Wright - Patriot Act Impact - CounterMeasure 2019
Patriot Act Impact on Canadian Organizations Using Cloud Services
By Scott Wright, The Streetwise Security Coach
http://www.securityperspectives.com
November 8, 2013
Copyright 2013. Scott Wright. All rights reserved.
Why do nation-states do surveillance?
To Fight Terrorism…
Why do nation-states do surveillance?
- To protect their citizens, of course
- Also:
  - Economic advantage
  - Military advantage
  - Ideology, persecution and other reasons
- Why does this matter to businesses in Canada?
  - Shareholders
  - Clients
  - Stakeholders
What is the Patriot Act?
Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001
Foreign Intelligence Surveillance Act (1978)
Risks to business from surveillance
Risk = Assets X Vulnerabilities X Threats
Provisions affecting Canadian organizations?
- Removed the requirement that government prove a surveillance target under FISA is a non-U.S. citizen and agent of a foreign power (USA PATRIOT Act, U.S. H.R. 3162, Public Law 107-56, Title II, Sec. 214)
- Gave authorities the ability to share information gathered before a federal grand jury with other agencies (USA PATRIOT Act, U.S. H.R. 3162, Public Law 107-56, Title II, Sec. 203)
- Relaxed requirements can allow collection from any US-controlled organization
  - Even if data centres are not on US soil
Does it matter where the data is?
- For nations that don’t abide by international laws and agreements…
  - NO. It doesn’t matter…
Does it matter where the data is?
- Legally, not really…
  - Mutual Legal Assistance agreements basically exempt requests for “legal investigations” from data protection laws
  - Subsidiaries can be compelled to export data
http://www.zdnet.com/yes-u-s-authorities-can-spy-on-eu-cloud-data-heres-how-7000010653/
Why worry about data in the cloud?
- Represents a “one-stop shop” for attackers
- Businesses have less control
- Security can be complicated
- Terms and conditions are often “one size fits all” to suit the provider
Often the Weakest Link
Who does surveillance of cloud data affect?
- Depends on your assumptions
  - Do authorities follow the publicized laws?
    - Worry about legal liabilities to your clients
  - Or do they overstep?
    - Looks more like a malicious attack
- Worst case?: Any entity that uses the Internet
European concerns in 2011
http://arstechnica.com/tech-policy/2011/12/patriot-act-and-privacy-laws-take-a-bite-out-of-us-cloud-business/
Protecting Public Bodies from PATRIOT Act
- BC Freedom of Information and Protection of Privacy Act (FOIPPA) requires service providers to public bodies:
  1. to make reasonable security arrangements to protect from unauthorized collection, use or disclosure the personal information disclosed to them by their public body clients;
  2. to ensure their storage of and all access to such personal information is restricted to locations within Canada;
  3. to report to the B.C. Government any foreign demands for disclosure of such personal information made to that service provider; and
  4. not to disclose any of such personal information inside or outside Canada in a manner that contravenes FOIPPA.
Which Canadian organizations does it affect?
- Assume nation-states are crossing the line, to some extent
- What could they want with your data or systems?
  - Intellectual property
  - Operations
  - Critical infrastructure
  - High profile clients
    - Vocal
    - Strategic
- Or your partners’ systems or data?
(Slide diagram labels: Rich Data, Metadata)
Types of cloud services and risks
- Range of exposures
  - Free and impulsive
    - Google Search, Maps
  - Membership sites
  - Social media
    - YouTube, G+, Facebook, LinkedIn
  - Storage sites
    - Drive, Dropbox, Box.net
  - Value-added services
    - Android, Salesforce, PayPal
Why you should care about privacy
- Your clients care about their information
  - Not just personal information
- No excuse for allowing misconceptions
Service Providers’ claims of security shape Clients’ perceptions
Attacker’s focus on real vulnerabilities
“Their remote admin access is single factor!”
“We use SSL!”
When is there risk to corporate data?
- When you don’t have total control
  - Cloud use by “apparently self-contained” products
  - Hard to migrate
  - Hard to audit
- When should you avoid?
  - Risk averse
  - Business operations could be compromised
  - Competitive risks
  - Sensitive information assets
  - Potentially targeted clients or partners
How did Snowden change the perceived risks?
- PRISM
- BULLRUN
- Email and other unencrypted transmissions
- Potentially weak or weakened security products or features
- What can be decrypted? How?
- Insiders are a different aspect of the same problem
How should we view the risks?
Risk = Assets X Vulnerabilities X Threats
Options for Canadian organizations?
- Don’t use cloud for sensitive data
- Use end-to-end or persistent encryption
  - What about cloud services with value-added services and specialized functionality?
  - Don’t assume they are encrypted
  - What about encryption of “data in use”?
- Open source security products
  - E.g. Dark Mail, TrueCrypt
Practical internal options?
- When using cloud or any outsourced services
  - Negotiate agreements that closely match your security policies
  - Explicit provisions in case of lawful access requests
  - Cloud providers should follow developments
- Try to implement security to reduce likelihood of data exposure
  - Plausible deniability when asked for lawful access
  - Try to encrypt and wipe when not processing
  - Implement private clouds, virtualized remote access
  - Defence in diversity; layers of open source and proprietary safeguards
What about policies?
- Assume lawful access requests will happen
- Assume nation states will attempt to access your data, or use your infrastructure as a stepping stone
- Be clear on policies for protecting operational data
- Understand legal positioning around lawful access
  - Formulate policies to support legal position
- Educate staff on workflow security
  - Should be no need for “emailing work home”
  - Efficient control
Your clients and partners put trust in your policies
What if your cloud provider is breached?
- Know your commitments to your:
  - Employees
  - Clients
  - Partners
  - Shareholders/Stakeholders
- Reporting
- Remediation
- Compensation/Liabilities
Your clients and partners put trust in your policies
Preparing for a lawful access request
- Should be specific
- How does it affect your SLAs and agreements?
Rethinking “Open Source” solutions
- Momentum is swinging
- Occasional signs of “tampering” with open source software
  - TrueCrypt
- Value in “peer review” must be realized
- Hosting Open Source software internally
- Outsourcing open source software operation to a hosting provider?
http://www.computerweekly.com/feature/Open-source-software-security
Wrap up
1. The USA PATRIOT Act and FISA have always been concerns for Canada and European countries
2. Recent revelations show “worst fears realized”
3. Businesses should be seriously concerned
   - Not just their own data
   - Not just against “normal” hackers
4. Due diligence and risk management can help internally
5. Well-governed Open Source solutions can help externally
Consider risks in both technical and legal contexts
Risk = Assets X Vulnerabilities X Threats
…plus VISA, Walmart, Future Shop, Yahoo, frequent flyer and bonus programs
Don’t forget to fill out a feedback form
Scott Wright
The Streetwise Security Coach
Email: [email protected]
Website: http://www.securityperspectives.com
LinkedIn: http://linkedin/in/scottwright
Twitter: http://twitter.com/streetsec
Podcast: http://socialmediasecurity.com
http://www.securityperspectives.com
613-859-7800