OWASP AppSec DC 2012/Private information Protection in Cloud Computing LawsCompliance and Cloud Security Misconceptions

The Presentation
Cloud Computing (CC) is a distributed computing technology and thus is not new. Similar approach has been implemented in multiuser mainframe environment and in client-server architecture. What is completely new is that the technology is based on distributed legal entities' environment. Interfering computing resources and intersecting legal boundaries create completely new environment, which challenges security research. However, CC has been pushed and promoted by numerous providers as ready to use, without adequate security research. Usual consideration of CC security is based on common sense pure technical Ðdata protectionÓ concept, which completely ignores legal ground. In particular, this relates to Personal Information (PI) protection, which is mandated and regulated by numerous US and international laws. In our research we do an attempt to return to where CC security should be starting from _ laws and regulations. US laws protecting Personal Information, for instance federal HIPAA and Massachusetts MGL c.93H and 201 CMR 17.00 Standards, do not contain direct reference to technologies, but require owners of PI engage in certain binding relationship with service providers concerning PI protection. Thus, laws dictate completely different approach to CC security analysis, which should be base on whether and how such binding relationship could be implemented. We use a term of Chain of Trust    to refer to such relationship. We need to note that tons of publications considering PI protection in CC environment simply ignore Chain of Trust matter. How often have we seen exact quote of a law and then interpretation concerning CC related PI protection issues and finally consideration of certain CC solution lawfulness? Not really often, or may be not at all. Our presentation returns the consideration of CC security to the legal ground. Our starting point is three laws covering one of the most vulnerable and wide industry _ health care _ HIPPA Security Rule and HITECH Act, and entire state of Massachusetts _ 201 CMR 17.00 Standards. Our research is based on the consideration of Service Models (SaaS, PaaS and IaaS) and Deployment Models (Private Cloud, Public Cloud and Hybrid Cloud) as they described in two NIST publications _ 800-144 and 800-146. Well organized, but missing serious consideration of PI protecting laws implication on CC services, these documents form a ground for our security research. Each of Service Models' and Deployment Models' legitimacy is considered on the basis of three above mentioned laws, and exact legal obstacles in their implementation are identified. We define our Chain of Trust concept in terms of requiring certain relationship between PI owner and service provider. Following that, we consider necessary binding agreements between PI owner and service provider, and if and how such relationship could be implemented by currently available managerial and technical security means. Finally, we consider some aspects of possible government audit of PI protection compliance. We return to the compliance original meaning instead of widely used but incorrect marketing driven interpretation. Our research provides practical ground and advising how to deal with required Chain of Trust in protecting of personal information in CC environment, and how to avoid future problems during government compliance audit.

The Speakers
Mikhail Utin and Daniil Utin