Similar literature
 Found 20 similar documents; search took 140 ms
1.
2.
This paper looks at EU banks' use of public cloud computing services. It is based primarily on anonymised interviews with banks, cloud providers, advisers, and financial services regulators. The findings are presented in three parts. Part 1 explored the extent to which banks operating in the EU, including global banks, use public cloud computing services. Part 2 of this paper covers the main legal and regulatory issues that may affect banks' use of cloud services. It sets out how EU banking regulators have approached banks' use of cloud services and considers regulators' lack of cloud computing knowledge. The paper further considers how the regulation of outsourcing applies to banks' use of cloud services, including whether cloud computing constitutes “outsourcing”. It analyses the contentious issue of contractual audit rights for regulators as well as legal and practical issues around risk assessments, security, business continuity, concentration risk, bank resolution, and banking secrecy laws. Part 3 looks at the key contractual issues that arise between banks and cloud service providers, including data protection requirements, termination, service changes, and liability. All three parts of the paper can be accessed via Computer Law and Security Review's page on ScienceDirect at: http://www.sciencedirect.com/science/journal/02673649?sdc=2. The full list of sources is available via the same link and will be printed alongside the third part of the article.

3.
This paper looks at EU banks' use of public cloud computing services. It is based primarily on anonymised interviews with banks, cloud providers, advisers, and financial services regulators. The findings are presented in three parts. Part 1 explores the extent to which banks operating in the EU, including global banks, use public cloud computing services. It describes how banks are using cloud computing and the key drivers for doing so (such as time to market), as well as real and perceived barriers (such as misconceptions about cloud and financial services regulation), including cultural and technical/commercial aspects. It summarises how banks have approached the cloud and how cloud providers have approached the banking sector. Part 2 of this paper will cover the main legal and regulatory issues that may affect banks' use of cloud services, including how the regulation of outsourcing applies to banks' use of cloud services. Part 3 will look at the key contractual issues that arise between banks and cloud service providers, including data protection requirements, termination, service changes, and liability. All three parts of the paper can be accessed via Computer Law and Security Review's page on ScienceDirect at: http://www.sciencedirect.com/science/journal/02673649?sdc=2. The full list of sources is available via the same link and will be printed alongside the third part of the paper.

4.
This paper looks at EU banks' use of public cloud computing services. It is based primarily on anonymised interviews with banks, cloud providers, advisers, and financial services regulators. The findings are presented in three parts. Part 1 of this paper explored the extent to which banks operating in the EU, including global banks, use public cloud computing services. Part 2 of this paper covered the main legal and regulatory issues that may affect banks' use of cloud services. Part 3 looks at the key contractual issues that arise in negotiations between banks and cloud service providers, including data protection requirements, complexities caused by the layering of cloud services, termination, service changes, and liability. It also presents the overall conclusion derived from the studies conducted, as set out in the three parts of the paper. All three parts of the paper can be accessed via Computer Law and Security Review's page on ScienceDirect at: http://www.sciencedirect.com/science/journal/02673649?sdc=2. The full list of sources is available via the same link and will be printed at the end of this part of the article.

5.
Cloud computing is a technology that facilitates improved productivity, improved efficiency and lower costs. This technology has the potential to improve the reliability and scalability of organizational systems and leads to an enhanced focus on core business and strategy. Despite the Australian Federal Government's ‘cloud-first’ strategy and policies and the Queensland State Government's ‘digital-first’ strategy, the adoption of cloud services at the local government level has been limited, largely due to a lack of specificity among government regulations and a lack of regulations that provide support to local governments. This empirical study deploys a mixed research method designed to develop a cloud regulations model to assist governments in adopting cloud computing services. By integrating Australian Cloud Policy Frameworks with the extant research on cloud computing, this study conducted 21 field interviews with Information Technology (IT) managers and surveyed 480 IT staff from Australia's 47 local governments. This research paper presents and validates a revised set of factors used to develop government regulations specific to cloud computing adoption. The factors that we found to be statistically significant were cost, quality of services, security, privacy, management, government-based facilitating conditions, and firm-based facilitating conditions regulations. Based on these findings, this research concludes that government regulation is a significant aspect in decision making for the adoption of any new technology such as cloud computing.

6.
Data is a modern form of wealth in the digital world, and massive amounts of data circulate in cloud environments. While this enormously facilitates the sharing of information, both for personal and professional purposes, it also introduces some critical problems concerning the ownership of the information. Data is an intangible good that is stored in large data warehouses, where the hardware architectures and software programs running the cloud services coexist with the data of many users. This context calls for a twofold protection: on one side, the cloud is made up of hardware and software that constitute the business assets of the service provider (property of the cloud); on the other side, there is a definite need to ensure that users retain control over their data (property in the cloud). The law grants protection to both sides under several perspectives, but the result is a complex mix of interwoven regimes, further complicated by the intrinsically international nature of cloud computing that clashes with the typical diversity of national laws. As the business model based on cloud computing grows, public bodies, and in particular the European Union, are striving to find solutions to properly regulate the future economy, either by introducing new laws, or by finding the best ways to apply existing principles.

7.
Cloud computing is becoming the standard operating process, communications system and underlying infrastructure of the Internet. This is of paradigm-shifting significance to the law. Multinationals, such as Google, Amazon, Apple, Facebook, and Microsoft, own and operate the cloud computing infrastructure of the Internet as well as influencing its culture. They have been called the Four Horsemen of Technology and consider Microsoft their inspiration. Business can now be transacted at the speed of thought. The digital nervous system that Bill Gates envisioned is blossoming as cloud computing. However, sovereign nations can no longer effectively regulate the telecommunications systems within their borders without the tacit compliance of these cloud operating multinationals. The aim of this paper is to determine whether or not cloud computing infrastructure can support privacy regulation yet remain practical.

8.
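Compared with other network service providers, cloud computing platforms are technically characterised by the blending of services. Cloud platforms must follow the ethical requirement of "avoiding user content" while in practice "blending service layers", which limits the application of the safe harbour rule to them in terms of subject eligibility and the feasibility of countermeasures. China should maintain the existing position of the safe harbour rule in platform intellectual property governance; in response, it is suggested that new types of network service providers, represented by cloud platforms, be expressly identified in legislation, strengthening the inclusiveness of the safe harbour rule. As to necessary measures, following the principle of proportionality, for ordinary infringements cloud platforms may adopt relatively moderate "staged measures" that combine "three strikes" with contractual liability; only for serious conduct such as repeat or malicious infringement may sanctions that cut off the service at its root be adopted.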

9.
The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.

10.
Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.

11.
Enterprise (large organisation) computing workloads are moving from ‘on-prem’ to ‘in-cloud’ increasingly quickly, and the cloud is forecast to account for almost half of enterprise IT by 2026, up from 10% today. But the benefits of the enterprise cloud need to be weighed against increasingly burdensome duties around cloud and data security. This comment piece provides a checklist of the sources of enterprise cloud security duties and a checklist of best practices to manage them.

12.
With professional and home Internet users becoming increasingly concerned with data protection and privacy, the privacy afforded by popular cloud file synchronisation services, such as Dropbox, OneDrive and Google Drive, is coming under scrutiny in the press. A number of these services have recently been reported as sharing information with governmental security agencies without warrants. BitTorrent Sync is seen as an alternative by many and has gathered over two million users by December 2013 (doubling since the previous month). The service is completely decentralised, offers much of the same synchronisation functionality of cloud powered services and utilises encryption for data transmission (and optionally for remote storage). The importance of understanding BitTorrent Sync and its resulting digital investigative implications for law enforcement and forensic investigators will be paramount to future investigations. This paper outlines the client application, its detected network traffic and identifies artefacts that may be of value as evidence for future digital investigations.

13.
This paper analyses the assumptions underpinning a range of emerging EU and UK smart home cybersecurity standards. We use internet of things (IoT) case studies (such as the Mirai Botnet affair) and the criminological concept of ‘routine activity theory’ to situate our critique. Our study shows that current cybersecurity standards mainly assume smart home environments are (and will continue to be) underpinned by cloud architectures. This is a shortcoming in the longevity of standards. This paper argues that edge computing approaches, such as personal information management systems, are emerging for the IoT and challenge the cloud focused assumptions of these standards. In edge computing, data can be stored in a decentralised manner, locally and analysed on the client using federated learning. This can have advantages for security, privacy and legal compliance, over centralised cloud-based approaches, particularly around cross border data flows and edge based security analytics. As a consequence, standards should start to reflect the increased interest in this trend to make them more aspirational and responsive for the long term; as ultimately, current IoT architectures are a choice, as opposed to inherent. Our paper unpacks the importance of the adoption of edge computing models which could enable better management of external cyber-criminality threats in smart homes. We also briefly discuss challenges of building smart homes that can accommodate the complex nature of everyday life in the home. In addition to technical aspects, the social and interactional complexities of the home mean internal threats can also emerge. As these human factors remain unresolved in current approaches to smart home cybersecurity, a user's security can be impacted by such technical design choices.

14.
The advent of cloud computing has led to a dispersal of user data across international borders. More than ever before, law enforcement investigations into cybercrime and online criminal activity require cooperation between agencies from multiple countries. This paper examines recent changes to the law in Australia in relation to the power of law enforcement agencies to effectively investigate cybercrime insofar as individuals and organisations make use of cloud infrastructure in connection with criminal activity. It concludes that effective law enforcement operations in this area require harmonious laws across jurisdictions and streamlined procedures for granting assistance between law enforcement agencies. In conjunction with these mechanical developments, this paper posits that law enforcement officers require a systematised understanding of cloud infrastructure and its operation in order to effectively make use of their powers.

15.
The advent of cloud computing has brought the computing power of corporate data processing and storage centers to lightweight devices. Software-as-a-service cloud subscribers enjoy the convenience of personal devices along with the power and capability of a service. Using logical as opposed to physical partitions across cloud servers, providers supply flexible and scalable resources. Furthermore, the possibility for multitenant accounts promises considerable freedom when establishing access controls for cloud content. For forensic analysts conducting data acquisition, cloud resources present unique challenges. Inherent properties such as dynamic content, multiple sources, and nonlocal content make it difficult for a standard to be developed for evidence gathering in satisfaction of United States federal evidentiary standards in criminal litigation. Development of such standards, while essential for reliable production of evidence at trial, may not be entirely possible given the guarantees to privacy granted by the Fourth Amendment and the Electronic Communications Privacy Act. Privacy of information on a cloud is complicated because the data is stored on resources owned by a third-party provider, accessible by users of an account group, and monitored according to a service level agreement. This research constructs a balancing test for competing considerations of a forensic investigator acquiring information from a cloud.

16.
The revised Payment Services Directive (‘PSD2’) has been adopted to stimulate the development of an integrated internal market for payment services. In particular, it facilitates payment initiation services and account information services by granting the providers of these services access to the accounts of the payment service users. At the same time, the recitals state that the PSD2 guarantees a high level of consumer protection, security of payment transactions and protection against fraud. This paper answers the following question: To what extent does the access to accounts of the payment initiation service providers and account information service providers balance the development of the market for payment services with the security of the payment account and the privacy of the user? An analysis of the PSD2 shows that the development of the market for payment services has a higher priority. Security and privacy are ultimately subordinate. First, the PSD2 does not adequately protect the personal data of the users. The definition of ‘account information service’ is broad and covers a wide range of services. This allows the payment service providers to circumvent the limitations of the access to accounts. Next, the payment service providers have a ‘fall back option’ that allows ‘screen scraping’ if the dedicated interface is not functioning properly. Although this access is constrained by several safeguards, the fall back option gives the payment services provider unlimited access to the account of the user. Finally, the payment service providers have considerable freedom to arrange their authentication process as they see fit. The banks seem to be required to trust this process. The PSD2 and regulatory technical standards do not demand that a bank is able to verify the authentication or the integrity of the payment order.

17.
We expose and explore technical and trust issues that arise in acquiring forensic evidence from infrastructure-as-a-service cloud computing and analyze some strategies for addressing these challenges. First, we create a model to show the layers of trust required in the cloud. Second, we present the overarching context for a cloud forensic exam and analyze choices available to an examiner. Third, we provide for the first time an evaluation of popular forensic acquisition tools including Guidance EnCase and AccessData Forensic Toolkit, and show that they can successfully return volatile and non-volatile data from the cloud. We explain, however, that with those techniques judge and jury must accept a great deal of trust in the authenticity and integrity of the data from many layers of the cloud model. In addition, we explore four other solutions for acquisition (Trusted Platform Modules, the management plane, forensics-as-a-service, and legal solutions), which assume less trust but require more cooperation from the cloud service provider. Our work lays a foundation for future development of new acquisition methods for the cloud that will be trustworthy and forensically sound. Our work also helps forensic examiners, law enforcement, and the court evaluate confidence in evidence from the cloud.

18.
Cloud computing systems provide a new paradigm to the distributed processing of digital data. Digital forensic investigations involving such systems are likely to involve more complex digital evidence acquisition and analysis. Some public cloud computing systems may involve the storage and processing of digital data in different jurisdictions, and some organisations may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction with cloud architectures may make forensic investigation of such systems more complex and time consuming. There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems. In this paper we examine the legal aspects of digital forensic investigations of cloud computing systems.

19.
We describe the design, implementation, and evaluation of FROST: three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.

20.
The “cloud” is not new, and its roots go back to the original plans for computing from the 1950s. Now that computing is moving back to the original cloud-based models that were envisioned more than 60 years ago, with it, consumers are realizing the increases in security and safety that accompany the move to centralized servers. Yet the perception of “trust” in this context is often still formed by views that people have from their use of computers over the past two decades, which is localized in nature (“if I can see it, I can control it”). This view is based on perception more than fact. Our paper discusses different views of trust in other contexts (such as banking and travel) and concludes that users of cloud computing should recast their view of trust in a similar way that consumers of banking and travel have changed their perceptions of trust in the last 100 years.
