Cloud Compliance And Privacy presented at SOURCE Boston 2009

by Michael Dahn

Tags: Security Privacy Compliance Cloud

Summary: How are companies impacted as they move from virtualization of systems to a complete cloud computing platform? Interestingly enough, there are a number of regulatory and privacy issues to be charted before moving headlong into the future of corporate computing.
This presentation provides a high-level overview of the various things one can mean when saying 'cloud computing' and the various ways each will impact regulatory and privacy considerations. First, it is important to understand differences in language, including "compliance vs. validation", "compromised vs. exposed data", and the details behind the "red flag rules". Once a proper lexicon is defined and outlined, I'll dispel many myths people have about cloud computing and compliance that have been hotly contested in public.
Next, I'll discuss the various business and technical issues to consider, including third-party contracts, baseline configurations, audit logging, and client geographic demographics. Each of these plays an important role, from planning the initial configuration of systems through to the point of compromise. Do companies have to use a compliant cloud network? Who is responsible for the security of the consumer data? What must companies do, at a minimum, to secure their systems? What happens in the event of a compromise if the compromised server no longer exists? This presentation will answer each of these questions to help companies better understand their requirements. These requirements are specific to cloud computing implementations because of their shared-hosting nature and the access such providers have to the operating system.
Finally, we will touch upon the various privacy laws and legislation. Though there are too many laws to address individually, I will explain the difference between data-breach notification, state privacy laws, and federally mandated legislation, and how they apply to the cloud computing platform.
After walking through each of the pitfalls, I will show several case studies and examples of good/poor planning.