was heralded as the definitive way to guarantee personal data was protected. Over the following decade, refinements to the act ensured that personal data was not just secure, but more specifically, it was secure online. This worked well when data was held on-premise, within a company's own data centre, but the advent of cloud technology has changed all that.
What do we mean by cloud?
Just to be clear, in this context we're referring to 'cloud' as infrastructure as a service. Ask many cloud service providers (CSPs) where a specific piece of data is held, and it would take them a while to answer. In most instances the cloud does not recognise national boundaries. CSPs simply move data across their often globally dispersed infrastructure at will in the most efficient way for them. This means that the IT director no longer knows where his or her data is, nor are they able to comply with the DPA. With data being streamed and stored across national territories, it also runs the risk of falling foul of other countries' legislation. When George W Bush signed the US Patriot Act into law in 2001 following 9/11, no one could have predicted the data protection conflict that would occur between the UK and US as a result. The two acts lie in direct opposition of each other. The UK DPA prohibits organisations passing personal data on to another party, yet, the US Patriot Act expressly permits the US government to access and examine any data – personal or otherwise – that's held by a US company. Security has long been a real concern for IT directors considering cloud infrastructures but previous anxieties have focused on data loss rather than location – a legal requirement enforceable under the DPA. Location of data has to become a priority, considering the words of Microsoft UK MD Gordon Frazer this summer who admitted that the US Patriot Act took precedence over the DPA. Not only does this mean trouble for UK companies using cloud services where data is stored in the US, it also means that the data of US companies operating outside of its borders are also subject to this priority, affecting some of the world's largest CSPs – from Microsoft and Salesforce, to Google and Amazon. The EU, UK and other nations are debating the issue. The EU has negotiated a safe harbour agreement with the US to protect data. However, since most CSPs are unable to assure customers where data is located, the bigger question has to be: just whose responsibility is data storage when operating in the cloud? The Information Commissioner's Office (ICO) is responsible for enforcing the DPA, and its latest annual tracking survey found that one in four companies are still unaware of the need to comply with the DPA. While many companies may plead ignorance, we've found a more concerning trend. When it comes to the cloud many data owners believe data protection responsibility lies with the CSP, or more worryingly, are simply using the cloud as a way to abdicate responsibility for storing and protecting their data. This company apathy to data protection is widespread. We know this from experience. Rarely are we asked by prospective customers to ensure that data held within our cloud service is stored in the UK – compliance is simply not considered an issue when buying cloud services.With power comes responsibility
Many cloud services are problematic because they provide a generic, one-size fits all solution. Yet as cloud services have evolved, alongside customer needs, more tailored solutions have appeared, including UK-specific, DPA (and PCI) compliant services. With these services 'control', a concern cited by many IT directors when considering cloud services initially, has been given back to the IT department. With that control, however comes the responsibility for data protection. The other failure occurs with the law itself. While the DPA provides stipulated requirements for the protection of data, it is enforced retrospectively not proactively. That means that companies are only prosecuted once a breach has occurred. The ICO has no power to audit private sector companies' compliance to ensure that a data breach doesn't occur in the first place. Having no audit control over the private sector makes it impossible to proactively regulate and enforce the DPA. It's generally accepted that the private sector generates the most data protection complaints. As a result, the information commissioner Christopher Graham, recently called for compulsory audit powers for the private sector. Data audits need to become a requirement within the financial and legal audit processes if companies are to be held accountable for data protection. We think that the solution may be simpler. What the industry (and companies operating in the cloud) needs to assist in compliance is a series of DPA standards. Comparable to ISO 9000, a simple checklist of standards would provide companies with a way to effectively measure themselves as part of any risk assessment or business continuity plan. We've seen how well they work for quality management, so now it's time to apply the same theory to the question of data protection.
Source : eweek
Code Search for Open Source Holes
Tools such as Google Code Search can provide hackers with a wealth of information hidden in open source code, writes Eric Doyle
The downside of open source is its very openness. Hackers are using Open Source Intelligence (OSint) to find personal information and even passwords and usernames to plan their exploits.
Organisations like Anonymous and LulzSec have been using Google Code Search - a public beta in which Google let users search for open source code on the Internet - according to Stach & Lui, a penetration testing firm. In Code Search, they can unearth information to assist them in their exploits, for instance finding passwords for cloud services which have been embedded in code, or configuration data for virtual private networks, or just vulnerabilities that lay the system open to other hacking ploys, such as SQL injection.
Google Hacking
The Google service is due to be switched off next year as part of the company's rationalisation of its research efforts with the closure of Google Labs but that does not mean that exposed code on the Internet will be safer. There are several sites which provide similar services.
Google's BigTable is the repository of most things the company gleans from its searches, and searching it for nefarious purposes is known as Google Hacking.
A-Team, a white-hat hacking group which appears to have the sole purpose of exposing Anonymous and its various subgroups, wrote a highly critical, sneering condemnation of Google Hacking.
"LulzSec and Anonymous [are] believed to use Google Hacking as a primary means of identifying vulnerable targets," the group blogged in June this year. "Their releases[revelations] have nothing to do with their goals or their lulz [fun]. It's purely based on whatever they find with their 'google hacking' queries and then release it."
Mark Stockley, an independent Web consultant, wrote on the Naked Security blog, "While the findings provide a much-needed wake-up call to online businesses, admins and developers, they also offer a fascinating insight into the motivation of hacking collectives such as Anonymous and LulzSec...
"Rather than being motivated by politics or injustice, hacking groups may simply be targeting organisations because Google Code search has turned up a vulnerability too tempting to ignore, making them less political action groups, more malicious 21st century Wombles," he said.
The best protection is to ensure that nothing is included in code that is useful to a hacker. If it is unavoidable then the information should be stored separately and encrypted.
Colin Tankard, managing director of encryption and security specialist Digital Pathways, advised, "Obviously if the data is encrypted it protects that data wherever it goes as long as the key is never stored with the data. This adds extra control of who or what application is allowed access to the data. By applying encryption with access control organisations can define who or what is allowed access to data."
Source: eWeek
Subscribe to:
Posts (Atom)