Top
Me
Categories
Literary

Entries in Cloud Computing (4)

Tuesday
Nov032009

Dr. Chenxi Wang's comments on Amazon EC2 side-channel-attack

DateTuesday, November 3, 2009 at 3:48PM

Researchers from MIT and UC San Diego recently demonstrated an attack against Amazon’s EC2 where an attack virtual machine can launch attacks against a victim virtual machine that is located on the same physical server.

Does this mean that there is a security vulnerability within EC2? Yes.

Should you be concerned? Not really.

Read more .. ..

AuthorSaqib Ali | Comments Off |
tagged , , , , in
Saturday
Oct242009

"legal obligation to delete" in the Cloud

DateSaturday, October 24, 2009 at 5:47PM

David Navetta, Esq. CIPP, has published an interesting blog post on the topic of Legal Implications of Cloud Computing.

Mr. Navetta emphasize the need to understand the increasingly complex and interlocking relationships in the Cloud:

The party with whom a company is dealing will often not be the party actually processing data or providing computing services.  This poses compliance challenges (e.g. how to perform/show due diligence) and  contracting challenges (e.g. how to obtain/enforce contractual rights / remedies when one or two layers removed from the company actually doing the processing).

The blog post also highlights the need for proper data retention and destruction policies.

What if the SaaS provider is working on a Cloud Platform that creates residual copies of data that the Cloud User has a legal obligation to delete? What if the SaaS provider works with a Cloud Platform that does not have the technology or capability to properly wipe data? Even if the Cloud Platform has these capabilities, what if the SaaS provider has not negotiated for the right to obtain these services?

My thoughts on Legal Obligation to Delete:

Internet has created a world where "absolute destruction" of data is not easy to achieve. Even when the services are hosted in-house, this type of data destruction is not possible. There could be replicas, backups, off-site backups, DR backups, user created offline replicas, user archives and even printed copies.

I think what is a more achievable is delete in context. Data that loses its context, loses its meaning and is not of much use. So going back to Cloud Services, when I delete an email from my SaaS powered Inbox, the SaaS provider may still have some residual "Sharded" copies of the data. But these residual copies have completely lost their context. And as you traverse down the layers of Cloud Service aggregators (Saas –> PaaS –> IaaS), this residual data becomes more and more meaningless. Re-animating an email from this sharded residual data would be like trying to re-construct a needle by searching for its pieces in a haystack! :-)

AuthorSaqib Ali | Comments Off |
tagged , , in
Wednesday
Oct212009

Habeas Data and Foreign Entities

DateWednesday, October 21, 2009 at 2:35PM

Background:

A constitutional right  granted in many Latin American countries is "Habeas Data" i.e. the right to own your data. Habeas Data can be brought up by any citizen against any manual or automated data register to find out what information is held about his or her person. That person can request the rectification, actualization or even the "destruction" of the personal data held.

Question:

Can a writ of Habeas Data be issued to a Foreign Entity?

My thoughts:

Any volitional disclosure of PII to a entity that is not under the jurisdiction of the said Country would not be covered by this (IMO).  Besides, how would you obtain a writ of Habeas Data for an entity that is outside of the jurisdiction of issuing authority?

Your thoughts:

Please share your thoughts on this as comments below:

AuthorSaqib Ali | Comments Off |
tagged , , in
Monday
Oct192009

EU Data Protection Directive and Cloud Computing

DateMonday, October 19, 2009 at 12:14AM

Tanya L. Forsheit, Esq., CIPP writes about the EU Data Protection Directive and Cloud Computing:

The most notable thing about the EU Directive and member state laws for purposes of cloud computing is this -- in the absence of specific compliance mechanisms, the EU prohibits (yes, you read correctly, prohibits) the transfer of personal information of EU residents out of the EU to the US and the vast majority of countries around the world.

What does this mean for cloud computing?  If you want to put data in the cloud that includes personal information of EU residents (and that might be something as simple as an email address or employment information), and the data will flow from the EU to almost anywhere in the world, you cannot simple throw the data in the cloud and hope for the best.  You need to have, at a minimum, one or more of the following:

  • International Safe Harbor Certification (which allows data transfer from the EU to the US, but not from the EU to other countries);
  • model contracts (which allow data transfer from the EU to non-US countries, but do not always work well with multi-tiered vendor relationships); or
  • Binding Corporate Rules (which are designed for a multinational company and therefore may not function well for cloud provider relationships).

Read more .. ..

 

Safe Harbor Act also known as the European Union Data Protection Directive

  1. The act prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.
  2. US based companies should try to obtain Safe Harbor Certifications
  3. Slightly higher standard than California Privacy Laws. Somewhere between EU and US
  4. Requires you to do the work up-front. 6 months - 1 year of work required. Annual re-certification required
  5. Attaining Safe Harbor certification elevates reputation of the company
AuthorSaqib Ali | Comments Off |
tagged in