Program Slides. - Association of Corporate Counsel

Lost in Cyberspace?
Best Practices for Maintaining
Security on the Internet and in the Cloud
Lost in Cyberspace?
• Preventing, monitoring, and responding to breaches of security and cyber attacks
• Reducing liability for compromises to third party data
• Special risks posed by social media and mobile devices
• “Best practices”
– Physical security
– Contractual agreements
– Policies and procedures
• “Damage control”
– Insurance
– Reporting obligations
– Accounting and valuation consequences
– Litigation options
The in-house perspective
Roberto Facundus
Global Compliance Attorney
salesforce.com, Inc.
• Handles regulatory and compliance issues
• Responsible for public sector/government contracting issues
• Significant experience with internal and government investigations
The auditor’s perspective
Orus Dearman, CISA
Director, Advisory Services
Grant Thornton LLP
• Certified Information Systems Auditor
• Extensive experience with IT security and privacy assessments, audits, and compliance
• Frequent speaker and author on risks associated with cloud computing
• Member of Grant Thornton Cyber Security Committee
The litigator’s perspective
Michael J. Lockerby
Partner
Foley & Lardner LLP
• Litigated cutting edge issues, including computer crimes and trade secret matters, for past 28 years (22 in Richmond)
• Member of Privacy, Security & Information Management and Trade Secret Noncompete Practice Groups
• Chair of Foley D.C. office Litigation Department
The in-house perspective
• Detecting cyberattacks
• Facilities security
• Worldwide security certifications
• Best practices
• User awareness training
What is Cloud Computing?
• Traditional On-premise
– Servers & Datacenters
– Engineers
– Energy Costs
– Pay for disruptive upgrades
– Not elastic
• Cloud On-demand
– Cloud company maintains IT infrastructure & costs
– Upgrades included
– Pay by subscription
– Scales with you
Phishing email
Phishing/Malware Email
Malware attack
Maximum Facilities Security
• 24/7/365 on-site security
• All doors, including cages, are secured through a combination of biometrics and/or proximity card readers
• Multiple security challenges required to reach Salesforce environment
• Low profile fully anonymous exteriors
• Digital camera (CCTV) coverage of entire facility
• Perimeter bounded by concrete bollards/planters
• A silent alarm and automatic notification of appropriate law enforcement officials protect all exterior entrances
• CCTV integrated with access control and alarm system
• Motion-detection for lighting and CCTV coverage
Worldwide Security Certifications
• ISO 27001
• SSAE 16 (SOC 1, 2, and 3)
• GSA “Authority to Operate”
• PCI
• JIPDC (Japan Privacy Seal)
• Tuv (Germany Privacy Mark)
• SysTrust
• TRUSTe
Trust & Transparency
• Success is built on trust. And trust starts with transparency.
• Real-time information on system performance and security
• Live and historical data on system performance
• Up-to-the-minute information on planned maintenance
• Updates on phishing, malware, and social engineering threats
User Awareness Training
• New Hire Training
– All employees and contractors
– Summary of security obligations
• Annual Training Class
– All employees and contractors
– Must take a test and pass
• Newsletters
– Monthly publication to everyone
– Covers relevant and timely security topics
Best Practices
• Implement IP Restrictions
• Consider Two-Factor Authentication
• Secure Employee Systems
– Use malware/spyware utilities
• Strengthen Password Policies
• Require Secure Sessions (https://)
• Decrease Session Timeout Thresholds
• Identify a Primary Security Contact
The auditor’s perspective
• Overview of cloud computing
– Principal characteristics
– Types and models
– Why management is buzzing about this trend
• Risks of cloud computing
• Responding to a security breach
Principal characteristics
• Network enabled
• Abstraction of infrastructure
• Resource democratization
• Services oriented architecture
• Elasticity and dynamism of resources
• Utility model of consumption and allocation
© Grant Thornton. All rights reserved.
Types and models
Types of Clouds
• Public – Shared computer resources provided by an off-site third-party provider
• Private – Dedicated computer resources provided by an off-site third party or use of cloud technologies on a private internal network
• Hybrid – Consisting of multiple public and private clouds
Models of Cloud
• Software as a Service (SaaS) – Software applications delivered over the Internet
• Platform as a Service (PaaS) – Full or partial operating system/development environment delivered over the Internet
• Infrastructure as a Service (IaaS) – Computer infrastructure delivered over the Internet
• Desktop as a Service (DaaS) – Virtualization of desktop systems serving thin clients, delivered over the Internet or a private Cloud
Why management is buzzing about this trend
• Cloud computing is the future of IT
– A new and flexible model for deploying technology
– Extremely reliable and infinitely scalable
– Cost benefits and ease of ownership
– Allows organizations to expand or contract as needs dictate
– Pay for only what you need at any given time
Potential risks
• What are the physical components of the “Clouds”?
