Source: Congressional Research Service (via Federation of American Scientists)
Cloud computing is fast becoming an integral part of how we communicate with one another, buy music, share photos, conduct business, pay our bills, shop, and bank. Many of the activities that once occurred solely in the physical world, including communications with one another, are increasingly moving to the digital world. What was once a letter to a friend is now a Facebook message; a call to a loved one is now a Skype chat; a private meeting with a business partner is now a video conference call. In short, the cloud is revolutionizing not only how we compute, but also how we live. Where individuals once locked personal or business papers solely in a desk drawer or filing cabinet, they now also store them on someone else’s computer.
In short, cloud computing is a web-based service that allows users to access anything from e-mail to social media on a third-party computer. For instance, Gmail and Yahoo are cloud-based email services that allow users to access and store emails that are saved on each respective service’s computer, rather than on the individual’s computer. As more communications are facilitated through these cloud-based programs, it is no surprise that government and law enforcement would seek to access this stored information to conduct criminal investigations, prevent cyber threats, and thwart terrorist attacks, among other purposes. This prompts the following questions: (1) What legal protections are in place for information shared and stored in the cloud? (2) What legal process must the government follow to obtain this information? and (3) How do these rules differ from those applied in the physical world?
Protections of communications in the physical world flow from the Fourth Amendment and various federal statutes such as the Electronic Communications Privacy Act of 1986 (ECPA), which includes the Stored Communications Act (SCA). Under the Fourth Amendment, government officials are generally prohibited from accessing an individual’s communication, such as tapping into a telephone call or opening a postal letter, without first obtaining judicial approval. In the digital world, courts have by and large required law enforcement to acquire a warrant before accessing the contents of electronic communications, but have permitted law enforcement to access non-content information such as routing data with lesser process. These cases do not seem to distinguish between cloud-based and traditional forms of Internet services.
Federal courts have applied the SCA to various electronic communications including e-mails, messages sent on social networking sites like Facebook and MySpace, and movies posted on video-sharing sites like YouTube. The process for obtaining these communications under the SCA depends on how long the information has been stored with the service provider and how the provider is classified under the SCA. The relatively few cases dealing with cloud computing have required lesser legal process for accessing electronic communications sent via cloud-based services than traditional forms of Internet computing.
In light of this rapidly changing technology, there have been several legislative proposals to augment the Fourth Amendment’s protections for digital communications and update existing statutory protections like the SCA for information shared and stored in the cloud.
As cloud computing and virtualization technologies become mainstream, the need to be able to track data has grown in importance. Having the ability to track data from its creation to its current state or its end state will enable the full transparency and accountability in cloud computing environments. In this paper, we showcase a novel technique for tracking end-to-end data provenance, a meta-data describing the derivation history of data. This breakthrough is crucial as it enhances trust and security for complex computer systems and communication networks. By analyzing and utilizing provenance, it is possible to detect various data leakage threats and alert data administrators and owners; thereby addressing the increasing needs of trust and security for customers’ data. We also present our rule-based data provenance tracing algorithms, which trace data provenance to detect actual operations that have been performed on files, especially those under the threat of leaking customers’ data. We implemented the cloud data provenance algorithms into an existing software with a rule correlation engine, show the performance of the algorithms in detecting various data leakage threats, and discuss technically its capabilities and limitations.
Tracking of Data Leaving the Cloud
Source: HP Labs
Data leakages out of cloud computing environments are fundamental cloud security concerns for both the end-users and the cloud service providers. A literature survey of the existing technologies revealed the inadequacies of current technologies and the need for a new methodology. This position paper discusses the requirements and proposes a novel auditing methodology that enables tracking of data transferred out of Clouds. Initial results from our prototypes are reported. This research is aligned to our vision that by providing transparency, accountability and audit trails for all data events within and out of the Cloud, trust and confidence can be instilled into the industry as users will get to know what exactly is going on with their data in and out of the Cloud.
New GAO Reports
Source: Government Accountability Office
1. Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned. GAO-12-756, July 11.
Privacy, Security and Trust in Cloud Computing
Source: HP Labs
Cloud computing refers to the underlying infrastructure for an emerging model of service provision that has the advantage of reducing cost by sharing computing and storage resources, combined with an on-demand provisioning mechanism relying on a pay-per-use business model. These new features have a direct impact on information technology (IT) budgeting but also affect traditional security, trust and privacy mechanisms. The advantages of cloud computing – its ability to scale rapidly, store data remotely, and share services in a dynamic environment – can become disadvantages in maintaining a level of assurance sufficient to sustain confidence in potential customers. Some core traditional mechanisms for addressing privacy (such as model contracts) are no longer flexible or dynamic enough, so new approaches need to be developed to fit this new paradigm. In this chapter we assess how security, trust and privacy issues occur in the context of cloud computing and discuss ways in which they may be addressed.
