NIST Unveils Cybersecurity Framework

On February 12th, the National Institute of Standards and Technology (NIST) released its long-anticipated Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, together with a companion Roadmap for Improving Critical Infrastructure Cybersecurity. The Framework is issued in accordance with President Obama’s February 19 Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which tasked NIST with developing a cost-effective Framework “to reduce cyber risks to critical infrastructure.” The companion Roadmap discusses NIST’s next steps with the Framework and identifies key areas for development, alignment of cybersecurity standards and practices within the U.S. and globally, and collaboration with private and public sector organizations and standards-developing organizations. K&L Gates attorney Roberta D. Anderson has drafted a white paper describing the Framework and Roadmap and some of the anticipated impacts on the technology industry. You can read the white paper here.

The Impact of PRISM on the U.S. Cloud Industry

The Information Technology & Innovation Foundation (ITIF) recently published a white paper addressing the question, "how much will PRISM cost the U.S. cloud computing industry?"  The answer according to ITIF: a lot.  ITIF projects that, over the next three years, the U.S. cloud industry will lose at least $22 to $35 billion as foreign customers find alternatives outside the U.S. 

The U.S. cloud industry will likely lose revenue as more companies consider other options as a result of the PRISM revelations, but non-U.S. companies will not be the primary driver behind those losses.  Instead, the losses will stem from U.S. companies pursuing alternatives such as internal data centers and private, on-premises clouds. 

Spotlight On Cyber "Cloud" Insurance Coverage

By Roberta D. Anderson

Every company is at cyber risk. Reports of high-profile cyber attacks make headlines almost every day and confirm the reality: cyber attacks are on the rise with unprecedented frequency, sophistication and scale. And it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

The problem is exacerbated by the trend in outsourcing of data handling, processing and/or storage to third-party vendors, including “cloud” providers. A 2012 Ponemon benchmark study found that over 41% of U.S. data breaches are caused by third parties’ errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.” Third-party errors also increase the average cost of a breach “by as much as $43 per record” according to the new 2013 study — significant considering the average cost is $188 per record.

Cybersecurity Webcast Focuses on Risks and What Companies Need to Know

By Marty Stern

The recent rise in frequency and sophistication of cyber attacks underscores the reality that nearly every company faces some sort of risk. Data security breaches and distributed denial-of-service (DDoS) attacks, among others, can target every industry from financial markets to social media. News headlines have highlighted attacks and breaches involving Sony, Citi, the New York Times, and LivingSocial, among others. These attacks create increasing prevention, regulatory, insurance, and recovery costs, suggesting that companies need to be aware of these risks and implement policies and procedures to protect their infrastructure, data, intellectual property, and other assets in efforts to mitigate and avoid exposure.

A K&L Gates presentation entitled “What Your Company Needs to Know about Cybersecurity,” recently focused on these issues and a series of cybersecurity best practices, featuring K&L Gates partners Roberta Anderson, David Bateman, and Bruce Heiman. The program provided an introduction to managing Advanced Persistent Threats on data and infrastructure, understanding the legal and regulatory developments surrounding cybersecurity, dealing with agency and class-action litigation risks, as well as mitigating loss through insurance coverage relating to cyber risks. Noting that no single approach provides a silver bullet, the panel discussed a comprehensive strategy, focusing on prevention and deterrence, pursuit of perpetrators, response to attacks, avoidance of legal/regulatory liability, and loss mitigation.

An audio archive of the webcast is available here (free registration required; password “klgates”). To download the presentation slides, click here. For the additional presentation materials, click here.