– Data Centers: self-hosted, third-party, both, etc.?
– Network circuits and firewalls: who’s managing, who’s watching, etc.?
– Disaster preparedness and recoverability: is there a plan, is it tested, etc.?
– Who is aware of and managing vendor SLAs and are they adequate?
Potential risks (continued)
• Where is the data and how is it protected?
– In-flight, standing still / at-rest, etc.?
– Archives and back-up?
– Unintended uses?
– Data privacy and compliance?
• What is the tone at the top?
– Stakeholder knowledge of attributes and risks
– Have internal controls evolved effectively?
– Who is monitoring internal use of public cloud services?
Six additional risk areas
• Security
• Multi-tenancy
• Data location
• Reliability
• Sustainability
• Scalability
Security risks
• The cloud provider’s security policies are not as strong as the organization’s data security requirements
• Cloud systems which store organization data are not updated or patched when necessary
• Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place
• The physical location of organization data is not properly secured
Multi-tenancy risks
• Organization data is not appropriately segregated on shared hardware, resulting in organization data being inappropriately accessed by third parties
• The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
• The cloud service provider cannot determine the specific location of the organization’s data on its systems
• Organization data resides on shared server space, which might conflict with regulatory compliance requirements for the organization
Data location risks
• The organization is not aware of all of the cloud service provider’s physical location(s)
• The organization does not know where its data is physically or virtually stored
• The cloud service provider moves organization data to another location without informing the organization
• Organization data is stored in international locations and falls under foreign business or national laws/regulations
Reliability risks
• The cloud service provider has quality of service standards which conflict with operational requirements
• During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
– Organization employees cannot access the organization’s data when needed
– Customers are unable to use the organization’s systems (such as placing an order on the organization’s web site) because of performance problems with the cloud provider
Sustainability risks
• In the event the cloud service provider goes out of business, the organization might not be able to retrieve the organization’s data. In addition, another third party might gain access/control of the organization’s data
• The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
• The organization’s business continuity plan does not address the cloud’s service offering being unavailable
• Organization data is compromised as a result of a disaster
Scalability risks
• The cloud service provider’s systems cannot scale to meet the organization’s anticipated growth, both for a short-term spike and/or to meet a long-term strategy
• If the organization decides to migrate all or part of the organization’s system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data
Responding to a breach
• 2011 data breach statistics
• Breaches are costly
• Prevention
• Incident response
• Post incident activity
2011 data breach statistics
• Of 855 security breach incident investigations:
– 98% stemmed from external agents
– 81% utilized some form of hacking
– 69% incorporated malware
– 85% took a week or more to discover (92% by a third party)
– 97% were preventable through intermediate controls
Source: Verizon RISK Team 2012 Data Breach Investigations Report
Breaches are costly
• 6M per event or $197 per record (Ponemon Institute)
• TJX
– 47M+ card numbers stolen, $200M+ in costs
• Hannaford Brothers and Sweetbay
– 4.2M card numbers stolen, 1,800 cases of fraud
• ABN Amro
– 2 million customer records "lost in mail" (DHL)
• DuPont
– $400M in trade secrets breached by inside
Prevention
• Best Practices:
– Establish a data security policy and promote organizational awareness
– Implement appropriate management, operational, and technical security controls
– Collect the minimum amount of personal information necessary to perform a job
– Adhere to local and federal data disposal laws
Incident response
• Prioritize: Consider the functional/information impact and recoverability of the incident
• Notify:
– Determine response requirements based on state law for physical possession, copying, or utilization of personal information
– Notify internal and external stakeholders including government agencies
Incident response (continued)
• Contain: Criteria for determining appropriate strategy
– Need for evidence preservation
– Service availability
– Time and resource requirements
– Duration of the solution (temporary vs. permanent)
Source: NIST Special Publication 800-61 Revision 2, August 2012
Post incident activity
• Lessons Learned
– Incident reporting
– Adherence to policies and procedures
– Corrective and preventable actions
– Symptoms and precursors for future monitoring
– Additional tools or resources needed to detect, analyze, and mitigate future incidents
Source: NIST Special Publication 800-61 Revision 2, August 2012
