On Friday the Obama administration released the second draft version of the National Strategy for Trusted Identities in Cyberspace (“NSTIC”). The trusted ID plan is part of the Obama administration's Cyberspace Policy Review, released in May 2009. This new draft places the effort to create an online identification system with the private sector, with the government serving in a coordinating capacity.
The press release emphasizes the importance of the Internet to commerce but also its “online fraud and identity theft, that harm consumers and cost billions of dollars each year.” By making online transactions trustworthy “we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation.”
Key elements of the trusted identification systems suggested by the strategy include the ability to opt into the system, different types of credentials for different categories of access, and preservation of an anonymous option. The strategy promises benefits such as faster transaction processing, age restriction for content, easier smartphone transactions and enhanced public safety.
Much criticism of the strategy has come from privacy advocates. This latest draft emphasizes that identification systems will be optional and will not abolish anonymity. At the announcement of the latest draft, Commerce Secretary Gary Locke dismissed such worries as conspiracy theories.
Your company may soon face more regulations on how it gathers and maintains customer data online. On Tuesday April 11, 2011, Sens. John Kerry (D) of Massachusetts and John McCain (R) of Arizona introduced a new bill titled the Commercial Privacy Bill of Rights Act of 2011. If passed, the bill would impose new responsibilities on companies to disclose what data is collected from online visitors to their sites and would entitle users to opt out.
The bill seems to be directed at re-advertisers. It explicitly states that it will target companies that take information solely for the purpose of advertising, and will be more lenient towards companies that have “existing relationships with customers.” “The bill does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing,” McCain said in the joint statement with Kerry. “It is this practice that American consumers reject as an unreasonable invasion of privacy.”
An additional factor that is likely to be the object of scrutiny as the bill advances through Congress is a requirement that collected data be adequately secured once it has been gathered. The FTC would be empowered to publish rules setting forth security requirements. This portion of the bill responds to growing consumer concern about the unauthorized personal information leaks in the news.
On Wednesday April 6, 2011, the Senate Judiciary Committee met to discuss overhauling the Electronic Communications Privacy Act of 1986 (“ECPA”). This law governs privacy related to data collection and electronic communications but lacks any provisions regarding newer technologies and practices such as mobile phones, mobile hotspots, social networking and cloud computing.
At least one party opposed to changing the law is the Department of Justice (“DOJ”). James A. Baker, associate deputy attorney general for the DOJ, told the committee that “the government’s ability to access, review, analyze, and act promptly upon the communications of criminals that we acquire lawfully, as well as data pertaining to such communications, is vital to our mission to protect the public from terrorists, spies, organized criminals, kidnappers, and other malicious actors.”
Mr. Baker tried to persuade the panel that greater government access to our private and corporate information actually provides for a more private environment. “By authorizing law enforcement officers to obtain evidence from communications providers, ECPA enables the government to investigate and prosecute hackers, identity thieves, and other online criminals. Pursuant to ECPA, the government obtains evidence critical to prosecuting these privacy-related crimes.”
What solution does the DOJ offer? For the moment, none. However, Cameron F. Kerry, general counsel for the U.S. Department of Commerce, told the committee that the Department of Commerce and the DOJ “have been working together to develop a specific set of legislative proposals.” No time frame for these proposals was stated.
The opening remarks of Senator Patrick Leahy, chairman of the committee, suggest that the committee might be deferential to the DOJ and DOC on these topics.
The money flowing into cloud computing seems to grow from year to year. This week alone several significant announcements portend substantial growth.
- Dell, Inc., well known manufacturer and reseller of MS-DOS based computers and laptops, announced that it plans to invest over $1 billion on cloud computing initiatives during the next fiscal year. The bulk of the investment will be centered on building data centers that will provide customers with computer infrastructure services (IAAS). Dell announced 12 new such data centers this coming year, with more to follow. The data centers will be built worldwide. Dell will brand some of their new data centers as vStart. vStart data centers are planned to offer customers simple virtualized system environments; according to Dell, up to 200 virtual machines for a single customer. These environments will be created in cooperation with VMWare.
- Microsoft Corporation and Toyota Media Service Co. are working together to tie your car to the Internet. The initial goal is to provide power-savings tools for hybrid cars, such as tracking the best time of day to charge the car, avoiding peak hours and higher electricity costs. The remote control system might also be extended to the home, allowing the user to turn on air conditioning automatically or control energy systems at home remotely. The system is expected to be controllable via smartphones. A presenter for Toyota predicted that consumers will soon learn to demand Internet connectivity for their cars.
- On April 6 IBM announced two new products: Smartcloud and Workload Deployer. Smartcloud is an IBM managed online cloud infrastructure for enterprises to host environments on the Internet. One option under Smartcloud is IBM SAP Managed Application Services, which will allow cloud based SAP solutions for customers. Workload Deployer is an appliance for developing private corporate clouds.
