OWASP AppSec DC 2012/Private Information Protection in Cloud Computing: Laws, Compliance and Cloud Security Misconceptions

The Presentation
Cloud Computing (CC) is a distributed computing technology and thus is not new. A similar approach has been implemented in multiuser mainframe environments and in client-server architecture. What is completely new is that the technology is based on an environment of distributed legal entities. Overlapping computing resources and intersecting legal boundaries create a completely new environment, which challenges security research. However, CC has been pushed and promoted by numerous providers as ready to use, without adequate security research.

The usual consideration of CC security is based on a common-sense, purely technical "data protection" concept, which completely ignores the legal ground. In particular, this relates to Personal Information (PI) protection, which is mandated and regulated by numerous US and international laws. In our research we attempt to return to where CC security should start from: laws and regulations.

US laws protecting Personal Information, for instance the federal HIPAA and the Massachusetts MGL c.93H and 201 CMR 17.00 Standards, do not contain direct references to technologies, but require owners of PI to engage in a certain binding relationship with service providers concerning PI protection. Thus, the laws dictate a completely different approach to CC security analysis, one which should be based on whether and how such a binding relationship could be implemented. We use the term Chain of Trust to refer to such a relationship. We need to note that the many publications considering PI protection in the CC environment simply ignore the Chain of Trust matter. How often have we seen an exact quote of a law, then an interpretation concerning CC-related PI protection issues, and finally a consideration of the lawfulness of a certain CC solution? Not really often, or maybe not at all.

Our presentation returns the consideration of CC security to the legal ground. Our starting point is three laws covering one of the most vulnerable and widest industries, health care (the HIPAA Security Rule and the HITECH Act), and the entire state of Massachusetts (the 201 CMR 17.00 Standards). Our research is based on the consideration of Service Models (SaaS, PaaS and IaaS) and Deployment Models (Private Cloud, Public Cloud and Hybrid Cloud) as they are described in two NIST publications, 800-144 and 800-146. Well organized, but lacking serious consideration of the implications of PI-protecting laws for CC services, these documents form the ground for our security research. The legitimacy of each Service Model and Deployment Model is considered on the basis of the three above-mentioned laws, and the exact legal obstacles to their implementation are identified.

We define our Chain of Trust concept in terms of requiring a certain relationship between the PI owner and the service provider. Following that, we consider the necessary binding agreements between the PI owner and the service provider, and whether and how such a relationship could be implemented by currently available managerial and technical security means. Finally, we consider some aspects of a possible government audit of PI protection compliance. We return to the original meaning of compliance instead of the widely used but incorrect marketing-driven interpretation. Our research provides practical ground and advice on how to deal with the required Chain of Trust in protecting personal information in the CC environment, and how to avoid future problems during a government compliance audit.

The Speakers
Mikhail Utin and Daniil Utin

Mikhail Utin was born in Russia in 1948. He finished his basic engineering education in 1975 and received an MA in Computer Science and Electrical Engineering. His career in Russia included working for research and engineering organizations. He received a Ph.D. in Computer Science in 1988 from the then Academy of Science of the USSR. He was one of the first entrepreneurs in Russia to form a private company. From 1988 to 1990 he successfully worked in the emerging Russian private sector, creating an Information Technology company.

Mikhail held several USSR patents and published numerous articles. He emigrated to the US in 1990 to continue his professional career and to escape from political turmoil. Here in the US he has worked in the information technology and information security fields for numerous companies and organizations, including contracting for the US government. He formed his own IT and IT security consulting company in 1998.

Mikhail is an (ISC)2 certified professional, and participates in ISSA as well. He publishes articles on the Internet and in professional journals, and is a proud reviewer of articles submitted to the (ISC)2's Information Security Journal: A Global Perspective.

His research on the security problems SMBs face in complying with US laws and regulations, “US experience: Laws, Compliance, and Real Life - When everything seems right but simply does not work”, was presented at DeepSec 2011. His current IT security research focuses on security governance, regulations and management as they affect technology and security status.