Aujas US

An IDG Ventures Company

Windows Azure: Build Secure Applications by Design

Introduction to Azure

The Windows Azure Platform is a Microsoft cloud platform offering that enables customers to deploy applications and data into the cloud. Windows Azure Platform is classified as ‘platform-as-a-service’ and is part of Microsoft’s cloud computing strategy. It provides developers with on-demand computing and storage space to host, scale and manage web applications on the Internet through Microsoft datacenters. The platform provides a cloud operating system called Windows Azure that serves as a runtime for the applications and provides a set of services that allows development, management and hosting of applications off-premises.

Windows Azure has three core components: Compute, Storage and Fabric. As the names suggest, Compute provides a computation environment with Web role and Worker role, while Storage focuses on providing scalable storage (Blobs, Tables, Queue, and Drives) for large-scale needs. Fabric makes up the physical underpinnings of the Windows Azure platform similar to the network of interconnected nodes of servers, high-speed connections, and switches.

Conceptually, the repetitive pattern of nodes and connections suggests a woven or fabric-like nature. Compute and Storage components are part of the Fabric. It also provides high-level application models for intelligently managing the complete application lifecycle, including deployment, health monitoring, upgrades, and de-activation.

Microsoft Azure Security


Consumers are responsible for application and data security with Microsoft Azure, which is under the PAAS model

Cloud security is an evolving world with new threats and challenges. A smart customer would look at all the necessary security risks and would handle all data in cloud with clear risk mitigation plans. Security in the Azure platform is of paramount importance and Microsoft has built security controls into the platform.

Cloud computing models and the security responsibility matrix are defined in the table at right.

Microsoft’s Azure Platform falls under the PAAS model. Microsoft has implemented and provided various security features such as:

  • Identity and Access Management at all levels
  • Isolation of data through separate physical containers
  • On-demand encryption of data in the fabric
  • Run-time security: Full trust versus Partial trust
  • Security libraries

Though Microsoft has built-in security in its architecture with App fabric and SMAPI (Service Management API), companies that move to this platform must ensure the security of their independent applications. The application developers have to use the right tools and APIs to secure and deploy the application. 

There is no “Magic Wand for Security”

Azure has ensured security at various layers within its architecture, at the various VMs and in its Fabric engine. This security assures customers that data is not leaked outside of their VM. Though Azure has security innovations to aid application development and deployment, the responsibility of securing applications is left to the customer.

This means that if end-customers are to have applications that are secure by design and secure by default, it is in the hands of the Azure application developers and architects. Security is not static; threats are constant and have to be mitigated at all levels of the application and platform. Azure provides many security APIs that can be used to protect data and access, but it’s up to the end-customer to decide what is appropriate for the kind of data that needs protection.

As the chart above explains, the PAAS model requires security SMEs with core knowledge of platform-related security and an understanding of the Windows Azure runtime trust models and the security protections and responsibilities of each cloud layer. Companies need to build complex “Gatekeeper”-based designs with the help of design patterns such as control access context, advisor, interceptor, and web roles patterns.

The latest addition to the foundational technologies in the .Net framework is the Windows Identity Foundation (WIF). It enables Azure developers to offload the identity and authentication logic, providing a solid development model based on the separation of concerns pattern. Anything from simple, traditional role-based access to advanced and sophisticated access control policies can be implemented with the help of WIF.

When it comes to cloud-based solutions, it is more important for software designers and developers to anticipate threats at design time than is the case with traditional boxed-product software deployed on servers in a corporate datacenter. Designing secure applications in Azure is about choosing the right sets and understanding the responsibilities. A traditional model of application development will result in the same vulnerable application. But with better knowledge of the Azure platform, it’s possible to build more secure applications in less time and with less effort.

