Group items tagged

Federal regulators on Tuesday met to hear about whether the benefits of cloud computing justify increased regulation, as privacy activists claim, or whether such an approach would do more harm than good. "We need to be smarter about dealing with technology, and cloud computing is posing (a) risk for us," said Hugh Stephenson, deputy director for international consumer protection at the Federal Trade Commission's Office of International Affairs. The FTC convened the two-day meeting in its offices here, which follows a series of similar workshops held in previous years on topics like spam, privacy, and behavioral advertising. The agency may file lawsuits to halt "unfair or deceptive acts or practices," meaning that if cloud computing is not unfair or deceptive, the FTC would likely not have jurisdiction. To secure personal information on the cloud, regulators may have to answer questions such as which entities have jurisdiction over data as it flows across borders, whether governments can access that information as it changes jurisdiction, and whether there is more risk in storing personal information in data centers that belong to a single entity rather than multiple data centers. The current panoply of laws at the state, national, and international level have had insufficient results; FTC Commissioner Pamela Jones Harbour cited a 2008 PricewaterhouseCoopers information security survey (PDF) in which 71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored. With data management practices that are not always clear and are subject to change, companies that offer cloud-computing services are steering consumers into dangerous territory, said Marc Rotenberg, executive director of the Electronic Privacy Information Center. Already, problems of identity theft are skyrocketing, he said, and without more regulation, data management services may experience a collapse analogous to that

The Electronic Privacy Information Center formally asked the Federal Trade Commission on Tuesday to investigate the privacy and security safeguards of Gmail, Google Docs and other so-called cloud computing services offered by Google to consumers. The filing points to a security breach earlier this month that may have improperly exposed the files of Google Docs users to others. It asks the F.T.C. to look into the adequacy of privacy and security safeguards of Google's services and to require Google to be accountable for breaches. It also asks the agency to force Google to make its security policies more transparent and to disclose any breaches. It also asks the F.T.C. to enjoin Google from offering cloud computing services until it establishes verifiable safeguards. The full filing is available here. Marc Rotenberg, EPIC's executive director, said he was concerned about all cloud computing services, which encourage users to store a growing number of documents on the servers of companies like Google, Yahoo, Microsoft and others. But he said that EPIC focused on Google because it is the primary provider of cloud computing services to consumers.

Things to think about for auditors during a downturn

As IT environments are becoming more complex, enterprises are relying on them more than ever before, said Michael Juergens, principle at Deliotte & Touche, told attendees at an ISACA CACS audit and compliance conference. He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate this risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment. During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said. Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures. A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes. En

"We all know that Internet and communications technology is changing rapidly, creating huge opportunities for business innovation and individual self-expression. Most people are probably not aware, however, that privacy law is not evolving nearly as quickly. It is time to update legal protections to reflect the impact the digital revolution is having on modern life. Cloud computing -- a bit of tech-jargon meaning the use of remote servers to store and process data -- is a great example. The movement of personal and proprietary data off desktop computers and into "the cloud", which is made up of server farms and broadband connections, is a major disruptive trend in computing. Unless our laws change to account for cloud computing and other equally momentous technology developments, the Constitution's protection against unreasonable search and seizure will become a relic of the past. The federal law setting standards for government access to personal communications -- the Electronic Communications Privacy Act (ECPA) -- was written more than two decades ago, before the Internet took off. "

