CSA CCSK – Legal and Compliance

  1. Information Management Legal Responsibilities

Hello friends. So welcome to this lecture on information management legal responsibilities. We need to understand the legal responsibilities from three perspectives: the provider, the customer and the end user. There are various things we will be covering in these legal and compliance lectures. One thing you need to keep in mind is that all the material in these lectures is presented on a best practice basis for legal and compliance.

So do not consider this as a replacement for competent legal advice, or for lawyers who have good knowledge of the key jurisdictional issues, like in which court a case will be handled and which laws apply to your organization. It is always better to consult your legal adviser on such issues. These lectures discuss everything on a best practice basis, as laid out by the Cloud Security Alliance and on the basis of experience.

So, in the case of information management legal responsibilities, we need to cover three points. The first is the cloud service provider. We need to understand that the CSP is liable for its subcontractors. For example, a provider like AWS relies on carriers and other CSPs for its backbone, for the links over which its data flows, and it is the CSP's responsibility to check those contractors and suppliers. The CSP is also responsible for adhering to the legislation in force at its own location, that is, wherever the CSP has its data centers. So in case of a legal hold or a jurisdictional issue, the CSP needs to take care of the legislation in the places where it has its data centers.

From the customer's end, the customer is a kind of custodian for the end user's information. See, there is a difference here. One is the cloud provider, who provides the service to the customer. Then there is the cloud customer, who has taken the service. Then there are the end users, who use the applications the customer hosts on the cloud. So from the customer's perspective, the customer is the custodian of end user information, and it is the customer's responsibility to protect that information according to the jurisdiction in which they operate.

Let's say a customer operates in India or in the EU. Then it is the customer's responsibility to know the jurisdiction according to which they must operate and which laws apply, so that they can store the information accordingly: what encryption standards are required, how key management should be done, and so on. The customer should have done this research proactively.

From the end user's perspective, the end user is the information owner. They know the real classification of the information and what kind of protection it needs, and it is the end user who is responsible for monitoring for misuse, that the information is not misused and nobody has tampered with the data. So when a case or a law enforcement request comes up, at each level in the cloud the roles and responsibilities are clear, and there is no confusion going forward. In the next lecture we will also discuss the key concepts in the case of legal issues. So this is it, friends, for this lecture. Thank you for watching this lecture. Meet you in the next lecture.

  2. Legal Issues in Cloud and Their Types

Hello friends. So welcome to this lecture on legal issues in cloud and their types. As we already discussed, legal issues are complex to begin with, but when we move to the cloud, someone else is holding the data, and the data is hosted in different geographical locations and different countries. As the countries change, the regulations change. So legal issues tend to be more complex with a cloud deployment, due to complex business relationships and jurisdictional issues. The key concepts we need to understand from this perspective fall into three main categories: functional issues, jurisdictional issues and contractual issues.

When we say functional issues, we mean what is involved: which functions are involved and which laws apply. We need to break things down. Functional issues refer to the specific services you offer or use that have legal implications. A good example is human resources: there are many employee-related requirements that could be affected if you move HR functions to a cloud provider. So we break the functions down into specific issues. Then there are jurisdictional issues: which jurisdictions are involved and which will take precedence.

This matters for the contracts, which we need to maintain, and from a regulation perspective it determines which court will take precedence and where the case will be handled. Then there are contractual considerations: what is mentioned in the contract, because that is the legal document which will represent you in court if such an incident or a breach happens. If you need to sue your CSP for a breach or some such infringement, it is the contract you will rely on. So contractual issues also need to be discussed. These are the three main categories of legal issues, and they are what help you represent your case in court. Let's break them down, as we already discussed.

Function: break the functions and services down to those that have legal implications, like the HR example we discussed. Then jurisdiction. Jurisdictional issues include where things are physically located, including you, your provider and any subcontractors, what jurisdictions are specified in the contracts, and where your customers are located, which may also be an issue. Data privacy laws may also define where you can physically locate functions.

All these things we need to think through from a jurisdiction perspective. Finally there is contract law, which is again a very important one. The cloud implication is that whether you are big or small, you may have very little flexibility in negotiating the terms with the provider. From the provider's side, the more it negotiates individual terms, the less operational efficiency it has. The contract needs very high attention, because if something is not mentioned in the contract, as I discussed, it falls on the customer: financial penalties, roles and responsibilities, how BCP and DR will be handled, all at a high level.

All the roles and responsibilities divided between the customer and the CSP need to be mentioned in the contract, because it is the contract that will help you fight the case with your CSP if something happens, right? So this is your legal document. The contract is the legal document. If the CSP is small, they may agree to your terms just to win the contract, but in that case they may over-promise and you may not actually get what was promised. If the CSP is big enough, there may not be such flexibility. So these things need to be clearly negotiated and written into the contract. These are the types of legal issues we need to discuss and pay attention to. So this is it, friends, for this lecture. Thank you for watching this lecture. Meet you in the next lecture.

  3. Legal Particulars – E-discovery in Cloud

Hello friends. So welcome to this lecture on legal particulars, or e-discovery. In the cloud, as we already discussed, there are a number of challenges due to the nature of the roles, responsibilities and dependencies between the customer and the provider. Similarly, from the legal perspective, we need to think about what happens when there is e-discovery in such an environment and what needs to be done. So let's first study what e-discovery is, and then what the different challenges are and what needs to be done. E-discovery comes from the Federal Rules of Civil Procedure, which set requirements around electronically stored information held on different systems.

