PRESENTATION TITLE1

Patriot Act Impact on Canadian Organizations Using

Cloud Services

By Scott WrightThe Streetwise Security Coachhttp://www.securityperspectives.com

November 8, 2013

Copyright 2013. Scott Wright. All rights reserved.2

Why do nation-states do surveillance?

To Fight Terrorism…

Copyright 2013. Scott Wright. All rights reserved.3

Why do nation-states do surveillance?

� To protect their citizens, of course

� Also:

� Economic advantage

� Military advantage

� Idealogy, persecution and other reasons

� Why does this matter to businesses in Canada?

� Shareholders

� Clients

� Stakeholders

Copyright 2013. Scott Wright. All rights reserved.4

What is the Patriot Act?

Provide Appropriate Tools

Required to Intercept and

Obstruct Terrorism

(PATRIOT) Act of 2001

Foreign Intelligence

Surveillance Act (1978)

Copyright 2013. Scott Wright. All rights reserved.5

Risks to business from surveillance

Risk = Assets X Vulnerabilities X Threats

Copyright 2013. Scott Wright. All rights reserved.6

Provisions affecting Canadian organizations?

� Removed the requirement that government prove a surveillance target under FISA is a non-U.S. citizen and agent of a foreign power� USA PATRIOT Act (U.S. H.R. 3162, Public Law

107-56), Title II, Sec. 214.

� Gave authorities the ability to share information gathered before a federal grand jury with other agencies.[34]� USA PATRIOT Act (U.S. H.R. 3162, Public Law

107-56), Title II, Sec. 203.

� Relaxed requirements can allow collection from any US controlled organization

� Even if data centres are not on US soil

Copyright 2013. Scott Wright. All rights reserved.7

Does it matter where the data is?

� For nations that don’t abide by international laws and agreements…

� NO. It doesn’t matter…

Copyright 2013. Scott Wright. All rights reserved.8

Does it matter where the data is?

� Legally, not really…

� Mutual Legal Asssistance

agreements basically

exempt requests for

“legal investigations” from

data protection laws

� Subsidiaries can be

compelled to export data

http://www.zdnet.com/yes-u-s-authorities-can-spy-on-eu-cloud-data-heres-how-7000010653/

Copyright 2013. Scott Wright. All rights reserved.9

Why worry about data in the cloud?

� Represents a “one-stop shop” for attackers

� Businesses have less control

� Security can be complicated

� Terms and conditions are often “one size fits all” to suit the provider

Often the Weakest Link

Copyright 2013. Scott Wright. All rights reserved.10

Who does surveillance of cloud data affect?

� Depends on your assumptions

� Do authorities follow the publicized laws?

� Worry about legal liabilities to your

clients

� Or do they overstep?

� Looks more like a malicious attack

� Worst case?: Any entity that uses the Internet

Copyright 2013. Scott Wright. All rights reserved.11

European concerns in 2011

http://arstechnica.com/tech-policy/2011/12/patriot-act-and-privacy-laws-take-a-bite-out-of-us-cloud-business/

Copyright 2013. Scott Wright. All rights reserved.12

European concerns in 2011

Copyright 2013. Scott Wright. All rights reserved.13

Protecting Public Bodies from PATRIOT Act

� BC Freedom of Information and Protection of Privacy Act (FOIPPA) requires service providers to public bodies:

1. to make reasonable security arrangements to

protect from unauthorized collection, use or

disclosure the personal information disclosed to

them by their public body clients;

2. to ensure their storage of and all access to

such personal information is restricted to

locations within Canada;

3. to report to the B.C. Government any foreign

demands for disclosure of such personal

information made to that service provider; and

4. not to disclose any of such personal

information inside or outside Canada in a

manner that contravenes FOIPPA.

Copyright 2013. Scott Wright. All rights reserved.14

Which Canadian organizations does it affect?

� Assume nation-states are crossing

the line, to some extent

� What could they want with your data

or systems?

� Intellectual property

� Operations

� Critical infrastructure

� High profile clients

� Vocal

� Strategic

� Or your partners’ systems or data?

Copyright 2013. Scott Wright. All rights reserved.15

Rich Data

Metadata

Types of cloud services and risks

� Range of exposures

� Free and impulsive

� Google Search, Maps

� Membership sites

� Social media

� Youtube, G+, Facebook, Linkedin

� Storage sites

� Drive, Dropbox, Box.net

� Value-added services

� Android, Salesforce, PayPal

Copyright 2013. Scott Wright. All rights reserved.16

Why you should care about privacy

� Your clients care about their information

� Not just personal information

� No excuse for allowing misconceptions

Service Providers’ claims

of security shape

Clients’ perceptions

Attacker’s focus on real vulnerabilities

“Their remote admin access is single factor!”