Do you know what your data did last night? Almost none of more than 27 million people who took the RealAge quiz realized that their personal health data was sold to drug companies, who in turned used that information for targeted e-mail marketing campaigns. There's a basic consumer protection principle at work here, and it's the concept of "unfair and deceptive" trade practices. Basically, a company shouldn't be able to say one thing and do another: sell used goods as new, lie on ingredients lists, advertise prices that aren't generally available, claim features that don't exist, and so on. RealAge's privacy policy doesn't mention anything about selling data to drug companies, but buried in its 2,400 words, it does say that "we will share your personal data with third parties to fulfill the services that you have asked us to provide to you." They maintain that when you join the website, you consent to receiving pharmaceutical company spam. But since that isn't spelled out, it's not really informed consent. That's deceptive. Cloud computing is another technology where users entrust their data to service providers. Salesforce.com, Gmail, and Google Docs are examples; your data isn't on your computer -- it's out in the "cloud" somewhere -- and you access it from your web browser. Cloud computing has significant benefits for customers and huge profit potential for providers. It's one of the fastest growing IT market segments -- 69% of Americans now use some sort of cloud computing services -- but the business is rife with shady, if not outright deceptive, advertising.

One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain't easy!" "Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual's right to privacy and if I violate that I've violated a public trust. That's a level of responsibility that most computer security people don't have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature, she joked, "the former may be preferable to the later." Stanford's Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize heath records nationwide was moving along in fits and starts, as shown by proposed systems likeMicrosoft (NSDQ: MSFT)'s Health Vault and Google (NSDQ: GOOG)'s Personal Health Record. "The key problem is who is going to pay for the computerized of health records. It's not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it's still a huge problem." Mucha said that from his perspective security service providers in the cloud and elsewhere are dealing with a shrinking security parameter or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual, who under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has bee

Consumers save their e-mail and documents on Google's data centers, put their photos on Flickr and store their social lives on Facebook. Now a host of companies including Amazon and Microsoft wants government agencies to similarly house data on their servers as a way to cut costs and boost efficiency. But federal officials say it's one thing to file away e-mailed jokes from friends, and another to store government data on public servers that could be vulnerable to security breaches. The push toward "cloud computing," so named because data and software is housed in remote data centers rather than on-site servers, is the latest consumer technology to migrate to the ranks of government. Companies such as Amazon and Salesforce, which do not typically sell services to the government, want a piece of the business. Google opened a Reston office last year to sell applications such as Google Docs to federal employees. Silicon Valley-based Salesforce, which has focused on selling to corporations, established a team dedicated to government contracting. Microsoft spent $2.3 billion in 2007 to build data centers for cloud computing, and IBM, Sun Microsystems and HP want to provide the government cloud.

Cloud services are now vulnerable to malicious use, a security company has suggested, after a techie worked out how Amazon's EC2 service could be used as a BitTorrent file harvester and host. Amazon's Elastic Compute Cloud (EC2) is a web service software developers can use to access computing, compilation and software trialling power on a dynamic basis, without having to install the resources locally. Now a developer, Brett O'Connor, has come up with a step-by-step method for using the same service to host an open source BitTorrent application called TorrentFlux. Getting this up and running on Amazon would require some technical know-how, but would be within the reach of a moderately experienced user, right down to following O'Connor's command line low-down on how to install the public TorrentFlux app straight to Amazon's EC2 rather than a user's local machine. Finding an alternative way of using BitTorrent matters to hardcore file sharers because ISPs and admins alike are increasingly keen to block such bandwidth-eating traffic on home and business links, and O'Connor's EC2 guide was clearly written to that end - using the Amazon service would make such blocking unlikely. "I created a web-based, open-source Bittorrent 'machine' that liberated my network and leveraged Amazon's instead," says O'Connor. He then quips "I can access it from anywhere, uploading Torrent files from wherever, and manage them from my iPhone." However, security company GSS claims the guide shows the scope for possible abuse, using EC2 to host or 'seed' non-legitimate BitTorrent file distribution. "This means, says Hobson, that hackers and other interested parties can simply use a prepaid (and anonymous) debit card to pay the $75 a month fee to Amazon and harvest BitTorrent applications at high speed with little or no chance of detection," said David Hobson of GSS. "The danger here is that companies may find their staff FTPing files from Amazon EC2 - a completely legitimate domain -