Developers and designers also need to understand the basics of building applications on cloud:

  • Build cloud apps, not apps in the cloud
  • Design fault tolerant systems, nothing fails
  • Design for scalability
  • Loosely couple application stacks (IOC)
  • Design for dynamism
  • Design distributed
  • Build security into every component
  • Backup application & user data
  • Distribute applications

Conclusion

Computing solutions that use Windows Azure are very compelling to companies wishing to trim capital expenditures. However, security remains an important consideration. Security architects and developers need to understand the threats to the software developed for “the cloud” and use appropriate secure design and implementation practices to counter threats in the cloud environment.

The progression from classic client-server computing, to web-enabled applications, to applications hosted in the cloud, has changed the boundaries of applications, and a striving need for compliance drives security. These boundary shifts and compliance requirements make understanding the threats to Windows Azure-based software all the more important.


May 20, 2011 | Cloud Security, identity and access management, Risk management

Amazon EC2 Failures Are a Wakeup Call for Cloud Customers


Building Cloud-friendly applications can help your company manage risk and avoid losses when the host's data center crashes

Early in the morning of April 21, Amazon’s EC2 data center in Virginia crashed, bringing down many popular websites, small businesses and social networking sites.

The strange fact is that, despite the outage, the 99.55% availability defined in the SLA (Service Level Agreement) is still not breached. Let us put aside the other aspects and focus on Cloud services and the new generation of programmers and businesses who use these services. Though the SLA leads to quite an interesting debate, we will leave that to the legal experts.

More often than not, when we discuss building applications in the Cloud, the basic assumption is that of 24×7 service availability. While Cloud service providers strive to live up to this expectation, the onus of designing a system resilient to failures is on the application architects. On the other hand, SLA-driven approaches are very reactive in nature. In the purest sense, SLAs are just a means of trust between the user and the service provider. The fact is that SLAs can never repay losses. It is up to the Architect and CIO to build systems that tolerate such risks (Cloud system failures, connectivity failures, SLAs, etc.).

With Cloud infrastructure, we end up building traditional systems that are tightly coupled and hosted without taking advantage of the availability factor. These shortcomings may be part and parcel of the software world, where functionality takes precedence over all other aspects, but such tolerance cannot be expected in the Cloud paradigm. A failure on the part of the Cloud service provider will bring down the business, and getting back the data becomes a nightmare when all the affected businesses are trying to do the same.

Accommodating and managing these factors are the business risks, which need to be identified. Businesses that do not envision these risks are sure to suffer large-scale losses. The truth is that building such resilient systems is not a very complex task. The basics of all software principles have remained the same whether they are built for the Cloud or enterprise-owned hardware. Mitigating as many risks as possible requires that several basic design and business decisions be made – while considering the software provider – such as:

  • Loosely couple the application
  • Make sure the application follows “Separation of Concerns”
  • Distribute the applications
  • Backup application & user data
  • Setup DR sites with a different Cloud service provider

These decisions involve software that follows these basic designs and business decision managers who identify various service providers to mitigate such risks. Cloud services will force business managers to recognize that availability should not and cannot be taken for granted.

These failures will not stop the adoption of the Cloud but will make customers aware of the potential risks and mitigation plans. A Cloud failure will have a serious impact on the CTO/CIO and the operations head. In a non-Cloud model, a CIO’s role has been noted as very limited. The interaction of the CIO with a CTO in the everyday business is much less. These two executives need to work more closely to protect the business and reduce risk.

The best practices for the Cloud application builders are:

  • Build Cloud applications, not applications in the Cloud
  • Design fault tolerant systems, wherein nothing fails
  • Design for scalability
  • Loosely couple application stacks (IOC)
  • Design for dynamism
  • Design distributed
  • Build security into every component

The best practices are necessary for all the architects who build Cloud applications. Do not simply port a traditional application to the Cloud. They are architecturally different and will not take advantage of the underlying services – and most often – will result in failure.

Remember “Everything fails, all the time.” It is time to think and manage risks and not let the SLA stare at you when you are losing business. Be proactive; build Cloud-friendly applications.

