Aujas US

An IDG Ventures Company

Ephemeral Borders: Privacy and Security of Data in the Cloud

Privacy in the Cloud is fleeting

Can there be privacy in the Cloud?

Business is expanding across national borders at an accelerating rate.  Most corporations of significant size have facilities in many countries.  Cloud applications and storage offer savings and efficiencies, such as 24/7 availability of data and applications, enhanced access and elimination of costs associated with server maintenance.  Multinational corporations considering implementation or expansion of Cloud use should, however, tread cautiously, and obtain guidance on applicable privacy and security issues.

For example, litigation or government oversight proceedings involving such companies may result in demands for data originating in, say, France, yet stored in Cloud repositories in other countries.  The servers will, for the most part, be located beyond the borders of France.  Personal data, which by definition includes emails, are subject to the European Union Privacy Directives and local enabling law, which hold that the personal data of an individual may not be sent outside the European Economic Area (the E.U. member states plus Norway, Switzerland, Iceland and Liechtenstein) without the individual’s consent.  Appropriately informed consent documents, then, must be drafted.  Additionally, no data of any kind may be sent outside France, pursuant to the Blocking Statute, for use in a foreign judicial proceeding.  Other states, such as Switzerland, have similar statutes.  Criminal penalties lie for violation of these provisions.  Data sent to Cloud repositories with the intent of onward transfer for litigation, then, may run afoul of these laws.  In addition, the Data Protection Authority of the German state of Schleswig-Holstein recently opined that it is a violation of German law to send data to Cloud repositories whose servers are located outside the European Union.

Those companies registered with the U.S. Safe Harbor Program would need to amend their registration to cover personal data held in Cloud repositories.  The Service Level Agreements with the Cloud providers must contain provisions for E.U. levels of security and privacy in the Cloud repositories (other countries where the company does business will have similar provisions) or, perhaps, provisions that the data will not be transferred to or stored in locations outside the country in which the data were created.

Finally, multinationals weighing the significant economic and security advantages the Cloud offers would need documented protocols for Legal Holds on data in Cloud repositories.  Legal Holds are considered “processing” of data in the E.U. and must be carried out in a manner consistent with the Privacy Directives, as must the retrieval and production of such data to governmental agencies and courts.

Security consultants, working closely with U.S.-based counsel experienced in cross-border data disclosure conflicts, can assist in navigating the byways of this new and complicated area of information governance.  This is where Aujas can help.

This article was provided by Kenneth N. Rashbaum, Esq., Rashbaum Associates, LLC.


November 15, 2010 | Posted in Cloud Security, Risk management | 1 Comment

Information Risk Management Concerns in Merger & Acquisition – A Point of View

Integrating Risk, Compliance and Security Components into the Post-Merger Integration Process

Over the last few years, the Merger and Acquisition space has witnessed high growth. However, as experience shows, getting a deal executed is only half the job done. Capturing the actual value in M&A comes from appropriate and timely post-merger integration of people, operations, processes, information systems, and culture.

Historic data indicates that most M&A deals failed to realize value due to ineffective post-merger integration. This has forced companies to look at post M&A integration activity as a program with set milestones. Companies today create separate integration teams with a Project Management Office and clear reporting structure. While companies look at retaining customers and key employees, integrating finance and IT functions, and addressing tax and other operational issues, they often fail to identify and address the risk and control environment. This can affect a company’s security and internal control environment.  Appropriately addressing security, risk and control issues can save time and compliance cost while minimizing business and legal risk for the combined entity.

Key Security, Risk and Control Challenges

1. How to address compliance requirements and create an effective risk and control environment

When two companies merge, their separate compliance requirements need to be integrated. With different structures, processes, geographies and separate applicability, it becomes difficult to remain compliant, especially during post-merger integration.  Further, the risk profile of the merged entity might be different from the pre-merger entities, as there are significant changes in materiality, processes, supporting technology, and control owners.

Implications: Non-compliance, ineffective and inefficient internal audit functions, lack of key risk and control owners, and a higher cost of compliance are some of the common implications.

2. How to manage access rights for employees, customers, affiliates and third parties in an integrated environment

Mergers bring new users, applications and legacy systems that must be integrated to provide simple, fast and secure access to data.  Managing appropriate access to data is therefore critical from both risk and compliance perspectives.  Inappropriate access to confidential data can lead to information leakage and loss of competitiveness, along with non-compliance penalties.

Implications: Failure to manage access rights to business-critical applications and data can lead to:

  • Unauthorized access to critical business data
  • No access for authorized users
  • Excess privileges for some or all users
  • Fewer privileges than authorized users need
  • Operational ineffectiveness due to inappropriate access management
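One practical way to surface the first four implications during integration is an access reconciliation: collapse the entitlement exports of both legacy identity systems into one effective-access view per person, then compare that view against the role baseline agreed for the combined entity. The script below is an added example and is not code from Aujas or from the post; the role baseline, the two source systems ("alphaco" and "betacorp") and the entitlement records are constructed sample data, and the category names are this example's own.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical role baseline agreed for the combined entity: role -> privileges.
ROLE_BASELINE = {
    "finance_analyst": {"gl_read", "ap_read"},
    "finance_manager": {"gl_read", "gl_write", "ap_read", "ap_approve"},
    "hr_specialist": {"hr_read", "payroll_read"},
    "it_admin": {"gl_read", "hr_read", "sys_admin"},
}

# Constructed entitlement exports from the two legacy identity systems
# ("alphaco" and "betacorp" are hypothetical). Tuple: (user, source, role, privileges).
# A role of None means the integration team has not mapped this account to a role.
LEGACY_ENTITLEMENTS = [
    ("alice", "alphaco", "finance_analyst", {"gl_read", "ap_read"}),
    ("alice", "betacorp", None, {"ap_approve"}),          # second identity, extra grant
    ("bob", "betacorp", "finance_manager", {"gl_read", "ap_read"}),
    ("carol", "alphaco", "hr_specialist", {"hr_read", "payroll_read"}),
    ("dave", "betacorp", None, {"sys_admin"}),            # privilege with no approved role
    ("erin", "alphaco", "it_admin", set()),               # role assigned, nothing provisioned
]


@dataclass(frozen=True)
class Finding:
    user: str
    category: str       # excess_privileges | missing_privileges | no_access | no_role
    privileges: tuple   # sorted privileges the finding is about


def effective_access(entitlements):
    """Collapse both legacy systems into one view per user.

    After a merger the same person may exist in both directories; their real
    access is the union of every grant, so that is what gets reviewed. Where a
    user is mapped to a role in more than one export, the last mapping wins.
    """
    access = defaultdict(set)
    roles = {}
    for user, _source, role, privileges in entitlements:
        access[user] |= set(privileges)
        if role is not None:
            roles[user] = role
    return access, roles


def reconcile(entitlements, baseline):
    """Compare each user's effective access with the baseline for their role."""
    access, roles = effective_access(entitlements)
    findings = []
    for user in sorted(access):
        granted = access[user]
        role = roles.get(user)
        if role is None:
            # Any grant without an approved role is unauthorized until reviewed.
            findings.append(Finding(user, "no_role", tuple(sorted(granted))))
            continue
        expected = baseline[role]
        if not granted:
            # Authorized user with nothing provisioned: the "no access" case.
            findings.append(Finding(user, "no_access", tuple(sorted(expected))))
            continue
        excess = granted - expected
        missing = expected - granted
        if excess:
            findings.append(Finding(user, "excess_privileges", tuple(sorted(excess))))
        if missing:
            findings.append(Finding(user, "missing_privileges", tuple(sorted(missing))))
    return findings


def summarize(findings):
    """Count findings per category for the integration PMO status report."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = reconcile(LEGACY_ENTITLEMENTS, ROLE_BASELINE)
    for f in results:
        print(f"{f.user:8} {f.category:20} {', '.join(f.privileges)}")
    print(summarize(results))
```

The union step is the part that matters in an M&A context: reviewing each legacy directory on its own would pass Alice in both systems, while her combined grants exceed her role. Feeding real exports in is a matter of replacing the constructed list with rows read from each system's entitlement report.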

3. How to address privacy requirements of the combined entity

The Personally Identifiable Information (PII) that the two companies hold on employees, business partners and customers is managed through separate privacy programs, processes and systems.

Implications: Disclosure of private information to unauthorized users can lead to regulatory and legal implications.

4. How to manage business continuity during the transition phase while integrating different IT systems, operations and people

Consolidating ERP, CRM and other business applications, combining the complex infrastructures of two organizations, and changing how people access organization data and critical business applications warrants a robust and updated business continuity plan for recovery and continuity in the event of any disaster or malfunction of an IT system or access infrastructure.

Implications: Unavailability of business-critical applications, preventing access to business data.

Next Week – Part 2 – Approach

November 15, 2010 | Posted in identity and access management, IT security, Mergers and Acquisitions, Risk management | Leave a comment

Physical Security Controls – Where Are We Lacking?

In a world of increasing security threats, we’re attacked on both the physical and logical fronts. Logical damage hits an organization’s reputation, goodwill, brand and trust, whereas physical damage at the macro level impacts human lives and the economy. The Mumbai attacks in 2008 (often referred to as 26/11), the London public transit attacks in 2005 (often referred to as 7/7), and of course 9/11 are real-life examples that pointed to deficits in physical security controls.

When we closely examine and measure many current physical security controls, we often identify weaknesses and realize that the controls do not provide the assurance we are looking for. It has become important for an organization to adopt a layered approach when building its physical security controls.

Many physical security controls are reactive in nature, and the responding professionals are often not as skilled as they should be at following a standard operating procedure for a response.  If an organization implements a layered approach to physical security controls, real-time response to complex incidents will probably reduce the risk.

Here’s a macro view of a layered approach:

  • Level 1 – Basic controls in place
  • Level 2 – Converging physical security in a single integrated system with automated standard operating procedures
  • Level 3 – Enable systems on an IP backbone and build strong IT security controls
  • Level 4 – Building KPI framework for physical security controls

With these levels, we are building a maturity framework for physical security systems, starting with basic physical security controls, followed by convergence of those controls on a single integrated platform that can be accessed and monitored, with SOPs enforced, through a web interface from any Web-enabled IP device. With this Web advancement it’s important to build an IT security layer around the physical security controls.  This results in a true state of convergence of both physical and logical controls.

Benefits to an organization by following this approach typically include:

  • Integration of current hybrid physical security controls in a single unified framework that delivers enforcement of procedures on the ground across systems
  • Delivery of strong coordination during incident management
  • Compliance with regulatory physical security control needs
  • Delivery of audit trail from systems that helps in delivering forensic investigation in real-time
  • Monitoring and improvement of physical security control operations
  • Delivery of real-time incident and operations analysis

Attacks are distributed across the enterprise both at a physical and logical level. For security to be effective, it must be organized to react quickly to resolve issues across the enterprise. There is a definite need for systems that can enable a rapid response to security breaches and prompt investigation of events.  Convergence may be the answer!

November 15, 2010 | Posted in IT security, Physical Security controls, Risk management | Leave a comment