OWASP AppSec DC 2012/Private information Protection in Cloud Computing LawsCompliance and Cloud Security Misconceptions

The Presentation

Cloud Computing (CC) is a distributed computing technology and thus is not new. A similar approach has been implemented in multiuser mainframe environments and in client-server architectures. What is completely new is that the technology operates across the environments of distinct legal entities. Intertwined computing resources and intersecting legal boundaries create a completely new environment, which challenges security research. However, CC has been pushed and promoted by numerous providers as ready to use, without adequate security research. The usual consideration of CC security is based on a common-sense, purely technical 'data protection' concept, which completely ignores the legal ground. In particular, this relates to Personal Information (PI) protection, which is mandated and regulated by numerous US and international laws. In our research we attempt to return to where CC security should start from: laws and regulations. US laws protecting Personal Information, for instance the federal HIPAA and the Massachusetts MGL c.93H and 201 CMR 17.00 Standards, do not contain direct references to technologies, but require owners of PI to engage in certain binding relationships with service providers concerning PI protection. Thus, the laws dictate a completely different approach to CC security analysis, which should be based on whether and how such a binding relationship could be implemented. We use the term Chain of Trust to refer to such a relationship. We need to note that the many publications considering PI protection in the CC environment simply ignore the Chain of Trust matter. How often have we seen an exact quote of a law, then an interpretation concerning CC-related PI protection issues, and finally a consideration of the lawfulness of a particular CC solution? Not really often, or maybe not at all. Our presentation returns the consideration of CC security to the legal ground.
Our starting point is three laws covering one of the most vulnerable and widest industries, health care (the HIPAA Security Rule and the HITECH Act), and the entire state of Massachusetts (the 201 CMR 17.00 Standards). Our research is based on the consideration of Service Models (SaaS, PaaS and IaaS) and Deployment Models (Private Cloud, Public Cloud and Hybrid Cloud) as they are described in two NIST publications, 800-144 and 800-146. Well organized, but missing serious consideration of the implications of PI-protecting laws for CC services, these documents form the ground for our security research. The legitimacy of each Service Model and Deployment Model is considered on the basis of the three above-mentioned laws, and the exact legal obstacles to their implementation are identified. We define our Chain of Trust concept in terms of requiring a certain relationship between the PI owner and the service provider. Following that, we consider the necessary binding agreements between PI owner and service provider, and whether and how such a relationship could be implemented with currently available managerial and technical security means. Finally, we consider some aspects of a possible government audit of PI protection compliance. We return to the original meaning of compliance instead of the widely used but incorrect, marketing-driven interpretation. Our research provides practical ground and advice on how to deal with the required Chain of Trust when protecting personal information in the CC environment, and how to avoid future problems during a government compliance audit.

The Speakers

Mikhail Utin

Mikhail Utin: I was born in Russia in 1948.

I finished my basic engineering education in 1975 and got an MA in Computer Science and Electrical Engineering. My career in Russia includes working for research and engineering organizations. I got a Ph.D. in Computer Science in 1988 from the then Academy of Sciences of the USSR. I was one of the first entrepreneurs in Russia to form a private company. From 1988 to 1990 we successfully worked in the emerging Russian private sector as an Information Technology company. I had several USSR patents and published numerous articles. I emigrated to the US in 1990 to continue my professional career and to escape the political turmoil. Here in the US I have worked in the information technology and information security fields for numerous companies and organizations, including contracting for the US government. I formed my own company for IT and IT security consulting in 1998. I am an (ISC)2 certified professional, and participate in ISSA as well. I publish articles on the Internet and in professional journals, and am a proud reviewer of articles submitted to the (ISC)2 Information Security Journal: A Global Perspective. Our research on SMB security problems with complying with US laws and regulations, 'US experience: Laws, Compliance, and Real Life - When everything seems right but simply does not work', was presented at DeepSec 2011. My current focus in IT security research is security governance, regulations and management affecting technology and security status.