NIST Developing Cybersecurity Best Practices

K&L Gates lawyers Nickolas Milonas, Marc Martin, and Paul Stimers have posted an article at TMT Law Watch covering the recent Cyberspace Executive Order signed by President Obama.  "Cybersecurity Executive Order Aims to Increase Information Sharing and Strengthen Defenses" addresses the contents of the order as well as the reception by industry groups, privacy groups and legislators.  A key part of the Executive Order is the requirement that NIST develop cybersecurity best practices within the next eight months:

The order also directs the Commerce Department’s National Institute of Standards and Technology (NIST) to work with companies that operate critical infrastructure components in developing a set of cybersecurity best practices within 240 days of the order. The order requires that NIST’s framework be “technology neutral” and focused on “cross-sector security standards and guidelines applicable to critical infrastructure.” As part of this process, federal agencies will need to review their existing cybersecurity regulations, in consultation with the industries they regulate, to determine if existing measures are consistent with NIST’s new standards.

These best practices will certainly filter down to cloud providers and could eventually be viewed as the minimum industry standard security practices for the cloud industry.  For this reason, cloud providers and cloud customers should pay special attention as they develop.

You can read the full article here.


The Trouble with Rogue Clouds

A recent Symantec survey shows some troubling issues in cloud usage among businesses, including "rogue clouds" and how using them might expose a company's confidential information.

The German Cloud

By: Dr. Friederike Gräfin von Brühl

In an effort to ease concerns regarding security of personal information, some European companies and cloud providers are pushing for a “German Cloud” where customers’ data is held in data centers located only in Germany. This would not only help companies comply with Germany’s strict data protection requirements, but would also keep cloud data out of the reach of other governments, including requests by the US government under the US Patriot Act.

Cloud Security Alliance Seeks to Certify Cloud Providers

The Cloud Security Alliance (CSA), a non-profit coalition of industry practitioners, corporations, associations and other key stakeholders, today announced the CSA Open Certification Framework, an initiative aimed at allowing global, trusted certification of cloud service providers.  The CSA's goal is to increase trust and confidence in cloud security by providing for a level of security certification or attestation for cloud service providers similar to the SAS 70 / SSAE 16 standard in the public accounting industry.

A Guide to Security SLAs in Cloud Agreements -- From Across the Pond

The European Network and Information Security Agency (ENISA) is a center of network and information security expertise for the EU, its member states, the private sector and Europe's citizens that works to develop advice and recommendations on good practice in information security.  On April 2, 2012, ENISA published a guide to monitoring of security service levels in cloud contracts, in which ENISA sets forth a number of service levels that can be used to provide a monitoring framework for cloud customers. The main focus of the guide is on the public sector; however, much of the guide is also applicable to the private sector. 

Lawyers Rise into the Clouds

By: Susan Altman

With limited exceptions, lawyers across America have an ethical duty to not reveal confidential information relating to the representation of a client unless the client consents, a duty to act with appropriate diligence, and a duty to take appropriate steps to safeguard the client’s property. How these duties translate into practical advice for lawyers using cloud computing is the source of much discussion by state bar associations. 

Self-Regulating the Cloud: The CSA STAR Gets Commitment from Vendors

By: Juliana W. Chen

The Cloud Security Alliance (CSA), a non-profit organization that comprises various cloud computing stakeholders, recently announced that several cloud vendors intend to submit reports to the CSA Security, Trust, and Assurance Registry (STAR). What is the CSA STAR, and why have Google, Verizon, Intel, McAfee, and Microsoft agreed to submit reports to it?

NIST Issues Cloud Computing Standards Roadmap and Reference Architecture

The National Institute of Standards and Technology ("NIST"), whose definition of cloud computing has been widely referenced and recognized, has a long-term goal of providing leadership and guidance around cloud computing to effectuate its use in industry and government.  NIST also was designated by the Federal CIO to help accelerate the U.S. government's secure adoption of cloud computing as part of FedRAMP.  To further that effort, NIST recently released a cloud computing reference architecture in which NIST sets forth the components and offerings of cloud computing, as well as a cloud computing standards roadmap in which NIST identified current standards, standards gaps, and standardization priorities.  