The new world on Cloud looks more promising than ever. However, failures can make us realize that functionality without proper foundation and thought process can have serious repercussions. It is essential for every business to review their risks and redefine their new perimeter in the Cloud.

For more information on how Team Aujas is assisting clients with security risk in the Cloud, please contact Karl Kispert, our Vice President of Sales. He can be reached at karl.kispert@aujas.com or 201.633.4745.

April 27, 2011 | Cloud Security, Data Loss Prevention, Data protection, IT security

Cloud Computing – Security Threats and More…

Companies that struggle to maintain their IT infrastructure often look to cloud computing to provide significant cost savings. However, you must look into the clouds and understand what risks are swirling around when it comes to storing your data.

In a recent survey by CIO Research, respondents rated their greatest concerns about cloud adoption. Security was their top concern, with loss of control over data number two:

  • Security  45%
  • Loss of control over data  26%
  • Integrations with existing systems 26%
  • Availability concerns 25%
  • Performance issues 24%
  • IT governance issues 19%
  • Regulatory/compliance concerns 19%
  • Dissatisfaction with vendor 12%
  • Ability to bring systems back in 11%
  • Lack of customization opportunities 11%
  • Measuring ROI 11%
  • Not sure 7%

Is there security in the cloud?
Security is often an afterthought for cloud service providers. It isn’t built into their applications and is often added as a plug-in. What’s more, if a cloud storage system crashes, millions and millions of pieces of information can be lost, often in spite of backup procedures. In contrast, when we are in the thick client world, the information that is lost can be more easily tracked by the number of PCs or notebooks affected or stolen.

How different should security be in the cloud world?
Business technologies may change, but security fundamentals and lessons learned are still applicable. Some areas to consider for the cloud:

Physical security is a must for any strong security program. The data centre should have a high level of physical security. If sensitive data is being stored, consider deploying biometrics, surveillance cameras monitored by professionals, and very stringent policies for physical access to the system.

Authentication is crucial; whether cloud or corporate, individual network authentication will remain the same. Given the processing power of the cloud, you may choose to implement two-factor authentication, one-time passwords or other authentication tools. In spite of a highly secured processing environment, a weak password has the potential to ruin other safeguards. Maintaining password standards is a must.

Access rights are critical for all the objects inside the cloud. This part of security will not change from the user’s point of view. Some changes are required to manage access by multiple corporations inside the single cloud service provider’s organization.

Strong firewalls are another integral part of today’s security. Even in the cloud, the same rule applies: cloud clients should secure their own networks. The only advantage is they have less information to be secured within their network. The cloud service provider should secure their network with firewalls.

Data integrity is one of the key aspects in security. Today for example, it’s hard for every notebook to implement a cryptographic checksum or hash. But in cloud service this could become commonplace.

Security threats in the cloud

Security threats can come in all forms; let’s consider some of them here. In a cloud-based service, the provider decides where your data is stored and how your data is accessed. If your provider offers virtual boxes, a mischievous user can gain control over a virtual box, attack your data and exploit it. Another security threat in cloud computing is the attack on the perimeter of the cloud. This may range from a simple ping sweep to DoS. A cloud service provider must ensure the data of each company is properly isolated and partitioned; if not, data leakage can be expected.

Another important factor that has to be addressed in the cloud world is the privileges of the power user. How do we handle the administrators and data access? The administrator’s rights are not part of the customer anymore; it is part of the cloud service provider. There should be clear transparency and access records to prevent any misuse by an administrator.

Implementing security in the cloud environment is different than what we are used to in a traditional environment.  However, remembering the fundamentals of information risk management and lessons learned along with an understanding of cloud provider risks, may help you to weather the storms looming in a dark Cloud.

Why should the cloud customer implement security?

Though the cloud promises high security, it’s essential for the cloud customer to implement their own security and maintain standards. An unsecured customer network will attract hackers and is an easy entrance to the cloud.

Data transfer between the cloud service provider and customer should be on a secured connection and the customer should take necessary steps to secure his network from attacks such as the Man in the Middle (MITM).