Cybersecurity: Authoritative Reports and Resources (PDF)
Source: Congressional Research Service (via Federation of American Scientists)
Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated by individuals, as well as countries. Targets have included government networks, military defenses, companies, or political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a response problematic.
Congress has been actively involved in cybersecurity issues, holding hearings every year since 2001. There is no shortage of data on this topic: government agencies, academic institutions, think tanks, security consultants, and trade associations have issued hundreds of reports, studies, analyses, and statistics.
This report provides links to selected authoritative resources related to cybersecurity issues. This report includes information on
- “Hearings in the 112th Congress”
- “Executive Orders and Presidential Directives”
- “Data and Statistics”
- “Cybersecurity Glossaries”
- “Reports by Topic”
- Government Accountability Office (GAO) reports
- White House/Office of Management and Budget reports
- Cloud Computing
- Critical Infrastructure
- National Strategy for Trusted Identities in Cyberspace (NSTIC)
- Research and Development (R&D)
- “Related Resources: Other Websites”
The report will be updated as needed.
With the introduction of cloud computing and Web 2.0, many applications are moving to the cloud environment. Version control systems have also taken a first step towards this direction. Nevertheless, existing systems are either client-server oriented or completely distributed, and they don’t match exactly the nature of the cloud. In this paper we propose a new cloud version control system focusing on the requirements imposed by cloud computing, that we identified as: concurrent editing, history rewrite, accountability, scalability, security, and fault tolerance. Our plan is to tackle these issues in a systematic way, and we present in this paper an overview of the solutions organized in three separate layers: access API, logical structure, and physical storage.
+ Full Paper (PDF)
How To Track Your Data: The Case for Cloud Computing Provenance
Source: HP Labs
Provenance, a meta-data describing the derivation history of data, is crucial for the uptake of cloud computing to enhance reliability, credibility, accountability, transparency, and confidentiality of digital objects in a cloud. In this paper, we survey current mechanisms that support provenance for cloud computing, we classify provenance according to its granularities encapsulating the various sets of provenance data for different use cases, and we summarize the challenges and requirements for collecting provenance in a cloud, based on which we show the gap between current approaches to requirements. Additionally, we propose our approach, DataPROVE, that aims to effectively and efficiently satisfy those challenges and requirements in cloud provenance, and to provide a provenance supplemented cloud for better integrity and safety of customers’ data.
+ Full Paper (PDF)
The National Institute of Standards and Technology (NIST) has finalized its first set of guidelines for managing security and privacy issues in cloud computing. Guidelines on Security and Privacy in Public Cloud Computing (NIST Special Publication 800-144) provides an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. The document provides insights on threats, technology risks and safeguards related to public cloud environments to help organizations make informed decisions about this use of this technology.… The key guidelines include:
- Carefully plan the security and privacy aspects of cloud computing solutions before implementing them.
- Understand the public cloud computing environment offered by the cloud provider.
- Ensure that a cloud computing solution—both cloud resources and cloud-based applications—satisfy organizational security and privacy requirements.
- Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
The technology industry has long succeeded on the heels of innovation and information being readily available to drive growth and decisions. As organizations capitalize on emerging technology within the fields of mobile, cloud computing, social media and privacy, the opportunity to continually innovate while utilizing the most relevant and available information is critical to success.
As risks in technology continue to evolve, it is important for technology companies to access the most up-to-date information and data-driven insights so they can make fast and right decisions. With our operations in more than 120 countries staffed by 59,000 colleagues, Aon is uniquely positioned to assist clients in this endeavor. Aon’s Technology and Communications (T&C) Industry Report is such an example.
Our second annual T&C report captures the perspectives of the world’s leading risk professionals from the T&C industry and joins that with proprietary research and databases such as Aon’s Global Risk Management Survey and Aon’s Global Risk Insight Platform® (Aon GRIP). We provide this report to allow organizations to benchmark their risk management and risk financing practices and help them identify practices or approaches that may improve the effectiveness of their own risk management strategies.
Download full report in PDF or ePub. Free registration required.
Illegal Internet Streaming of Copyrighted Content: Legislation in the 112th Congress (PDF)
Source: Congressional Research Service (via Pierce Law IP Mall)
Technological developments related to the Internet benefit consumers who want convenient ways to view and hear information and entertainment content on a variety of electronic devices (such as televisions, radios, computers, mobile phones, video game consoles, and portable media players). New technologies offer the potential to help copyright holders promote their creative works for artistic, educational, and commercial reasons. However, new technologies may increase the risk of infringement of the copyright holders’ rights because they often provide faster, cheaper, and easier means of engaging in unauthorized reproduction, distribution, and public performance of copyrighted works than previous technologies. The widespread consumer use of high-speed Internet connections as well as increased reliance on data storage offered by “cloud computing” services may also contribute to infringement problems.
