The Cloud - Florida Gulf Coast ARMA Chapter

The Cloud
Earl C. Rich, CRM
We’re Gonna Talk About:
• Define what The Cloud is
• Review Cloud service-types
IT Stuff
• Discuss the different types of Clouds
• Data Security issues in The Cloud
• Legal challenges with The Cloud
RIM Topics
• RIM issues in The Cloud
• Why IT likes The Cloud
• Cloud Horror Stories
More IT Stuff
• Contracts are the key
• Review Cloud Computing Agreements
• Open Discussion / Questions
Contracts
What is “The Cloud”?
“The Cloud” is a metaphor inspired by the cloud symbol used to
represent the Internet in flow charts and diagrams.
Real-World Definition:
Cloud is a style of computing where scalable and elastic IT-related
capabilities are provided as a service to external customers
using Internet technologies.¹
Techie Definition:
Cloud computing describes the disruptive transformation of
IT toward a service-based economy, driven by economic,
technological, and cultural conditions.²
1: Gartner.com
2: Tom Jenkins, “Managing Content in the Cloud” (2011, October)
Cloud Service-Types
Infrastructure as a Service (IaaS)
The capability provided to the consumer is
to provision processing, storage, networks,
and other fundamental computing
resources.
Examples: Apple iCloud or Google Drive
Platform as a Service (PaaS)
PaaS offerings typically include workflow
facilities for application design, application
development, testing, deployment and
hosting.
Examples: Google App Engine or Amazon EC2
Software as a Service (SaaS)
Software is accessible via the client’s Web
browser instead of on a local network or
hard drive.
Examples: Google Apps or webmail
Cloud Computing Diagram
Types of Clouds
Types of Cloud Computing
• Public Cloud – Traditional model where vendors dynamically
allocate resources through web applications.
• Private Cloud – Computing platform is dedicated to a single
customer and can be housed internally or externally.
• Hybrid Cloud – Your organization’s hardware interacts with a
vendor-hosted service (e-mail archiving, web filtering, etc.). This
model can also be used for “Cloud Bursting” where an
organization’s infrastructure is used for normal computing needs,
but cloud resources are used to carry peak loads.
• Community Cloud – Infrastructure is shared between similar
organizations (e.g., all agencies within a government), but not with
other outside parties. This model may also be referred to as a
“government cloud”.
Public, Private and Hybrid Clouds
So Far, So Good… right?
“Cloud computing sounds so sweet and wonderful
and safe ... we should just be aware of the
terminology, if we go around for a week calling it
swamp computing I think you might have the right
mind-set.”
- Ronald Rivest, MIT Computer Science Professor
Source: computerworld.com
The Notorious Nine:
Cloud Computing Top Threats in 2013
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service (DoS) Attacks
6. Malicious Insiders
7. Abuse and Nefarious Use
8. Insufficient Due Diligence
9. Shared Technology Issues
Data Security Concerns
• HIPAA:
  – If the data contains Protected Health Information (45 C.F.R.
    §160.103), then the two groups (yours and theirs) must enter
    into a “business associate contract”
    (45 C.F.R. §164.504(e)(2))
• FMLA and the ADA:
  – Both contain confidentiality provisions that restrict access to
    first aid and safety personnel, supervisors/managers,
    government officials, etc.
    (29 C.F.R. §825.500(g); 29 C.F.R. §1630.14(c)(1))
• Section 817.5681, Florida Statutes:
  – Breach of security for “personal information” (§817.5681(5),
    Fla. Stat.) must be noticed to the owner of the data (you)
    within 10 days, and to residents of Florida within 45 days
    (§817.5681(1)(a); §817.5681(2)(a), Fla. Stat.)
Legal Matters
• Subpoenas:
  – Cloud vendors may be directly served a subpoena (Section
    215 of the U.S. Patriot Act) and may not be allowed to
    disclose the existence or nature of the subpoena.
• E-Discovery/Rule 26 and Destruction Holds:
  – All data, regardless of where it is stored, must be disclosed
    (Rule 26(a), F.R.C.P. (2010)). A party is required to produce
    data in a reasonably usable form, and is required to
    preserve electronically stored information [ESI] once
    litigation is anticipated or has commenced (Rule 37(f),
    F.R.C.P. (2010)).
• Jurisdiction:
  – Both parties should agree on a “home” jurisdiction. If a cloud
    computing provider is located outside of the United States, it
    may be difficult to enforce any judgement of a U.S. court.
RIM Issues
• Public Records Issues:
  – Data stored or created in The Cloud are records (whether F.O.R. or duplicate)!
  – The entity that “owns” the data is responsible for adhering to Chapter 119
  – The data must be retrievable and in a meaningful format to fulfil PRR standards
• 1B-26.003, F.A.C. (1B-26):
  – If the items are File of Record (F.O.R.), then 1B-26 requirements must be met
    (storage methods, security standards, maintenance methods, etc.)
• Records Retention and Destruction:
  – The Cloud provider must be able to maintain records for the prescribed lifecycle
  – The user (you, not them) must have the ability to initiate destruction of records
Cloud Outages/Issues
• Dropbox: January 10, 2013
  – Length of Outage: 16 hours
  – Users Impacted: 175,000,000+
• Facebook: January 28, 2013
  – Length of Outage: 3 hours
  – Users Impacted: 4,500,000 (estimated)
• Amazon.com: January 31, 2013
  – Length of Outage: 49 minutes
  – Users Impacted: 2,600,000 (estimated)
• Microsoft’s Bing.com: February 2 & 22, 2013
  – Length of Outage: 2 hours & 12 hours
  – Users Impacted: 313,000 (estimated)
• Google Drive: March 18 - 19, 2013
  – Length of Outage: 17 hours
  – Users Impacted: 120,000,000+
Source: infoworld.com
Quote of the Day
“Clearly you’re not in control of your data, your
information. It’s a major business interruption. I’m
getting business interruption insurance tomorrow,
believe me.”
- Campbell McKellar, founder of Loosecubes.com
Source: NYTimes.com
Why IT Likes the Cloud
Cloud Computing Value
Pros & Cons of Cloud Computing
A Good Contract is your Key to the Clouds
The main point of this entire presentation is
that care should be taken during the
contracting process to make sure that RIM
issues and concerns are addressed and fully
negotiated in any contract or SLA.
Review of two real-life Cloud Computing agreements
Cloud Computing Roadmap
Questions