Resources
• The ABCs of Cloud Computing: A comprehensive cloud computing portal where agencies can get information on procurement, security, best practices, case studies and technical resources. (GSA / http://www.info.apps.gov)
• Successful Case Studies: A report which details 30 illustrative cloud computing case studies at the Federal, state and local government levels. (CIO Council / http://www.info.apps.gov/sites/default/files/StateOfCloudComputingReportFINALv3_508.pdf)
• Cloud Computing Definition: Includes essential characteristics as well as service and deployment models. (NIST / http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800145_cloud-definition.pdf)
• Centralized Cloud Computing Assessment and Authorization: The Federal Risk and Authorization Management Program (FedRAMP) has been established to provide a standard, centralized approach to assessing and authorizing cloud computing services and products. FedRAMP will permit joint authorizations and continuous security monitoring services for government and commercial cloud computing systems intended for multiagency use. It will enable the government to buy a cloud solution once, but use it many times. (CIO Council / http://www.fedramp.gov)
Resources (continued)
• Guidelines on Security and Privacy in Public Cloud Computing: This draft publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment. (NIST / http://csrc.nist.gov/publications/drafts/800-144/Draft-SP800-144_cloud-computing.pdf)
• Cloud Security Alliance: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. (https://cloudsecurityalliance.org/)
• CloudAudit: To provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments. (http://cloudaudit.org/)
The litigator’s perspective
• Litigation: the nuclear option
• Lessons learned in litigation
• When litigation is unavoidable
Litigation: the nuclear option
• Unavoidable under certain circumstances
• Preliminary injunction may be only way to protect trade secrets
• If trade secrets are particularly sensitive, litigation may be “bet the company” case
Lessons learned in litigation
• Physical and electronic security
• Contract provisions
• Marking
• Exit interviews
• Computer forensics
• Use of the Internet
• When litigation is unavoidable:
– Obtaining preliminary injunctive relief
– Effective use of federal and state computer crimes laws
Physical and electronic security
• Locked or limited access
– Physically
– Electronically
• Restrict to those with “need to know”
• Forensic examination
Contract provisions
• Employees and contractors
• Prospective merger or joint venture partners
• Suppliers
• Dealers, distributors and franchisees
• Covenant not to use, disclose, or copy
• Right of audit and inspection
• Consent to preliminary injunctive relief in court
• Choice of forum
“Marking” trade secrets
• Clearly identify confidential information
• Avoid over-designation
• Restrict copying (e.g., numbered paper copies, use of “security paper,” “read only” electronic copies)
Maintaining confidentiality
• Exit interviews with departing employees and dealers, distributors, or franchisees
– Review policies and procedures
– Obtain written certification of compliance
Trust, but verify
• Use computer forensic experts to monitor activity:
– During employment and upon departure
– During contract term and after termination or nonrenewal
Computer forensic experts
• Determine whether sensitive files were accessed, emailed, downloaded, printed
• Review email history
• Recover “deleted” files
• “Clone” computer hard drives of departing employees
• Ensure that employees have no “reasonable expectation of privacy”
– Written policies and procedures
– Periodic reminders
– Informed consent to monitoring
Trade secrets on the Internet?
• Early view:
– “Once a trade secret is posted on the Internet, it is effectively part of the public domain, impossible to retrieve.”
– RTC v. Lerma, 908 F. Supp. 1362, 1368 (E.D. Va. 1995)
– RTC v. Netcom, 923 F. Supp. 1231 (N.D. Cal. 1995)
• Later view:
– Not lost if publication “sufficiently obscure or transient or otherwise limited so that it does not become generally known to … potential competitors”
– DVD Copy Control Ass’n v. Bunner, 10 Cal. Rptr. 3d 185 (Ct. App. 2004)
Trade secrets on the Internet?
• Key circumstances:
– How long was it posted?
– How promptly did the owner act?
– Who saw it?
– How accessible and popular is the site?
– Where does it show up in response to search engine queries?
– How much was disclosed?
Preliminary injunctive relief
• Warranted in cases of actual or threatened use of trade secrets
• If trade secrets not yet disclosed or used, may be only remedy
• Prohibitory injunction
• Mandatory injunction: return of embodiments, assignment of patents
Preliminary injunctive relief
• Primary purpose to preserve “status quo”
– “last, actual peaceable uncontested status”
• Is “status quo” that trade secrets already on the Internet or otherwise gone?
• Computer crimes laws require no showing of trade secret protection
• Effect of contractual arbitration provision
– What if no “carve-out” for preliminary injunctive relief?
– Authority that federal courts can preserve status quo pending arbitration
– Still good law now that most ADR rules authorize preliminary injunctive relief?
