9 hours 29 minutes
in this video will review the risks and legal issues identified in the an Nisa report.
We'll start by examining the risk assessment section,
take a deeper look at the high risks identified, and then finish off by looking at key legal issues
after the initial report outlines security benefits of the cloud. That then provides a description of a systematic method that they used to assess the various scenarios and use cases in the cloud.
They focused on three different use cases. An SME perspective on cloud computing, the impact of cloud computing on service, resilience and cloud computing. An E government such as E health.
Here we can see the rating scale they adopted from I E. C 27,005. I'm not gonna go through the details of how they performed the risk assessment, but is in a great example, to see how you can qualify different scenarios to create a numeric risk rating based on probabilities, business impact
and other factors.
If you come into a situation where you need to qualify risks, I recommend taking a look at this report not just to examine the specific risks that they identify, but also to get a feel for the procedure and structure that they used when going about this exercise.
This table summarizes the distribution of different risks that they identify, then examined in the UNECE report. Each risk was assessed relative to its probability level. Impact level made reference to different vulnerabilities that they also identified. And they make reference to the affected assets the cloud assets that the risk is going to impact.
And then they concluded it all with a defined level of risk
high, medium or low.
The risks were then put into three different categories. Policy and organizational type risks, technical risks and legal risks.
Your time's sake. We're not going to examine each and every one of the risks identified in the knees a report. I recommend you give those a skim. However, in this video, we're gonna take a look across all three of the categories and examine each and every one of the risks deemed as a high level risk. First risk to talk about his vendor lock in
before diving into the specific Let's take a moment to examine the table.
Yes, I took a screenshot from the Nisa Report here. You can see how they examined each one of the risks using the different attributes that I discussed earlier in this video you have probability ranking. How likely is this risk to occur? You have impact. If it does occur, how severe will it be? Given enumeration of applicable vulnerabilities to this particular risk?
And then the report itself. You could see the full item ization of all the different vulnerabilities they've identified and brainstormed on and then below that you have the affected assets, whether the different materials and assets, whether the cloud specific assets or other assets that are gonna be impacted by this risk. And then finally, there's the bottom line conclusion. What is the overall risk score?
So lock in is, ah, high overall risk score. And as we've discussed in earlier videos and modules,
Sassen past based services are much more inclined to vendor lock in. But even I as services and when you're employing concepts like infrastructure is code, what works with one vendor and builds out that virtualized infrastructure may not be directly translatable into another vendor because each particular cloud vendor is gonna have their own nuances and how you
provision specific resource is
the Pacific Resource types the rules around firewalls, what you do, how you structure things. So vendor lock in is definitely a high risk. Very understandable.
Next up, we have loss of governance. This may lead an organization to be unable to meet security requirements or quality of service expectations of their own customers.
Again, the table we can see the probability of this is very high. And there's a variety of vulnerabilities. In fact, quite a few that impact that a loss of governance risk and below the vulnerabilities we have the affected assets. This can include loss of company reputation, loss of customer trusts,
reduction of service delivery, loss of different kinds of data, personal data, even your employee Loyalty and experience can be impacted by the loss of governance.
Moving on. There's a very high probability that compliance challenges can occur in particular if a provider cannot produce the necessary evidence to demonstrate compliance and they don't allow external audits. This demonstrating improving compliance of the providers levels of shared responsibilities could be very difficult.
And ultimately this impact. Your ability is a cloud customer
to assert compliance because you're really relying on the shared responsibilities in the pastor model to achieve compliance and prior videos. We've talked about 10 and isolation and isolation failure is exactly that just the way they Anisa report phrases it. This is the isolating tenants. So it includes
the hyper visor vulnerabilities right? The spectrum meltdown that we spoke about,
making sure that compute itself between virtual machines can't be penetrated. And then, of course, it also includes the tenant data, particularly in the SAS and past models. It's very important that the data of the tenants and that you yourself, which you're gonna have some controls around that data. Hopefully, you make sure that that
that the underlying provider
has good isolation mechanisms and maybe using customer specific encryption keys some of the other methods that we've discussed previously. So what's the problem with a little troublemaker inside the cloud provider? Well, a lot. In fact, the malicious insiders such as cloud administrators, auditors and others that have intimate understanding of the set up conduce a lot of harm.