What would you think if I told you that I could walk into your datacenter, grab 10 of your servers and walk out without lifting any equipment or leaving any trace forensic evidence behind? With the growing momentum in the federal government for cloud computing and virtualization, this worst case scenario will become reality for some agencies leading the charge into the cloud. Here's why:

A group of computer scientists at the University of Washington has developed a way to make electronic messages "self destruct" after a certain period of time, like messages in sand lost to the surf. The researchers said they think the new software, called Vanish, which requires encrypting messages, will be needed more and more as personal and business information is stored not on personal computers, but on centralized machines, or servers. In the term of the moment this is called cloud computing, and the cloud consists of the data - including e-mail and Web-based documents and calendars - stored on numerous servers.

Proof that George Bush was actually protecting us by limiting access to government information!

At the National Archives and Records Administration's annual conference Thursday, one keynote speaker asked the crowd of several hundred how many of the archivists in attendance were sold on the use of social media. Only a smattering raised their hands. Clearly, it's a challenge for the government to figure out how to navigate complex archival and e-discovery regulations that require it to capture and store all sorts of new content in the age of social media, cloud computing, and seemingly endless storage. "The federal government is in a constantly evolving records environment," Adrienne Thomas, acting archivist of the United States, said in a luncheon speech to the conference. "These are exciting and challenging times." Obama administration ambitions toward cloud computing and more openness only make that issue more complicated. "Many of us in the federal records administrations have struggled with the implications of this new direction," Paul Wester, director of modern records programs at the National Archives, said in an interview. "We deeply believe in transparency and openness, but we are concerned about FOIA, HIPAA, the Privacy Act, personally identifiable information, and compliance with the Disability Act and Federal Records Act."

GoogleApps is an upgade to the Los Angeles computer systems security? Doesn't that explain a lot?! Google Inc. this week came swinging at critics who have cited privacy and security concerns in calling on the city of Los Angeles to rethink its plan to implement the Google Apps hosted e-mail and office applications. In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data and better maintain its privacy. "From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors. Meanwhile top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementations in the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the city council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.

Google Inc. this week came swinging at critics who have cited privacy and security concerns in calling on the city of Los Angeles to rethink its plan to implement the Google Apps hosted e-mail and office applications. In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data and better maintain its privacy. "From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors. Meanwhile top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementations in the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the city council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.

"If you live in Texas, your medical records are definitely up for sale by the state. If you live anywhere else in the United States, they probably are for sale there, too. Medical health records provide key information to researchers, who have lobbied hard to keep them accessible, despite government concerns about the privacy of patient data. The controversy dates back to 1996, when Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to protect patients. "Researchers have very broad access rights to health care records under HIPAA," says Pam Dixon, director of a non-profit called the World Privacy Forum "The rules are pretty loose, and there are a lot of ways to get around them." That's especially true since the act wasn't designed to cover common scenarios today: records stored online in a vast, hackable cloud. In the rush to digitize all electronic health records, Dixon says not everyone is taking the proper steps to de-personalize the data and protect patients."

"The Federal Trade Commission will host a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation."

With increasing dependency on information systems and advances in cloud computing, the smart grid and mobile computing, maintaining the confidentiality and integrity of citizens' personally identifiable information is a growing challenge. A new draft document from the National Institute of Standards and Technology (NIST) addresses that challenge by adding privacy controls to the catalog of security controls used to protect federal information and information systems.

