RSA 2013: CSA provides legal resources for cloud computing; issues list of top threats

It’s a busy week for the people at the CSA, as they have taken the wraps off a host of initiatives, including the formation of a new Legal Information Center, which it describes as “an expert-led community resource for global legal issues impacting cloud computing”.

“We are not lawyers”, admitted John Howie, COO of the CSA. “But we do recognize there is a need for people to go somewhere without going into too many specifics”.

The resource is open to all, and aims to provide guidance for both cloud providers and cloud customers, including questions about how government access to data varies across countries, privacy laws, and trans-national exporting of data. It’s not a resource for definitive legal advice, Howie added, but a resource for information on higher-level issues surrounding privacy and data protection.

In a related vein, the CSA has also released guidelines from its Privacy Level Agreement working group, intended for cloud providers (CSPs) that deliver services in the EU. The guideline offers a structured approach for CSPs to consistently disclose information “about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers”, according to a CSA statement.

This information will become ever-more critical as the EU considers revisions to its Data Protection Directive in the coming year, the CSA acknowledged.

“There has been some particular sensitivity to use of US-based clouds in Europe for a long time…there is a large amount of confusion and misunderstanding about how the Data Protection Directive applies to cloud computing”, Howie told Infosecurity. “It is perfectly legal for EU organizations to group data in clouds run by US companies, as long as you know what they are doing, and as long as they are doing it right. The PLA seeks to inform people and raise a level of knowledge, and provide a structured means to provide that information to customers”.

Top Cloud Threats for 2013 – The “Notorious Nine”

In a revision of a similar report from 2010, the CSA surveyed experts in the field to develop a revised list of the top nine cloud computing threats. This year’s list includes:

  1. Data Breaches
  2. Data Loss
  3. Account Hijacking
  4. Insecure APIs
  5. Denial of Service
  6. Malicious Insiders
  7. Abuse and Nefarious Use
  8. Insufficient Due Diligence
  9. Shared Technology Issues

When compared to the 2010 list, Howie says the lone newcomer is “denial of service”, which clocks in at fifth place on the list. The list was compiled using an academic research approach, he added, collecting feedback from across numerous industries and respondents worldwide, “to ensure a truly representative list of results”.