The applications hosted on the customer network should also be secured. Customers using the cloud to deploy applications should ensure that their software is secured. Unsecured applications can be dangerous for both the cloud service provider and customer.

Cloud security can help only a little if a vulnerable system is left unmaintained or unpatched.

Virus attacks are not going to change in spite of moving your data into the cloud.

How can you do business securely over the cloud?

Before you decide to buy a cloud service, go security shopping. We always bargain based on price, but that is not enough here. You need to bargain for security rights, transparency and privacy.

The legal agreement is the first level of security that you will always require, no matter where you do business. A well prepared agreement can provide all the legal benefits over your data in the cloud. Make sure to include the ownership of the following:

  • Data
  • Data backups
  • Log files

Your day-to-day business runs with the help of data. It’s essential that the cloud service provider shows transparency in his data centre location, physical security, containment measures, and time taken to recover in case of any catastrophe.

End-to-end encryption is a must in cloud computing to ensure the security of data transfer. The customer should require this capability from the provider.

Authentication and proper access rights must also be secured. Given that you can access the applications in the cloud from anywhere, it’s essential to block the entire user account for former employees. This has to be an integral part of the customer’s HR policies.

Patch management is also very important. Though the cloud acts like a versionless world, it is essential that the service provider either informs you about the patches required to access his network or provides automatic patch management. If you use third party clients to access the customer application, you should ensure that these clients are up-to-date with security-related patches.

You should also require log analysis reports, user accounts and privileges reports, uptime/downtime reports, and penetration test/vulnerability assessment reports from the service provider on a regular basis. To ensure more transparency, require that these reports be provided by a third party security company. You should also demand real time security alerts from the service provider.

The last level of security that is often exploited is the application security. How secure is the cloud service provider’s application? There is no real way of knowing it. There are third party security companies and tools available to certify application security. This should be done on a routine rather than a one-off basis.

Social engineering is another threat that has to be addressed. It is essential for the cloud service provider and customer to be aware of such threats and educate their employees.

Phishing attacks will also target cloud consumers. Strong phishing filters should be deployed.

You will also want to involve third party security companies as partners to verify the cloud service provider’s security policies and verify his reports.

Summary

Security should be built as an integral part of the cloud. This is a must for the cloud service provider to gain trust from their customers. Gaining customer trust is the key to winning the cloud service game. Security is an ongoing measure to protect and deal with everyday threats. No matter where you do business you should secure yourself with the best practices.

February 23, 2011 | Cloud Security, Data Loss Prevention, IT security

Right to Internet Use

The United Nations advocates making “Right to Internet Access” a human right, one which countries such as Estonia, France, Finland, Greece and Spain have already implemented. This got me thinking about how we would look at “Right to Internet Use”, e.g., social networking.

We all know the power of social networking, its adoption and growth. According to Facebook, more than 500 million users spend over 700 billion minutes per month on the site. However, not many of us could have imagined its impact on reshaping the political landscape of countries. Perhaps the most talked about example is that of a 26-year-old woman, worried about the state of her country, who wrote on Facebook, “People, I am going to Tahrir Square”. The message soon snowballed into a movement to oust Egyptian President Hosni Mubarak. As another example, China’s reaction to what is called the “Jasmine Revolution” was swift, with filtering and monitoring on popular social media websites and services.

The buzz is about the CSM (Cloud, Social Media, Mobile) phenomenon which is reshaping the Internet world. It’s already established that social networking has overtaken search as the primary reason for users to access the Internet. Facebook has more than 200 million active users who use mobile for access, and these users are twice as active as non-mobile users.

Consumerization of the Enterprise, combined with the CSM phenomenon and recent political events, makes me feel that this is not just about adoption of new technologies but more about changes and impact on the history of mankind. It’s not just about using new technologies and models to provide better services at lower cost to a larger user base. It’s about a medium to communicate, participate and influence changes in the world.

