Mar 20

SecureCloud 2010: day 2 and conclusion

Tags: (i)realidad, Informática Legal, Systems. Joaquim Anguas @ 7:38 pm

SecureCloud 2010, second day:

Keynote

The first session was an excellent keynote by Mrs. Pamela Jones Harbour, Commissioner at the US Federal Trade Commission. She “asked the tough questions” and pointed to some “storm clouds”.

The first «storm cloud» she talked about was the asymmetry between users and companies: consumers may not understand when they are using cloud computing, and it is hard for them to delimit what data they are willing to share. On the supply side, providers do not offer consumers minimum choices; they present «incomprehensive privacy clauses», they don’t «adequately disclose the scope» and they hide behind «click wrapped agreements».

The second «storm cloud» was (in)security. Cloud services are potentially insecure, and there is a potential opportunity for providers to avoid responsibility and accountability.

The third «storm cloud» was competition. There is a great range of choices, and if the consumer side does not demand accurate information and an adequate level of security in the competitive process, government may have to intervene in the market. Turbulent times are pushing companies toward low cost, so the market forces them to cut back on best practices.

The fourth «storm cloud» was incompatible jurisdictions. The state of the law in the USA is uncertain, and there is lobbying around federal legislation on cloud computing. There is a need to identify challenges and develop good practices. In any case, rules have to be process oriented, not technology oriented, and not tied to specific technology requirements.

Her final message was: ask the tough questions, but don’t fear the challenge of the cloud.

Cloud services at the Federal Reserve

The next speaker was a chief architect at the Federal Reserve. He said that they provide shared services to all 12 banks operating under the Federal Reserve. Using cloud technologies allowed them to add transparency to IT expenses through usage-based charging, lower costs, implement applications that were too expensive before, improve execution of green IT goals, and avoid upfront infrastructure cost in exchange for operational costs. He explained that they used all delivery models: SaaS, PaaS, IaaS… They defined a grid relating the key differentiators for every workload type, and then defined which controls the service provider supplies and which ones they have to provide themselves.

Identity Management

The next session was “Identity Management in the Cloud, Practical experience about moving Identity Management to the cloud”.

Mr. Tobias Dussa talked about uniform access, multiple jurisdictions, the obligation to obey local policies and legal difficulties due to organizational boundaries.

Mr. Kurt Anderson from Pfizer talked about the process of selecting a cloud provider, the need for an IPP (Information Protection Plan) that rates data and applications, and the need to place compliance obligations on the cloud vendor.

Mr. Marcus Lasance from Verizon explained how, being a farmer, he had to respond to a security breach: rams were going over the fence, his perimeter was not secure enough, so he had to make his fence taller. He mentioned how users may have to be provisioned (and de-provisioned) transparently into other systems due to SSO.

Securing Inter-Cloud Communication

The next session was Maryann Hondo’s (from the IBM WebSphere Technology Institute) “Securing Inter-Cloud Communication Websphere”. She talked about security and reliability, integration, fears of vendor lock-in, compliance and legal issues, security challenges and the need to reconcile different identities.

Cloud Certification

Then came Mr. Eijiroh Ohki’s (from Kogakuin University) “Possible direction of Cloud Service Certification and Assurance”. He presented a study of 699 companies. Most had a third-party certification (ISMS / P-Mark).

89.3% had an IS audit in place, 76.1% audit regularly, 97.3% consider data confidentiality important, and 87.2% request periodic reports on incident management. Among cloud providers, 89.3% think third-party evaluation is effective and 34% say security certification is important: ISO 27000 ISMS, Privacy Mark…

Ohki-san pointed to the need to establish an end-to-end accountability chain.

Emerging Certification Frameworks

The next session was the panel “Emerging framework for Assurance and Certification”.

The first intervention was by Adrian Seccombe from Jericho, who focused on the unavoidable trend toward cloud services and ended his presentation with a picture of an ostrich hiding its head underground and the phrase “are we humans or are we ostriches?”.

The next interventions focused on the «cloudability» of a business, meaning the ability to transfer a business operation to the cloud, the need to simplify service ratings like the stars of a hotel, and the need to move away from a check-the-box mentality.

Cloud Providers

The last session I attended was the panel “Cloud Providers”. It was moderated by Nils Puhlmann (Zynga), with Peter Dickman (Google), Matt Broda (Microsoft) and Carl Moses (Amazon).

They all made their point about their company and agreed on the need to «identify your responsibility and stick to it», offered information on the details of their service to whoever may be interested (sometimes post-NDA…), said that some of the issues raised against cloud models were already present in previous models, and asked for some trust.

As you may already know, I usually act as an expert witness here in Spain. In my humble opinion, if you have to litigate and you rely on evidence in the cloud, you may get into trouble proving your point.

From my experience, there is a good share of people asking themselves: if something happens to my in-the-cloud services, will I be able to prove my point in court?

I had a meeting and had to leave the session before they ended the presentation.

I would have loved to ask them these three questions:

“Let’s say we all, the society, trust you: are you guys willing to send snapshots to a court, let’s say in Spain, so they can be properly examined by an expert witness?”

“What mechanisms are you going to add to give a proper foundation to the trust you are asking us to put in you?”

“Mr. Moses, in the case of Amazon, will we have the option to get the snapshots gift wrapped?”

:-)

Conclusion

My conclusion is that the model is not mature enough, but providers (and some clients) are not willing to restrain themselves until both the service offered and the status quo improve to an acceptable level: the race is on.

I would like to raise two issues that in my opinion were not reflected enough in the conference: the risk due to the possible lack of solid evidence in an eventual litigation, and the possible impact of the data and/or applications not being bound to a specific jurisdiction.
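The evidence problem raised above is, at its core, one of integrity and custody: a snapshot handed to a court is only useful if the expert witness can show that what is examined is what was collected. The following is an added example, not code from the original post or from any provider discussed at the conference, of the minimal defensive practice: hash every file of a snapshot at collection time into a manifest, hash the manifest itself, and re-verify both later. The snapshot layout, file contents and the "collected_by" value are constructed placeholders for the example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for an exported cloud snapshot; no real provider
# export format is implied by these names or contents.
SAMPLE_FILES = {
    "disk/volume.img": b"\x00" * 4096 + b"boot sector placeholder",
    "logs/access.log": b"2010-03-20T10:00:00Z GET /index.html 200\n",
    "metadata.json": b'{"instance": "example-instance", "region": "example-region"}',
}


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    # Fixed key order and separators so the same table always hashes identically.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, collected_by: str) -> dict:
    """Hash every file under root and record who collected it and when."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    manifest = {
        "root": root.name,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
        # Hash of the file table itself: this single value can be quoted in the
        # expert's report and checked against the manifest file later.
        "manifest_sha256": hashlib.sha256(_canonical(entries)).hexdigest(),
    }
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return a list of discrepancies; an empty list means the copy matches."""
    problems = []
    expected = manifest["files"]
    if hashlib.sha256(_canonical(expected)).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest file table has been altered")
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, info in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(root / rel) != info["sha256"]:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - expected.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def write_sample_snapshot(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Collect, then verify a clean copy, a changed file, and a forged manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "snapshot"
        write_sample_snapshot(root)
        manifest = build_manifest(root, collected_by="expert witness (placeholder)")
        results = {"clean": verify_manifest(root, manifest)}
        # A log line appended after collection must show up as a modification.
        with (root / "logs/access.log").open("ab") as f:
            f.write(b"2010-03-21T09:00:00Z GET /admin 403\n")
        results["file_changed"] = verify_manifest(root, manifest)
        # Patching the manifest to match the altered file must also be caught,
        # because the manifest hash no longer matches the edited table.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["logs/access.log"]["sha256"] = sha256_file(root / "logs/access.log")
        results["manifest_forged"] = verify_manifest(root, forged)
        return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

In practice the manifest hash would be recorded somewhere the collecting party cannot silently rewrite (a signed report, a timestamped deposit with a notary or a third party), which is exactly the kind of mechanism the questions above ask providers to offer.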

International arbitration is trying to undo the “Gordian Knot” of international litigation, but the cloud model may introduce a new variable regarding the different jurisdictions in play with respect to data and applications. To the jurisdiction of the place of arbitration, the law applicable to the procedure, the law applicable to the controversy, the parties’ juridical culture, etc., you now have to add where the data is hosted.