Ex parte seizure
• Federal IP law
– Lanham Act permits ex parte seizure of counterfeit goods (15 U.S.C. § 1116(d))
– Copyright Act permits temporary injunctive relief, impoundment (17 U.S.C. §§ 502, 503)
• Trade secret law
– No federal private right of action
– Fed. R. Civ. P. 64 preserves state law seizure remedies (state replevin statutes)
– UTSA, Restatement expressly authorize mandatory injunctions
Practice pointers
• Seek expedited trial and preliminary injunction preserving status quo
– Federal Rule 26(d): expedited discovery
– Federal Rule 65(a)(2): consolidated preliminary injunction hearing, trial on merits
• Submit proposed order with findings and conclusions
– “set forth the reasons for its issuance”
– “be specific in terms”
– “describe in reasonable detail … the act or acts to be restrained”
– Federal Rule 65(d)
Practice pointers
• Make injunction binding by service on “other persons…in active concert or participation with” the parties and their “officers, agents, servants, employees, and attorneys”
– Federal Rule 65(d)(2)
Practice pointers
• Courts have considerable discretion whether to award injunctive relief and how to fashion it
• May win or lose on “intangible” factors: credibility and reasonableness of witnesses, parties, counsel
Federal computer crimes laws
• Electronic Communications Privacy Act (ECPA)
– Wiretap Act prohibits interception of communications
– Stored Communications Act prohibits dissemination or review
• Computer Fraud & Abuse Act (CFAA)
Computer Fraud & Abuse Act
• Prohibits intentional access to computer without authorization, or beyond the scope of any authority
• Applied to employee who erased data on company laptop before resigning
– Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)
De-CFAA-nated?
• U.S. v. Nosal, 676 F.3d 854 (9th Cir. April 2012)
– CFAA provides no remedy against disloyal employees who retrieved confidential information via company user accounts and transferred it to competitor
– Because defendants were authorized to access the computer, access for an unauthorized purpose was not “without authorization” and did not “exceed[] authorized access”
• WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012)
– CFAA provides no remedy against former employee who, before resigning, downloaded employer’s proprietary information at behest of competitor
– WEC policies prohibited using information without authorization or downloading to PC but did not restrict Miller’s authorization to access the information
Fourth Circuit’s rationale
• CFAA allows for criminal prosecution
– But the Copyright Act also criminalizes copying by unlicensed users and licensees exceeding scope of their authorization
• Other “means to reign in rogue employees,” e.g., trade secret law
– But trade secret protection may have been destroyed
Damages for CFAA violations
• Must be > $5,000
– “any reasonable cost to any victim”
• Can include cost of computer forensic expert
– “cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense”
• Some courts require “interruption of service”
• Statutory provision:
– “any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”
State computer crimes laws
• Prohibit “use” of computers “without authority”
• Typical remedies:
– Sealing the record
– Injunctive relief
– Costs and attorneys’ fees
• Can combine with common law claim for “trespass to chattels”
• Hacker reconstructed and sold competitor’s customer list
• Record sealed under Virginia computer crimes statute
• Ex parte TRO and preliminary injunction
– UPS, Inc. v. Matuszek, Case No. 1:97-cv00744 (E.D. Va. 1997)
State computer crimes laws
• Former dealer accessed “dealers only” site, ordered to pay attorneys’ fees + cost of having forensic expert image and analyze computers
– NACCO Materials Handling Group, Inc. v. The Lilly Co., --- F.R.D. ----, 2011 U.S. Dist. LEXIS 143054, 2011 WL 5986649 (W.D. Tenn. Nov. 16, 2011)
• Licensee hired consultant to “work around” and avoid paying for undisclosed “authorization key” to relocate software
• Failure to disclose actionable under CFAA and Connecticut statute
– Roller Bearing Co. of America, Inc. v. American Software, Inc., Case No. 3:07-cv-01516 (D. Conn.)
Questions and answers
Contact information
Roberto Facundus
Global Compliance
Attorney
salesforce.com®
[Address]
Cell: 415.963.2864
rfacundus@salesforce.com
Contact information
Orus Dearman, CISA
Director, Advisory Services
Grant Thornton LLP
2070 Chain Bridge Rd
Vienna, Virginia 22182-2596
Direct: 703.637.4133
Cell: 202.491.6382
orus.dearman@us.gt.com
Contact information
Michael J. Lockerby
Foley & Lardner LLP
Washington Harbour
3000 K Street, N.W.
Washington, D.C. 20007
Direct: 202.945.6079
Cell: 804.399.6089
mlockerby@foley.com