Risks and Legal Issues

Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
00:01
>> In this video, we'll review the risks and legal issues identified in the ENISA report. We'll start by examining the risk assessment section, take a deeper look at the high risks identified, and then finish off by looking at key legal issues.
After the ENISA report outlines the security benefits of the Cloud, it then provides a description of a systematic method that they used to assess the various scenarios and use cases in the Cloud. They focused on three different use cases: an SME perspective on Cloud computing, the impact of Cloud computing on service resilience, and Cloud computing in e-government, such as e-health.
Here we can see the rating scale they adopted from IEC 27005. I'm not going to go through the details of how they performed the risk assessment, but it's a great example of how you can qualify different scenarios to create a numeric risk rating based on probabilities, business impact, and other factors. If you come into a situation where you need to qualify risks, I recommend taking a look at this report, not just to examine the specific risks that they identify, but also to get a feel for the procedure and structure that they used when going about this exercise.
This table summarizes the distribution of the different risks that they identified and examined in the ENISA report. Each risk was assessed relative to its probability level and impact level, made reference to the different vulnerabilities that they also identified, and made reference to the affected assets, the Cloud assets that the risk is going to impact. They then concluded it all with a defined level of risk: high, medium, or low. The risks were then put into three different categories: policy and organizational risks, technical risks, and legal risks. For time's sake, we're not going to examine each and every one of the risks identified in the ENISA report; I recommend you give those a skim. However, in this video, we're going to look across all three of the categories and examine each and every one of the risks deemed a high-level risk.
The first risk to talk about is vendor lock-in. Before diving into the specifics, let's take a moment to examine the table, which I took as a screenshot from the ENISA report. Here you can see how they examined each one of the risks using the different attributes that I discussed earlier in this video. You have the probability ranking: how likely is this risk to occur? You have impact: if it does occur, how severe will it be? You have an enumeration of the vulnerabilities applicable to this particular risk, and in the report itself you can see the full itemization of all the different vulnerabilities they identified and brainstormed on. Then below that you have the affected assets: what are the different materials and assets, whether they're Cloud-specific assets or other assets, that are going to be impacted by this risk? Then finally, there's the bottom-line conclusion: what is the overall risk score?
Lock-in has a high overall risk score, and as we've discussed in earlier videos and modules, SaaS- and PaaS-based services are much more inclined to vendor lock-in, but even IaaS services are. When you're employing concepts like infrastructure as code, what works with one vendor and builds out that virtualized infrastructure may not be directly translatable to another vendor, because each particular Cloud vendor is going to have their own nuances in how you provision specific resources, the specific resource types, the rules around firewalls, what you do, and how you structure things. Vendor lock-in is definitely a high risk, which is very understandable.
Next up, we have loss of governance. This may lead an organization to be unable to meet the security requirements or quality-of-service expectations of their own customers. Looking at the table, we can see the probability of this is very high and there's a variety of vulnerabilities, in fact quite a few, that impact the loss of governance risk. Below the vulnerabilities we have the affected assets; this can include loss of company reputation, loss of customer trust, reduction of service delivery, loss of different data, personal data, and even your employee loyalty and experience can be impacted by the loss of governance.
Moving on, there's a very high probability that compliance challenges can occur. In particular, if a provider cannot produce the necessary evidence to demonstrate compliance and they don't allow external audits, demonstrating and improving compliance of the provider's levels of shared responsibilities can be very difficult. Ultimately, this impacts your ability as a Cloud customer to assert compliance, because you're really relying on the shared responsibilities in the pass-through model to achieve compliance.
In prior videos, we've talked about tenant isolation. An isolation failure is exactly that, just the way the ENISA report phrases it: this is about isolating tenants. It includes the hypervisor vulnerabilities, the Spectre and Meltdown issues that we spoke about, making sure that the compute itself between virtual machines can't be penetrated, and then of course it also includes the tenant data, particularly in the SaaS and PaaS models. It's very important for the data of the tenants, and for you yourself, who are hopefully going to have some controls around that data, that you make sure the underlying provider has good isolation mechanisms, maybe using customer-specific encryption keys or some of the other methods that we've discussed previously.