One of these new technologies enables the “streaming” of copyrighted content over the Internet from a website to an end user. There are many legitimate streaming websites such as Hulu, Netflix, YouTube, and HBO GO that offer on-demand streams of television programs, motion pictures, live sporting events, and sound recordings. However, streaming technology can also be misused for facilitating copyright infringement online. So-called “rogue” websites serve as an alternative to the authorized websites, willfully streaming unlawfully obtained copyrighted content to users and thereby infringing the copyright holder’s exclusive right to control public performance of the work. By offering consumers an unlawful alternative for viewing streaming content, these rogue websites may reduce the number of people who would otherwise visit the legitimate providers of copyrighted material.
To enforce their intellectual property rights, copyright holders may file a lawsuit against the alleged infringer. In addition to these civil remedies, the U.S. Department of Justice has the power to criminally prosecute particularly egregious copyright infringers (repeat and large-scale offenders) in order to impose greater punishment and possibly deter other would-be infringers. Yet under the current law, many illegal streaming websites have evaded prosecution due largely to a disparity regarding the criminal penalties available for those who willfully infringe copyrights by means of reproduction and distribution (a felony offense in certain circumstances) and those who infringe copyrights by means of public performance (a misdemeanor).
In March 2011, the U.S. Intellectual Property Enforcement Coordinator recommended Congress amend the law to harmonize penalties for the act of illegally streaming copyrighted content with those applicable to downloading and peer-to-peer file sharing of such protected material: “To ensure that Federal copyright law keeps pace with infringers, and to ensure that DOJ and U.S. law enforcement agencies are able to effectively combat infringement involving new technology, the Administration recommends that Congress clarify that infringement by streaming, or by means of other similar new technology, is a felony in appropriate circumstances.”
Following this recommendation, S. 978 was introduced in the 112th Congress. Commonly referred to as the Commercial Felony Streaming Act, S. 978 would authorize a maximum five-year prison sentence for those who, without authorization, willfully stream commercially valuable copyrighted material for purposes of commercial advantage or private financial gain. It also expands the current felony offense of unauthorized distribution of a pre-release commercial copyrighted work to include “public performance” of such work as an additional basis for prosecution. The Senate Judiciary Committee approved the bill on June 16, 2011, by voice vote, and Senator Leahy reported the bill on June 20 without amendment.
The Cloud: Understanding the Security, Privacy and Trust Challenges
Source: RAND Corporation
The overall objective of The Cloud: Understanding the Security, Privacy and Trust Challenges study is to advise on policy and other interventions which should be considered in order to ensure that European users of cloud environments are offered appropriate protections, and to underpin a world-leading European cloud ecosystem. Cloud computing is increasingly subject to interest from policymakers and regulatory authorities. The European Commission’s recent Digital Agenda highlighted a need to develop a pan-European ‘cloud strategy’ that will serve to support growth and jobs and build an innovation advantage for Europe. However, the concern is that currently a number of challenges and risks in respect of security, privacy and trust exist that may undermine the attainment of these broader policy objectives. Our approach has been to undertake an analysis of the technological, operational and legal intricacies of cloud computing, taking into consideration the European dimension and the interests and objectives of all stakeholders (citizens, individual users, companies, cloud service providers, regulatory bodies and relevant public authorities). We undertook literature and document review, interviews, case studies and held an expert workshop to identify, explore and validate these issues in more depth. The present paper represents the final consolidation of all inputs, suggestions and analyses and contains our recommendations for policy and other interventions.
“The Cloud: Unleashing Global Opportunities” (PDF)
Source: Federal Communications Commission (Chairman Julius Genachowski)
The advent of cloud computing, with its ability to enable collaboration in ways no other technology has before, can multiply the benefits of a free and open Internet.
Consider that in the United States, the number of ads for full-time IT jobs focused on cloud computing grew more than 300 percent last year.
And the benefits of cloud computing and a widely available Internet extend as well to health care, education, and energy – improving quality of life, while also generating new markets and new businesses in each of those categories.
This can be true all over the world. Cloud computing is already a $68 billion global industry, and worldwide cloud adoption is expanding at roughly 17 percent per year, according to Gartner. European companies like Flexiant and Mvine in the U.K. and GreenQloud in Iceland are offering innovative cloud computing solutions.
The opportunities and benefits of cloud computing are not limited by geography. Nor are the challenges to unleashing its opportunities.
Technology Trends 2011: The natural convergence of business and IT
Deloitte’s annual Technology Trends report examines the ever-evolving landscape of technology put to business use. Although it is written from the perspective of the CIO, it will also inform business executives on exciting new possibilities to apply technology to address their most pressing business challenges. This report shares the technology trends we see as relevant for 2011, clustered in two categories:
(Re)Emerging Enablers are trends that many technology executives have spent time, thought and resources on in the past.
- “Almost-Enterprise” Applications
- Cyber Intelligence
- CIOs as Revolutionaries
- The End of the “Death of ERP”
Disruptive Deployments present significant new opportunities to improve business processes, rethink operations or even enter into new business models.
+ Full Report (PDF)