One can think of several positive and negative uses of this phenomenon. If used well, it can bring about necessary changes and revolutions. But it can also be used to spread panic and lead to concepts like “social networking terrorism”.

The CSM phenomenon is too strong and important to be ignored. Would censoring of this medium be possible? Like the Internet, CSM could be considered as a human right, leading to positions on “Right to Internet Use”.

At an Enterprise level, blocking and not adopting CSM is a risk management control which is not sustainable. Users and business would not accept this posture. We need to find answers for the two main reasons why some Enterprises are staying away from adoption of CSM, which are “Confusion and Fear”.

February 23, 2011 | Cloud Security, Enterprise Security, Social networking

Service Oriented Architecture (SOA) Security in the Cloud

According to Gartner, cloud computing is “a style of computing where massively scalable IT-related capabilities are provided ‘as a service’ across the Internet to multiple external customers”. Service-oriented architecture (SOA), on the other hand, is a collection of services that communicate with each other. Says David Linthicum, a widely acknowledged SOA expert, “SOA is an architectural pattern, while cloud computing is a set of enabling technologies as a potential target platform or technological approach for that architecture.” Therefore, SOA and cloud computing are complementary and not mutually exclusive.

For a while now, companies and business leaders have been interested in moving to a cloud environment to enable growth at lower costs. By combining SOA and cloud computing, it becomes possible to reduce the time taken to implement technology, enhance business performance and expose the existing legacy application over the Internet.

Clouds enable outsourcing of many or all IT functions, making regulatory, operational and baseline compliance difficult. Moreover, the complexity involved in combining data, applications and infrastructure with the cloud requires securing the underlying architecture.

The role of SOA in cloud computing is important because a successful cloud solution requires an in-depth understanding of the architecture, the services offered and how to leverage them. Finally, cloud computing becomes part of the architectural arsenal to create a successful SOA.

Security Considerations for SOA

The most common security considerations involving cloud-based services include the following:

Governance control – In a governance-free environment, coordinated cloud service planning and monitoring mechanisms, which are needed to meet security standards, become difficult. In addition, rogue cloud services could wreak havoc on the delicate trust between providers and businesses. Concerns here include not knowing where data resides, what happens to the data if a decision is made to change services, and how the service provider guards customer privacy. Contracts must outline the service provider’s responsibility in case of a breach. The cloud is still evolving and, as a result, processes do not yet have a standard format. Quality-of-service terms and mechanisms for security and privacy are still developing, business continuity issues around failed providers are not well established, and regulatory issues raise many questions.

Infrastructure Security – As the cloud’s infrastructure and resource pool are shared among multiple users, unified monitoring and control has become almost impossible. Relying on the host’s security controls might compromise data, especially as the service provider cannot separate data. The data and the service provider’s hosting process are executed and managed in shared environments. This requires extending trust to external services and permitting secure data residing on company servers to be moved into a less-secure environment. With a heterogeneous infrastructure, the more individual technologies and processes in play, the harder it gets to ensure control and consistency. If the service is hosted on a heterogeneous cloud-based platform, managing security or even changing vendors becomes difficult.

Communication Security – As the cloud inherently provides an elastic platform for providing services, there is a need for these services to communicate with each other to perform various tasks. SOA is moving us from User-to-Business communication to Business-to-Business communication. This new way of communicating brings in many decoupled software components to interact with each other in a standard format. The lack of trusted authorities and lack of security in communication protocols could create havoc for the services.

Software Security – Most of the services today are enabled as stateless machines providing optimized solutions for B2B interactions. This has inherent security issues that have to be addressed through the entire software life cycle, starting from specification through to the release stage.

Service Integration – In an SOA, services integration is often overlooked. “Silo” services have to interact with each other to provide end user solutions. Hence there is high need for security in the SOA integration stage. 