- Forbes interviewed David Eiswert, manager of T. Rowe Price’s Global Technology Fund, who was quoted as saying “Intel is virtually doubling their capital expenditure this year. And they’re not doing that because PCs are flying off the shelves.”
Below you will find a glossary of Internet and cloud related terms. This glossary is a work in progress and will be kept accessible in the menu on the upper bar of this blog. The glossary will be updated regularly to include new terms as they develop.
The process of providing on-line services, including software, storage and infrastructure services, so that the user is separated and insulated from the burden of procuring, managing and maintaining the underlying technical infrastructure. The National Institute of Standards and Technology definition may be found here.
A program that can copy itself in order to propagate in a computer or from computer to computer over a network. Viruses can be benign or malicious and can be used to propagate other forms of malware such as adware or spyware.
Enterprise Cloud – a private cloud operated by a company for its own internal use.
A set of model clauses published by the European Commission to assist in drafting agreements in compliance with Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
HAAS – Hardware as a service often used to mean IAAS.
Infrastructure as a service. The delivery of networked services, including storage, software and other services, as a fully functional infrastructure for the user.
Short for Internetwork. The name given to a network of networks all interconnected using the standard Internet Protocol Suite (TCP/IP). People often confuse the Internet with the World Wide Web. However, the World Wide Web and its hypertext-linked documents is only one of various technologies that operate on the Internet (others include Usenet, Archie, Gopher and FTP).
ISO 27001 is an internationally accepted Information Security Management System (ISMS) standard. The standard, which was published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), provides certifiable guidelines for assessing information system security.
Open Source Software
Open source software (as an alternative to commercial software) is software whose source code is published and made available to the public, enabling anyone to copy, modify and improve the software.
Open Virtualization Format
DSP0243 Open Virtualization Format (OVF) V1.1.0. Designated as ANSI INCITS 469 2010, this specification describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software to be run in virtual machines.
Platform as a service. An operating system platform and services that are provided over the Internet. Similar to IAAS, but includes the ability to host and develop applications on the platform.
Enterprise-specific cloud service accessible only by users with specific access permissions.
Public Cloud – a public access cloud service accessible by the public at large (e.g. Gmail).
Software as a service. Software provided over the Internet, where the software resides on the remote server.
Statement on Auditing Standards (SAS) No. 70. A widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
A non-standardized marketing term used by various vendors to suggest segregated services which provide a higher level of trust or security than other cloud services.
In negotiating a cloud based services contract a company is going to have to consider many unique and individualized needs. Many of these needs will depend on the corporation's industry and its likely use of the cloud service for the transfer or storage of privileged, regulated or restricted information. While no single list can possibly cover all points, the following should provide a good starting checklist for most companies.
1. Does the cloud provider own all storage and transfer sites for static and dynamic data which will be put on the service?
2. If not, who are the subcontractors?
3. Will the subcontractors be bound to the terms of your contract?
4. Will you have a direct right of action against the subcontractors?
5. If work is subsequently transferred to subcontractors, will you be notified in advance to allow you to re-evaluate the service? Will the identity of intended subcontractors be disclosed in advance?
6. Where are the storage servers located; where will your data reside?
7. If in a foreign state or country, are you comfortable with the foreign law? You may want to restrict the cloud provider to only using local sites or a specific site.
8. Do you need customization, and will the cloud service provide it? Remember that customization may keep you from benefiting from regular site upgrades.
9. Do you need uptime guarantees? Get a representation as to their prior year’s downtime record.
10. Lock down the provider’s maintenance schedule and its impact on the service.
11. Lock down security guaranties. Are they providing encryption? Who has access to the servers? What other legal security and segregation requirements apply (e.g., HIPAA, European Union, Gramm-Leach-Bliley, and state information privacy laws such as those in Massachusetts)?
12. If your company has environmental guidelines, does the provider comply? One online provider, for example, uses only wind power for their servers.
13. Will the provider agree to certain deletion standards if the contract is terminated?
14. Will the provider agree to procure SAS 70 Type II audits or are they ISO 27001 certified for security?
15. Will they notify you in the event of a breach of security? How, and how quickly? At what level of detail? This may be necessary for certain regulated information (e.g. HIPAA, HITECH).
16. Will they notify you in the event of insolvency? Will they give advance notice of termination?
17. Will they provide you with different format options to recover or transfer your data upon termination of the relationship?
18. What happens to your data in the event of a dispute with the provider? You don’t want to be held hostage.
19. Are damages caps acceptable for the type of data stored? Are intentional or grossly negligent acts exempted?
20. What privacy standards and laws apply?
21. What jurisdiction governs a dispute?