Security in an Era of Cloud Computing -- Panel Discussion in Dallas, Texas

For those of you in Dallas, Texas, I'll be on a panel this Thursday, August 25th at the Dallas Technology Summit discussing "Security in an Era of Cloud Computing".  The free event is from 3:00 - 5:00 p.m. at the Hilton Lakes in Grapevine, Texas.  If you're a tennis fan, there will be complimentary tickets to the WTA Texas Open at the same venue immediately after the discussion.

Strengthening U.S. Leadership in Cloud Computing - A Proposed Roadmap

Yesterday the TechAmerica Foundation released a report from the Commission on the Leadership Opportunity in U.S. Deployment of the Cloud ("Cloud2") titled "Cloud First, Cloud Fast: Recommendations for Innovation, Leadership and Job Creation." The Commission, which consists of 71 companies and organizations primarily from industry, developed the report at the encouragement of the Federal Chief Information Officer and the U.S. Department of Commerce.  The Commission was tasked with developing recommendations for accelerating adoption of cloud technologies and to identify public policies that will help foster U.S. innovation, leadership, and economic growth in cloud computing. 

The report delivers detailed guidance through 14 recommendations that are categorized into four themes: Trust, Transnational Data Flows, Transparency, and Transformation.  Of particular interest to those who draft, structure and negotiate cloud computing contracts are the following five recommendations of the Commission. 

Time to Update those Forms -- SAS 70 is Dead

Over the past several years, if a company performed outsourced services (including cloud computing services) that affected the financial statements of another company, the service provider often was required under its customer contract to provide a SAS 70 report.  Indeed, I received a contract last week that contained a provision requiring my client to conduct an annual SAS 70 Type II audit.  The problem is, while SAS 70 has had a nice run, it was replaced in the United States effective June 15, 2011 by Statement on Standards for Attestation Engagements No. 16 ("SSAE 16").  It's time to update those form contracts, because SAS 70 is no longer relevant.

The Expanding Role of the IT Security Team

Ask any customer considering cloud computing services to identify their primary concern, and odds are that security will be somewhere near the top of the list.  That concern is leading some in the industry to contemplate an expanding role for the IT security professional, from developing and implementing corporate security policies to becoming more heavily involved in cloud computing contract negotiations and service level enforcement.  In my experience, however, that is only part of the expanding role of IT security professionals.

German Federal Office for Information Security Publishes Cloud Security Guide

The BSI Publishes Position Paper on Security Recommendations for Cloud Computing Providers

By: Dr. Tobias Bosch


In mid-May 2011, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) published the final version of its position paper on security recommendations for cloud computing providers (cloud service providers, CSPs). The paper builds on the draft that the BSI presented in September 2010 and on the comments received on that draft from providers, users, industry associations and other market participants. Although the BSI's recommendations are not legally binding, the position paper is intended to provide a basis for dialogue between CSPs and cloud users and to serve as a guideline for securing cloud services.

Due Diligence on Cloud Providers

Because cloud computing involves outsourcing an application, infrastructure or function to a third party, cloud computing relationships inherently involve risk.  Examples of these risks include:

  • the third party platform will fail or be severely degraded,
  • the third party will hold data hostage,
  • the third party will use customer data without permission,
  • the third party systems will be susceptible to attacks or hackers, and
  • the third party will "go dark" and data will vanish.

While cloud users can never be immune from these risks, they can mitigate their risks by conducting due diligence on the cloud provider and ensuring that cloud contracts allow for ongoing reviews and audits.

Customs and the Cloud

In an effort to protect confidential company information from snooping border and customs agents, more companies appear to be issuing "snoop-proof" laptops, iPads and cell phones to personnel traveling outside the United States.  These devices have minimal software and are configured to work primarily with cloud-based applications and storage approved by the company.  

Security in the Cloud: A Differentiator or a Roadblock?

One of the most heavily negotiated provisions of a cloud computing contract is the provision dealing with physical and data security. Several years ago, the typical Application Service Provider (ASP) agreement required the service provider to comply with “industry standard security practices” while performing the services. Customers and service providers soon realized the “industry” didn’t have a defined set of security standards.