Posted on 08/11/2009 1:16:58 PM PDT by nickcarraway
Firms embracing Software as a Service (SaaS) are not protected from government and civil search and seizure actions and may not be informed if their SaaS data is seized from their provider, according to a researcher studying the issue.
"In cloud computing, you will not have the ability to fight seizure before it happens," said Alex Stamos, co-founder and partner of security consultancy iSEC Partners Inc. "You may not even know. There are no legal requirements for [SaaS providers] to notify you, and in fact, they may be gagged from doing so."
Stamos is referring to the SaaS model, in which the entire IT stack, from the servers to the front-end JavaScript software, is hosted outside the company walls. Since the SaaS data is off premise, it could be considered unprotected by the Fourth Amendment, which guards against unreasonable searches and seizures. As a result, law enforcement might only need a subpoena to seize a company's or individual's data residing on a SaaS vendor's servers, Stamos said. A subpoena, which commands a person to appear before a court or produce documents, faces fewer legal hurdles to issue; a search warrant, by contrast, requires probable cause to be approved.
Stamos highlighted the issue during a presentation on cloud computing models and vulnerabilities given Thursday at the 2009 Black Hat conference in Las Vegas. He was joined by fellow researchers Andrew Becherer and Nathan Wilcox, who examined a variety of security issues presented by platform and infrastructure service providers.
The Electronic Frontier Foundation, a non-profit free speech and digital rights organization, has weighed in on the issue, warning that "storing data yourself, on your own computers -- without relying on the cloud -- is the most legally secure way to handle your private information, generally requiring a warrant and prior notice."
Stamos said he contacted Google Inc. and was told that Google policy is to inform a customer of any legal orders it receives. Stamos, however, points out that there is no such statement written into end-user license agreements (EULAs) for Google Docs and other cloud-based services it offers. Its privacy policy states that the company will share data with the government to satisfy "any applicable law, regulation, legal process or enforceable government request."
"By letter of the law, physical ownership of machines is very important, no matter what different lawyers say," Stamos said.
In addition, most EULAs for SaaS and other cloud-based service providers fail to promise anything to the customer. Stamos urges people who are negotiating with a SaaS vendor to try to get a written promise from the service provider to help in the event of a data breach, data loss or other disaster where information needs to be recovered.
Even if the SaaS provider could offer assistance, Stamos found that many lacked the audit and log data necessary to aid in an investigation. Although some providers, like Salesforce.com, log login and administrative events, Google Apps and Microsoft Office Live do not. None of the three offerings records document-read events, so there is no way to establish who viewed a given document.
Also, not all service providers allow external penetration testing. Amazon Web Services, however, does allow the practice, and Salesforce.com and Google similarly allow application-level pen testing of hosted applications.
Companies can take over some controls from the SaaS provider. Although the approach obviously defeats the purpose of SaaS, Stamos said, it does provide more security controls. Enabling Security Assertion Markup Language (SAML), for example, could give IT the ability to closely control and monitor authentication. SAML also gives a company the option to place the SaaS portal behind a VPN.
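The SAML control described above works because the service provider (the SaaS portal) only accepts an assertion issued by the company's own identity provider, and the company decides what gets logged for every sign-in. The following is an added example, not code from the article, from iSEC Partners or from any SaaS vendor: the checks a relying party applies to a SAML 2.0 assertion (issuer, audience, validity window, one-time use of the assertion ID) together with the audit record IT would keep for each attempt. It assumes the XML signature over the assertion has already been verified against the IdP certificate by a library such as python-xmlsec; signature verification is not implemented here. The sample assertion, issuer URL, audience URL and subject are constructed placeholders.

```python
# Added example: service-provider-side SAML 2.0 assertion checks plus an
# audit trail for every authentication attempt. Not from the article or any
# vendor. Assumes signature verification has already been done by a library
# such as python-xmlsec (assumption; not implemented here).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, audience and subject are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-001" Version="2.0" IssueInstant="2009-08-06T17:00:00Z">
  <saml:Issuer>https://idp.example.corp/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.corp</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-08-06T16:59:00Z" NotOnOrAfter="2009-08-06T17:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saas.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2009-08-06T17:00:00Z"/>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample assertion."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now, seen_ids, audit_log):
    """Return (accepted, reasons). Every call appends exactly one audit record."""
    root = ET.fromstring(xml_text)
    reasons = []

    # Only assertions from the company's own IdP are acceptable.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        reasons.append("unexpected-issuer")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing-conditions")
    else:
        # The assertion must be addressed to this service provider.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            reasons.append("audience-mismatch")
        # Enforce the validity window the IdP put on the assertion.
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < parse_utc(not_before):
            reasons.append("not-yet-valid")
        if not_on_or_after and now >= parse_utc(not_on_or_after):
            reasons.append("expired")

    # Each assertion ID may be consumed once; a second presentation is a replay.
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        reasons.append("replayed-assertion-id")
    seen_ids.add(assertion_id)

    # The audit record is what the company keeps regardless of the SaaS vendor's logs.
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    audit_log.append({
        "time": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "subject": subject,
        "issuer": issuer,
        "assertion_id": assertion_id,
        "result": "accept" if not reasons else "reject",
        "reasons": list(reasons),
    })
    return (not reasons), reasons


def demo():
    """Run the sample assertion through the accept, replay, expiry and wrong-SP cases."""
    seen, log = set(), []
    idp, sp = "https://idp.example.corp/saml", "https://saas.example.com/sp"
    t0 = parse_utc("2009-08-06T17:01:00Z")
    first = validate_assertion(SAMPLE_ASSERTION, idp, sp, t0, seen, log)
    replay = validate_assertion(SAMPLE_ASSERTION, idp, sp, t0, seen, log)
    late = validate_assertion(SAMPLE_ASSERTION, idp, sp, parse_utc("2009-08-06T17:10:00Z"), set(), [])
    wrong_sp = validate_assertion(SAMPLE_ASSERTION, idp, "https://other.example.com/sp", t0, set(), [])
    return first, replay, late, wrong_sp, log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The audit list is the point of the exercise: because the company's IdP sits in front of the SaaS portal, every sign-in (accepted or rejected, with the reason) lands in a log the company controls, which is exactly the login-event data the article notes some vendors do not provide. Placing the IdP behind a VPN, as the article suggests, narrows who can reach it in the first place.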
Ultimately, enterprises need to set strong security policies with regard to SaaS and educate users on basic security procedures.
"It's difficult to teach all non-technical people, but user education is key," Stamos said. "Phishing attacks are not just a personnel issue, but an enterprise issue, too."
Ping
Good Hunting... from Varmint Al
This not only applies to SAAS, but also telecoms, and anyone that handles your data in any way. It has been upheld in the court of law that once a 3rd party has your data, they have no obligation (except perhaps contractual) to not disclose that data to government agencies, etc. They can do so on their own free will as the data is considered ‘disclosed/public’, and is not covered under the 4th or 5th amendment.
Working for a health care organization that is considering this, I am scared to death. Our EMR (Electronic Medical Record) initiative is hosted in Kansas City while we’re in the Tampa Bay area. If they can seize personal stuff from a cloud, what’s to stop them from going into medical records?
Storage is so cheap these days, it’s a wonder to me why large organizations don’t setup their own SANs.