This includes both current and former employees.
In fact, in mid 2019 former eight of US employee was arrested for export trading large amounts of personally identifiable information from Capital One's AWS storage.
I haven't been closely following this case, and I certainly haven't looked at the court proceeding notes, But you could put a large guess that this individual's prior employment with a WS provided them with a level of familiarity and knowledge on AWS s underlying system
that they were able to navigate things to access this data in ways that the normal person couldn't.
That's why this is overall perceived as a very high risk subpoena. Andy discoveries another high risk area. We talked about E discovery and the collection of information and the chain of custody because one of the problems in the cloud is information to be stored across multiple gear restrictions and you lose some transparency into the information.
And so you want to be very mindful of that. So that evidence can be considered admissible in court and depending on the particular jurisdiction
where the court cases being located, Is it in the United States? Is it in the U. Is in a particular country? The specific laws that they're gonna have in each region may vary a little bit, which makes this a high risk area for cloud
and building on specific jurisdictional laws we have the problem that's just generally associated with having change of jurisdictions, not having that direct insight into the cloud provider, the physical locations of the data, the applicable jurisdictions of the citizens of the data
we've talked about this before. So should be evident that this is indeed a clear risk area.
And finally, we have data protection risks. So back in 2009 this group over in Europe looked at the cloud that looked at that model. They sell a lot of benefits, but they saw that data protection was a big risk and many, many facets.
We've spent a lot of time talking about data protection techniques and strategies that you can use. So it should be no surprise that this risk level is sitting as one of their top risks. Identified in the An Nisa Report
Annex, one of the initial reports identifies many legal issues. I'm gonna cover the top five here so you don't have to spend large amounts of time reading in detail as it's unlikely you'll you'll be tested on the nuances of these different points.
We ended the last slide, talking about data protection as a high level risk high probability risk, and it's to no surprise that it's also a major legal issue for your general understanding of this section. Just remember, data containing personally identifiable information needs to be strongly protected because this type of data, if any, compromise
it can lead to legal issues for
your organization. Class Action Lawsuits Large government finds data is clearly clearly an area that you want to focus on and manage and maintain well. In a cloud environment, confidentiality means data should only be accessed by those authorized individuals that need the access,
and nobody other than those individuals should have
such access. Intellectual property and ownership of the data sent to the card providers is a concern.
Make sure the contracts you have with the providers address this and establish if the provider uses that data in unauthorized manners.
So this includes not just personally identifiable data, but even schematics. Source code, other trade secrets that you might be storing the secret recipe for Kentucky Fried Chicken's seven herbs and spices, for example, all things that are going to be of a particular value to your company.
Professional negligence and disputes over mistakes which result in the loss of data. Unfortunately, if you are a cloud user, you're gonna have your own customers. And if the cloud provider is cause for an air, the end users your own customers. Well, they're going to sue you. They're not going to sue the cloud provider.
Fact the cloud customer may need to go after the cloud provider. In fact, I was just talking about the capital One data heist from AWS Storage Capital One was hit with a class action by all the people whose data was leaked and Capital One. They then came after Amazon declaring negligence on their part
and finally, outsourcing service and changes in control. Cloud customers are, in effect, outsourcing certain services to the provider. Providers may further outsource toe other parties, creating multiple layers. Anisa recommends the additional subcontracting that a provider does be made very clear. The provider makes guarantees on certain service levels,
and the customer may be given control to approve changes
made in the providers outsourcing agreements. Now, if you're a small fish working with a big provider, your ability to influence the negotiations and have this level of control is highly unlikely.
In this video, we went over the risk assessment process. We looked a top security risks. All those things ranked high, and we examined key legal issues from Appendix A of Unease, a report.
This course prepares you to take the CCSK certification by covering material included in the exam. It explains how the exam can be taken and how CCSK certification process works.