What's the problem with a little troublemaker inside the Cloud provider? Well, a lot. In fact, malicious insiders such as Cloud administrators, auditors, and others that have an intimate understanding of the setup can do a lot of harm, and this includes both current and former employees. In fact, in mid-2019, a former AWS employee was arrested for exfiltrating large amounts of personally identifiable information from Capital One's AWS storage. I haven't been closely following this case and I certainly haven't looked at the court proceeding notes, but you can make a large guess that this individual's prior employment with AWS provided them with a level of familiarity and knowledge of AWS's underlying systems, so that they were able to navigate things to access this data in ways that a normal person couldn't. That's why this is overall perceived as a very high risk.
Subpoena and e-discovery is another high-risk area. We talked about e-discovery, the collection of information, and the chain of custody. One of the problems in the Cloud is that information can be stored across multiple jurisdictions and you can lose some transparency into the information. You want to be very mindful of that so that evidence can be considered admissible in court, and depending on the particular jurisdiction where the court case is located, whether it's in the United States, the EU, or a particular country, the specific laws they're going to have in each region may vary a little bit, which makes this a high-risk area for the Cloud.
Building on specific jurisdictional laws, we have the problem that's just generally associated with changes of jurisdiction: not having that direct insight into the Cloud provider, the physical locations of the data, and the applicable jurisdictions of the citizens whose data it is. We've talked about these before, so it should be evident that this is indeed a clear risk area.
Finally, we have data protection risks. Back in 2009, this group over in Europe looked at the Cloud, they looked at that model, they saw a lot of benefits, but they saw that data protection was a big risk in many facets. We've spent a lot of time talking about data protection techniques and strategies that you can use, so it should be no surprise that this risk is sitting as one of the top risks identified in the ENISA report.
Annex 1 of the ENISA report identifies many legal issues. I'm going to cover the top five here so you don't have to spend large amounts of time reading in detail, as it's unlikely you'll be tested on the nuances of these different points. We ended the last slide talking about data protection as a high-probability risk, and it's no surprise that it's also a major legal issue.
For your general understanding of this section, just remember that data containing personally identifiable information needs to be strongly protected, because if this type of data is compromised, it can lead to legal issues for your organization: class action lawsuits and large government fines. Data is clearly an area that you want to focus on and manage and maintain well in a Cloud environment. Confidentiality means data should only be accessed by those authorized individuals that need the access, and nobody other than those individuals should have such access.
Intellectual property and ownership of the data sent to the Cloud providers is a concern. Make sure the contracts you have with the providers address this and establish whether the provider uses that data in unauthorized ways. This includes not just personally identifiable data, but even schematics, source code, and other trade secrets that you might be storing, the secret recipe for Kentucky Fried Chicken's seven herbs and spices, for example: all things that are going to be of particular value to your company.
Next, professional negligence and disputes over mistakes which result in the loss of data. Unfortunately, if you are a Cloud user, you're going to have your own customers. If the Cloud provider is the cause of an error, the end users, your own customers, well, they're going to sue you; they're not going to sue the Cloud provider. In fact, the Cloud customer may need to go after the Cloud provider. I was just talking about the Capital One data heist from AWS storage: Capital One was hit with a class action by all the people whose data was leaked. Capital One then came after Amazon, declaring negligence on their part.
Finally, outsourcing service and changes in control. Cloud customers are, in effect, outsourcing certain services to the provider. Providers may further outsource to other parties, creating multiple layers. ENISA recommends that the additional sub-contracting a provider does be made very clear. The provider makes guarantees on certain service levels, and the customer may be given control to approve changes made in the provider's outsourcing agreements. Now, if you're a small fish working with a big provider, your ability to influence the negotiations and have this level of control is highly unlikely.
In this video, we went over the risk assessment process, we looked at the top security risks, all those things ranked high, and we examined key legal issues from Appendix A of the ENISA report.