A leading technology advisor to President Obama said in a research note for his investment firm today that privacy and net neutrality will be among the biggest telecommunications issues facing the Federal Communications Commission and the administration going forward. Analyst Blair Levin, who was the co-lead of Obama's technology and innovation team along with nominated FCC Chair Julius Genachowski, wrote in a Stifel Nicolaus research note that the economic crisis and change of administration will shift the focus of telecom policy away from traditional phone companies to "Internet/edge" players. Indeed, Google and other Web video and voice companies like Skype have been increasingly active in recent years at the FCC, pushing particularly for net neutrality rules that would prevent carriers from blocking or charging more for certain content that travels over the Web. Levin said in a note that net neutrality will emerge again as an issue in the new administration for wireless networks. On the other hand, there won't likely be a push for new net neutrality rules for cable, DSL, and fiber network carriers at the FCC. "(There is a) consensus emerging that disputes about whether a wireline network management tool is 'reasonable' (or is actually blocking or degrading traffic) to be resolved on a case-by-case basis," Levin wrote in the note with analysts Rebecca Arbogast and David Kaut. It would be a tough climb to impose rules that force wireless carriers to open their networks. Apple and AT&T successfully argued to lawmakers and regulators to keep their exclusive iPhone contract. Skype's petition to the FCC to force carriers to allow any handset or software to operate on any network was shot down by former FCC Chairman Kevin Martin. He said the biggest "sleeper" issue will be privacy. With a major overhaul of healthcare records to the Web, the rise in behavioral advertising and cloud computing, where information is stored in computers strung across many geographies

IT security typically has been deemed one of those services best provided in-house. But the stigma attached to outsourcing security and Security as a Service -- namely that an outsider does not know your company well enough to protect it -- may be falling away, as businesses look for more ways to cut costs. Certainly, some heavy-hitter providers believe attitudes are changing. This month, McAfee Inc. announced its new SaaS Security Business Unit. Headed by former Hewlett-Packard Co. SaaS executive Marc Olesen, the unit will oversee all McAfee products delivered over the Internet, including security scanning services, Web and email security services and remote managed host-based security software and hardware. Meanwhile, last April, IBM launched some hosted and managed services that it says help midsized businesses better manage risk and improve the security of their IT systems, all while offering cost savings over traditional products. Indeed, much of IBM's security strategy during the next 24 months will focus on moving security technologies into the cloud and expanding its managed services offerings, said Jason Hilling, an enterprise services business line executive with IBM Internet Security Systems. That includes providing some hosted implementations of technologies that once were located only at the customer premises. "Because the economy is struggling, I think there will be enough excitement in the marketplace over the cost benefits of Security as a Service that we are going to see a much higher degree of willingness to look at it as a real viable option," Hilling said. Hilling contended that a midmarket company with between 500 and 700 employees can realize costs savings from 35% to upwards of 60% by doing security as a managed service. Savings diminish as the deployment gets larger and more complicated, and the costs of managed services escalate. Yet outsourcing security is not just about cost. The world is becoming very hostile, said Sadik Al-Abdulla,

Free, vendor-neutral online Data and Privacy in Web 2.0 Summit on August 13th. Thought leaders will present a series of webcasts discussing best practices and case studies on legal issues in online social communities, implications of the smart grid and the Cloud, privacy policies and more: http://www.brighttalk.com/summit/dataprivacy2 Web 2.0 services have been rapidly growing because of the value they offer to businesses and individuals alike. However, with so much information at stake and so little control of employees and customer activities online, how do companies ensure consumer and businesses' data are secure and safe from misuse and malware-related data breach? This summit will focus on minimizing leakage from people, devices and data on the move, keeping consumer and businesses' data secure and safe from misuse and malware-related data breach.

The Federal Trade Commission is planning three public discussions, starting in December, devoted to technology and consumer privacy. According to the FTC, the roundtables will address topics such as social networking, cloud computing, online advertising and mobile marketing, the goal being "to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Behavioral advertising, in particular, has come under fire by privacy groups. Earlier this month, Electronic Frontier Foundation, Consumers Union and other related organizations called for stronger rules limiting what kinds of personal information are collected by marketers and how long they can hold on them.

Dropbox's efforts are so potentially meaningful because the FTC states that, among its chief priorities for any federal rules, are clear, reader-friendly contractual language and privacy policies. While Google is fighting such efforts with lobbyists, Dropbox is giving an example of how to cut legalese from a contract and let users know exactly what they're signing up for.