“We use SSL!”

Copyright 2013. Scott Wright. All rights reserved.17

When is there risk to corporate data?

� When you don’t have total control

� Cloud use by “apparently self-contained” products

� Hard to migrate

� Hard to audit

� When should you avoid?

� Risk averse

� Business operations could be compromised

� Competitive risks

� Sensitive information assets

� Potentially targeted clients or partners

Copyright 2013. Scott Wright. All rights reserved.18

How did Snowden change the perceived risks?

� PRISM

� BULLRUN

� Email and other unencrypted transmissions

� Potentially weak or weakened security products or features

� What can be decrypted? How?

� Insiders are a different aspect of the same problem

Copyright 2013. Scott Wright. All rights reserved.19

How should we view the risks?

Risk = Assets X Vulnerabilities X Threats

Copyright 2013. Scott Wright. All rights reserved.20

Options for Canadian organizations?

� Don’t use cloud for sensitive data

� Use end-to-end or persistent encryption

� What about Cloud services with value added services and specialized functionality

� Don’t assume they are encrypted

� What about encryption of “data in use”?

� Open source security products

� E.g. Dark Mail, TrueCrypt

Copyright 2013. Scott Wright. All rights reserved.21

Practical internal options?

� When using cloud our any outsourced services� Negotiate agreements that closely match your security

policies

� Explicit provisions in case of lawful access requests

� Cloud providers should follow developments� Try to implement security to reduce likelihood of data

exposure

� Plausible deniability when asked for lawful access

� Try to encrypt and wipe when not processing

� Implement private clouds, virtualized remote access

� Defence in diversity; layers of open source and proprietary safeguards

Copyright 2013. Scott Wright. All rights reserved.22

What about policies?

� Assume lawful access requests will happen

� Assume nation states will attempt to access your data, or use your infrastructure as a stepping stone

� Be clear on policies for protecting operational data

� Understand legal positioning around lawful access� Formulate policies to support legal position

� Educate staff on workflow security� Should be no need for “emailing work home”

� Efficient control

Your clients and partners put trust in your policies

Copyright 2013. Scott Wright. All rights reserved.23

What if your cloud provider is breached

� Know your commitments to your:

� Employees

� Clients

� Partners

� Shareholders/Stakeholders

� Reporting

� Remediation

� Compensation/Liabilities

Your clients and partners put trust in your policies

Copyright 2013. Scott Wright. All rights reserved.24

Preparing for a lawful access request

� Should be specific

� How does it affect your SLAs and agreements?

Copyright 2013. Scott Wright. All rights reserved.25

Rethinking “Open Source” solutions

� Momentum is swinging

� Occasional signs of “tampering” with open source software

� TrueCrypt

� Value in “peer review” must be realized

� Hosting Open Source software internally

� Outsourcing open source software operation to a hosting provider?

http://www.computerweekly.com/feature/Open-source-software-security

Copyright 2013. Scott Wright. All rights reserved.26

Wrap up

1. The USA PATRIOT Act and FISA have always been

concerns for Canada and European countries

2. Recent revelations show “worst fears realized”

3. Businesses should be seriously concerned

� Not just their own data

� Not just against “normal” hackers

4. Due diligence and risk management can help

internally

5. Well-governed Open Source solutions can help

externally

Copyright 2013. Scott Wright. All rights reserved.27

Consider risks in both technical and legal contexts

Risk = Assets X Vulnerabilities X Threats

…plus VISA, Walmart, Future Shop,

Yahoo, frequent flyer and bonus programs

Copyright 2013. Scott Wright. All rights reserved.28

Don’t forget to fill out a feedback form

Scott Wright

The Streetwise Security Coach

Email: swright@securityperspectives.com

Website: http://www.securityperspectives.com

LinkedIn: http://linkedin/in/scottwright

Twitter: http://twitter.com/streetsec

Podcast: http://socialmediasecurity.com

http://www.securityperspectives.com

613-859-7800

28

Copyright 2013. Scott Wright. All rights reserved.29

Don’t forget to fill out a feedback form

Scott Wright

The Streetwise Security Coach

Email: swright@securityperspectives.com

Website: http://www.securityperspectives.com

LinkedIn: http://linkedin/in/scottwright

Twitter: http://twitter.com/streetsec

Podcast: http://socialmediasecurity.com

http://www.securityperspectives.com

613-859-7800

29