in Cloud Computing

Cloud, NIST 800-53

NIST Releases Public Draft SP800-53 Addressing Cybersecurity Threats & Privacy Controls

By InfoLawGroup LLP on February 29, 2012

Yesterday the National Institute of Standards and Technology (NIST) released the 4th revision of its "Security and Privacy Controls for Federal Information Systems and Organizations." Despite the long title, it will ultimately be a mainstay reference for federal agencies required to comply with provisions of the Federal Information Security Management Act (FISMA) and FIPS 200. As a result, it should have a significant effect on cloud security practices affecting commercial non-governmental cloud usage.

Cloud, contracting, cyber insurance, GLB, HIPAA, indemnification, notification, privacy, risk, SB 1386, security breach

Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?

By InfoLawGroup LLP on February 01, 2012

As organizations of all stripes increasingly rely on cloud computing services to conduct their business, the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. However, most Cloud customers find it very difficult to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short-term cost benefits by going into the Cloud, they may be retaining more risk than they want (especially where Cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.

cloud computing, Guidelines, NIST, security measures

Third in our Cloud Computing Webinar Series

By InfoLawGroup LLP on May 20, 2011

In the next in our series of free webinars on cloud computing, Information Law Group Attorney Richard Santalesa examines implications arising from NIST's "Guidelines on Security and Privacy in Public Cloud Computing," with a focus on the legal considerations any team tasked with implementation of security best practices will need to grapple with. To register for this free one-hour webinar on May 24 at 12pm ET, visit http://bit.ly/kyRdku

Breach, Cloud, contracting, forensics, Security, security breach

Data Breach in the Clouds

By InfoLawGroup LLP on March 21, 2011

As we move into 2011 it should be obvious that cloud computing is not a fad, but rather a computing model that is becoming ubiquitous. Cloud computing offers a slew of advantages including efficiency, instant scalability and cost effectiveness. However, these advantages must be balanced against the control organizations may lose over their information technology operations when they are reliant on a cloud provider to provide key processes. The issues that arise out of this loss of control are apparent when considering data breach response and liability in the cloud. When a cloud customer puts its sensitive data into the cloud it is completely reliant on the security and incident response processes of the cloud service provider in order to respond to a data breach. This situation poses many fundamental problems.

NIST Issues Two New Draft Cloud Computing Documents, A Call for Public Comment and a Cloud Wiki

By InfoLawGroup LLP on February 07, 2011

The National Institute of Standards and Technology (NIST) has released for public comment two "new" draft documents centered on cloud computing. The first is a NIST-codified Definition of Cloud Computing (Draft SP 800-145), and the second document is what NIST calls "the first set of guidelines for managing security and privacy issues in cloud computing," titled Guidelines on Security and Privacy in Public Cloud Computing (Draft SP 800-144). In conjunction with the release NIST has also unveiled a new NIST Cloud Computing Collaboration site, which includes various working group listservs and Wikis, to "enable two-way communication among the cloud community and NIST cloud research working groups."

20/20, ABA, client confidentiality, COPRAC, encrypt, encryption, ethics, Formal Opinion Interim No- 08-0002, lawyers, New York State Bar Association, online storage, Opinion 842, professional responsibility, State Bar of California, technology, wifi

Legal Implications of Cloud Computing -- Part Five (Ethics or Why All Lawyers - Not Just Technogeek Lawyers Like Me - Should Care About Data Security)

By InfoLawGroup LLP on October 19, 2010

So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think.