Karl Wabst's Library
When the federal government finally does undertake the task of legislating around cloud computing, it seems very likely that security measures and data privacy will drive the ship. The TechAmerica Foundation’s CLOUD2 commission today announced a data- and security-heavy set of recommendations to guide the federal government’s efforts in regulating, adopting and promoting the cloud, following up on a recent Brookings Institution discussion on a proposed Cloud Computing Act that focuses on those two issues. This isn’t surprising given that these are two areas in which the government can most directly affect the nature of the cloud.
Not having a strong IT governance framework for making technology-based decisions can be as precarious as riding a bicycle downhill without any brakes.
Members of the European Parliament have demanded to know what lawmakers intend to do about the conflict between the European Union's Data Protection Directive and the U.S. Patriot Act.
The issue has been raised following Microsoft's admission last week that it may have to hand over European customers' data on a new cloud service to U.S. authorities.
Microsoft is set to launch a new cloud service next week. It said it will allocate its customers a region where their information will be physically stored, but said it could not guarantee that it would tell EU customers' details if US authorities sought access to their data.
"Salesforce.com is attempting to make the next version of its Software-as-a-Service-based customer service offering more social-friendly by enabling brands to take Facebook posts and use them for case tracking.
The vendor unveiled version 3 of its Service Cloud at its Cloudforce 2011 conference in New York, enabling users to convert Facebook ‘Wall’ comments into customer service cases to enable agents to tackle any issues more proactively. The previous release of the software only enabled them to answer questions posted on their organisation’s own website."
(Might be time to fill those Privacy roles they have been advertising - KW)
"In some ways, Google is a digital Rome. Instead of extending roads to connect its empire, it builds data centers worldwide and challenges local rule not with swords, but with tools and information.
It is a company that probes the perimeters of censorship in China and tests the limits of privacy laws in Europe, sometimes with consequence, as it expands its cloud computing empire.
On Monday, Google received a letter from 10 nations, including Canada, France and Britain, telling the company that the "privacy rights of the world's citizens are being forgotten as Google rolls out new technological applications.""
"We all know that Internet and communications technology is changing rapidly, creating huge opportunities for business innovation and individual self-expression.
Most people are probably not aware, however, that privacy law is not evolving nearly as quickly. It is time to update legal protections to reflect the impact the digital revolution is having on modern life.
Cloud computing -- a bit of tech-jargon meaning the use of remote servers to store and process data -- is a great example.
The movement of personal and proprietary data off desktop computers and into "the cloud", which is made up of server farms and broadband connections, is a major disruptive trend in computing.
Unless our laws change to account for cloud computing and other equally momentous technology developments, the Constitution's protection against unreasonable search and seizure will become a relic of the past.
The federal law setting standards for government access to personal communications -- the Electronic Communications Privacy Act (ECPA) -- was written more than two decades ago, before the Internet took off. "
Google Inc. this week came swinging at critics who have cited privacy and security concerns in calling on the city of Los Angeles to rethink its plan to implement the Google Apps hosted e-mail and office applications.
In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data and better maintain its privacy.
"From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors.
Meanwhile top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementations in the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the city council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.
The federal government may step up with a set of cloud-security standards to meet government requirements for protecting sensitive data.
Federal CIO Vivek Kundra says he wants to certify cloud services that pass government muster so federal agencies can buy the computing or applications services they need and turn them on quickly.
Revelations on Wednesday that a hacker was able to hijack sensitive Twitter company documents have spurred discussion around the potential security implications of on-demand computing.
As more organizations move toward cloud services, they must consider the possible data security consequences, Amrit Williams, CTO of security and systems management firm BigFix, told SCMagazineUS.com on Thursday.
In the case of Twitter, an intruder using the alias "Hacker Croll" was able to crack the password to a high-ranking employee's personal email account, which in turn, gave him access to that worker's Google Apps account, according to a blog post Wednesday written by Biz Stone, Twitter's co-founder.
A group of computer scientists at the University of Washington has developed a way to make electronic messages “self destruct” after a certain period of time, like messages in sand lost to the surf. The researchers said they think the new software, called Vanish, which requires encrypting messages, will be needed more and more as personal and business information is stored not on personal computers, but on centralized machines, or servers. In the term of the moment this is called cloud computing, and the cloud consists of the data — including e-mail and Web-based documents and calendars — stored on numerous servers.
What would you think if I told you that I could walk into your datacenter, grab 10 of your servers and walk out without lifting any equipment or leaving any trace forensic evidence behind?
With the growing momentum in the federal government for cloud computing and virtualization, this worst case scenario will become reality for some agencies leading the charge into the cloud. Here's why:
Consumers save their e-mail and documents on Google's data centers, put their photos on Flickr and store their social lives on Facebook. Now a host of companies including Amazon and Microsoft wants government agencies to similarly house data on their servers as a way to cut costs and boost efficiency.
But federal officials say it's one thing to file away e-mailed jokes from friends, and another to store government data on public servers that could be vulnerable to security breaches.