Summary

Contrary to the popular notion that cloud computing will make SOA redundant, they actually complement each other. In fact, having a strong SOA can make the transfer to cloud-based services easier, less complicated and more secure. Cloud-based SOA is all about delivering services with increased agility and efficiency keeping companies competitive and contemporary. To keep up with the new technology, improved security measures, a strong understanding of the cloud plus selection of the right vendor are critical.

January 11, 2011 | Cloud Security, Service oriented architecture

Ephemeral Borders: Privacy and Security of Data in the Cloud

Business is expanding across national borders at an accelerating rate. Most corporations of significant size have facilities in many countries. Cloud applications and storage offer savings and efficiencies, such as 24/7 availability of data and applications, enhanced access and elimination of costs associated with server maintenance. Multinational corporations considering implementation or expansion of Cloud use should, however, tread cautiously, and obtain guidance on applicable privacy and security issues.

For example, litigation or government oversight proceedings involving such companies may result in demands for data originating in, say, France, yet stored in Cloud repositories in other countries. The servers will, for the most part, be located beyond the borders of France. Personal data, which includes emails by definition, are subject to the European Union Privacy Directives and local enabling law, which hold that the personal data of an individual may not be sent outside the European Economic Area (the E.U. member states plus Norway, Switzerland, Iceland and Liechtenstein) without the individual’s consent. Appropriately informed consent documents, then, must be drafted. Additionally, no data of any kind may be sent outside France, pursuant to the Blocking Statute, for use in a foreign judicial proceeding. Other states, such as Switzerland, have similar statutes. Criminal penalties lie for violation of these provisions. Data sent to Cloud repositories, then, with the intent of onward transfer for litigation, may run afoul of these laws. In addition, the Data Protection Authority of the German state of Schleswig-Holstein recently opined that it is a violation of German law to send data to Cloud repositories for which the servers are located outside the European Union.

Those companies registered with the U.S. Safe Harbor Program would require amendment to comprise personal data in the Cloud repositories. The Service Level Agreements with the Cloud providers must contain provisions for E.U. levels of security and privacy in the Cloud repositories (other countries where the company does business will have similar provisions) or, perhaps, provisions that the data will not be transferred to or stored in locations outside the country in which the data were created.

Finally, multinationals considering the significant economic and security advantages the Cloud offers would need documented protocols for Legal Holds for data in Cloud repositories.  Legal Holds are considered “processing” of data in the E.U., and must be done in a manner consistent with the Privacy Directives and for retrieval and production of such data to governmental agencies and courts.  

Security consultants, working closely with U.S.-based counsel experienced in cross-border data disclosure conflicts, can assist in navigating the byways of this new and complicated area of information governance.  This is where Aujas can help.

This article was provided by Kenneth N. Rashbaum, Esq., Rashbaum Associates, LLC

January 4, 2011 | Cloud Security, Data Leak Prevention, Risk management

Operating in the Cloud – Sunny with a Chance of RISK!

Here is a list of some of the most important risks of operating in the cloud today:

  • Loss of governance
  • Data protection
  • Service provider lock-in
  • Compliance risks
  • e-Discovery and litigation support
  • Management interface compromise
  • Network management failure
  • Isolation Failure
  • Insecure/incomplete data deletion
  • Malicious insider

A risk-based approach is the only way to assess a cloud computing deployment decision.

Establish detective and preventive controls specific to each cloud deployment model:

  • SaaS – Browser patching, endpoint security, access reports
  • PaaS – Browser patching, hardening, endpoint security, access reports and vulnerability scanning
  • IaaS – VPN, configuration and patch management, host IDS/IPS, VirtSec appliance, access reports, vulnerability scanning, logging & event management

Identity management is a key area of preventive control focus for all service models.

For more information on how Team Aujas is assisting clients with Security Risks in the Cloud, please email me at karl.kispert@aujas.com

January 4, 2011 | Cloud Security, Data Loss Prevention, Enterprise Security, IT security

Ephemeral Borders: Privacy and Security of Data in the Cloud


November 15, 2010 | Cloud Security, Risk management