The push toward "cloud computing," so named because data and software are housed in remote data centers rather than on-site servers, is the latest consumer technology to migrate to the ranks of government. Companies such as Amazon and Salesforce, which do not typically sell services to the government, want a piece of the business.
Google opened a Reston office last year to sell applications such as Google Docs to federal employees. Silicon Valley-based Salesforce, which has focused on selling to corporations, established a team dedicated to government contracting. Microsoft spent $2.3 billion in 2007 to build data centers for cloud computing, and IBM, Sun Microsystems and HP want to provide the government cloud.
Federal regulators on Tuesday met to hear about whether the benefits of cloud computing justify increased regulation, as privacy activists claim, or whether such an approach would do more harm than good.
"We need to be smarter about dealing with technology, and cloud computing is posing (a) risk for us," said Hugh Stephenson, deputy director for international consumer protection at the Federal Trade Commission's Office of International Affairs.
The FTC convened the two-day meeting in its offices here, which follows a series of similar workshops held in previous years on topics like spam, privacy, and behavioral advertising. The agency may file lawsuits to halt "unfair or deceptive acts or practices," meaning that if cloud computing is not unfair or deceptive, the FTC would likely not have jurisdiction.
To secure personal information on the cloud, regulators may have to answer questions such as which entities have jurisdiction over data as it flows across borders, whether governments can access that information as it changes jurisdiction, and whether there is more risk in storing personal information in data centers that belong to a single entity rather than multiple data centers.
The current panoply of laws at the state, national, and international level have had insufficient results; FTC Commissioner Pamela Jones Harbour cited a 2008 PricewaterhouseCoopers information security survey (PDF) in which 71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored.
With data management practices that are not always clear and are subject to change, companies that offer cloud-computing services are steering consumers into dangerous territory, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.
Already, problems of identity theft are skyrocketing, he said, and without more regulation, data management services may experience a collapse analogous to that of the financial sector.
"I predict we are goi
The Electronic Privacy Information Center formally asked the Federal Trade Commission on Tuesday to investigate the privacy and security safeguards of Gmail, Google Docs and other so-called cloud computing services offered by Google to consumers.
The filing points to a security breach earlier this month that may have improperly exposed the files of Google Docs users to others. It asks the F.T.C. to look into the adequacy of privacy and security safeguards of Google’s services and to require Google to be accountable for breaches. It also asks the agency to force Google to make its security policies more transparent and to disclose any breaches. It also asks the F.T.C. to enjoin Google from offering cloud computing services until it establishes verifiable safeguards. The full filing is available here.
Marc Rotenberg, EPIC’s executive director, said he was concerned about all cloud computing services, which encourage users to store a growing number of documents on the servers of companies like Google, Yahoo, Microsoft and others. But he said that EPIC focused on Google because it is the primary provider of cloud computing services to consumers.
One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain’t easy!"
"Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual’s right to privacy and if I violate that I’ve violated a public trust. That’s a level of responsibility that most computer security people don’t have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature," she joked, "the former may be preferable to the latter."
Stanford’s Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize health records nationwide was moving along in fits and starts, as shown by proposed systems like Microsoft (NSDQ: MSFT)’s Health Vault and Google (NSDQ: GOOG)’s Personal Health Record. "The key problem is who is going to pay for the computerization of health records. It’s not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it’s still a huge problem."
Mucha said that from his perspective security service providers in the cloud and elsewhere are dealing with a shrinking security parameter or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual, who under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has been shared with others for certain purposes.
Cloud services are now vulnerable to malicious use, a security company has suggested, after a techie worked out how Amazon's EC2 service could be used as a BitTorrent file harvester and host.
Amazon's Elastic Compute Cloud (EC2) is a web service software developers can use to access computing, compilation and software trialling power on a dynamic basis, without having to install the resources locally.
Now a developer, Brett O'Connor, has come up with a step-by-step method for using the same service to host an open source BitTorrent application called TorrentFlux.
Getting this up and running on Amazon would require some technical know-how, but would be within the reach of a moderately experienced user, right down to following O'Connor's command line low-down on how to install the public TorrentFlux app straight to Amazon's EC2 rather than a user's local machine.
Finding an alternative way of using BitTorrent matters to hardcore file sharers because ISPs and admins alike are increasingly keen to block such bandwidth-eating traffic on home and business links, and O'Connor's EC2 guide was clearly written to that end - using the Amazon service would make such blocking unlikely.
"I created a web-based, open-source Bittorrent 'machine' that liberated my network and leveraged Amazon's instead," says O'Connor. He then quips "I can access it from anywhere, uploading Torrent files from wherever, and manage them from my iPhone."
However, security company GSS claims the guide shows the scope for possible abuse, using EC2 to host or 'seed' non-legitimate BitTorrent file distribution.
"This means, says Hobson, that hackers and other interested parties can simply use a prepaid (and anonymous) debit card to pay the $75 a month fee to Amazon and harvest BitTorrent applications at high speed with little or no chance of detection," said David Hobson of GSS.
"The danger here is that companies may find their staff FTPing files from Amazon EC2 - a completely legitimate domain - to the firm's computers, resulting in an intern