E-discovery is any process in which electronic data is collected, secured, processed and searched with the intent of presenting that information, data or metadata as evidence in a civil proceeding or a criminal case. This process applies to ESI, electronically stored information: your emails, computer files, databases, anywhere information is stored. That information needs to be located and searched, because the court needs all such information related to the particular matter. E-discovery is a challenge in the cloud because the need to collect, store and manage the large quantities of data required for a court is really difficult there: in the cloud we have a multi-tenant environment.

In the cloud we have different service models, and cloud data is dispersed across regions, availability zones and different locations. That is why it is difficult to gather the data, because in such cases we need the complete data as well as the metadata of the data. To collect metadata there may be a dependency on the CSP: you need to contact the CSP and the CSP provides the metadata. Apart from that, the cloud customer also lacks visibility into the devices end users are working on and the applications they use. Some 40% of enterprise data is created and stored outside the enterprise network, on mobile devices and cloud applications, and because of this the data is very difficult and tricky to capture in full, both for a person and for the tool used for e-discovery.

So these are a couple of the challenges in e-discovery, and there is a lot of help from, as well as dependency on, the CSP, which also needs to be taken care of. Apart from that, we have the different service models: infrastructure as a service, platform as a service and software as a service. In IaaS you may have more permissions, where you have access to the virtual machine and can perform some operations yourself, though not all. In PaaS you get only the platform to deploy your software, so you have less control. In SaaS you are totally dependent on your cloud service provider to give you such data. These are a couple of the challenges in e-discovery, and this is not the final list. You may go ahead and discuss with your teams, with the CSP and with people who are already in the cloud what challenges they faced when such an issue happened. So these are the different challenges from the e-discovery perspective.

So when there is a court proceeding, what can a customer do proactively? As a user organization or customer, discuss with whatever representative the CSP has assigned to you, with whom you have meetings, and make sure the provider has planned the capability to respond to such requests for legal holds and documents. Make sure they have the capability to put such documents on legal hold so that there are no changes, because when such cases happen there is a requirement that nobody touches those files; those documents should be completely frozen. Check with your CSP what feasibility and options it provides, how often you can contact them and what the response time is in such cases.

The customer also needs to ensure that, due to the multi-tenant nature of the environment, the data required is not compromised by discovery against other customers. Let's say on the same hypervisor there are two virtual machines, and the second one is used by some other organization. If there is a civil proceeding against that organization and that system needs to be seized, make sure that your systems are not affected by it.

All these things need to be taken care of. The cloud customer should also make sure that all such things are clearly defined in the contract, as discussed earlier. The contract is the major part, and each and every point we have discussed, in this lecture and the previous one, comes back to the contract, because you can only sue your CSP with the help of the contract. So negotiate well with your CSP about what needs to be mentioned, and make sure everything is mentioned in the contract. So this is it, friends, for this lecture. Hope you have liked it. Thank you for watching this lecture. Meet you in the next lecture.

  4. Jurisdictional and Location Issues

Hello friends. So welcome to this lecture on jurisdictional and location issues. One thing we need to understand, comparing the traditional environment with the cloud as we discussed in the previous lecture, is that because of the shared responsibilities and the number of jurisdictions involved, things become more complex. One potential legal concern for some organizations is that when things are in the cloud, they can't point to a particular server or drive and say the data lives here. We know there are different availability zones and different data centers across countries where data is distributed, and often you can't even say which physical building or server it is in, because this is the way the cloud is deployed. In certain cases this can mean that your data is suddenly living in a different jurisdiction.

Largely, though, this isn't really all that different from any other outsourcing agreement. So discussing it with your legal or audit department and highlighting the differences between cloud and other sourcing agreements, how each works, really speeds up the conversation. One thing I generally say when talking with legal or audit teams is: this is again like any other third party where you will be hosting your data.

Think of cloud as offering the same thing, along with the different capabilities and the concerns which cloud has. Some of the considerations to understand from a legal perspective when comparing cloud with traditional outsourcing are: where the data resides at the time of service, once you have procured the service; the lack of control over data due to the number of locations involved; and the anonymity or variability of the provider.

All these things we need to take care of when we consider the different jurisdiction and location issues, because ultimately cloud does provide a number of benefits, but at the same time there are different legalities involved due to the number of jurisdictions and locations.

And that is the way the cloud is deployed: if you want high availability and so on, the way cloud is deployed really helps. But from a legal perspective we also need to take care of certain things and ask certain questions proactively when we compare it with the traditional environment. So this is it, friends, for jurisdictional and location issues. Thank you for watching this lecture. Meet you in the next lecture. Thank you.

  5. What Regulations to be Followed in Cloud

Hello friends. So welcome to this lecture on what regulations are to be followed in the cloud. This is again a very important lecture. We need to understand, from the compliance perspective, what the different regulatory requirements are and how we can check that they are met, so that there are no penalties in future. So let's see what is there and what we need to take care of. The first thing, from the regulation perspective, is to determine the compliance scope and the regulatory guidance on the cloud. We need to understand what is in scope and which regulations we need to adhere to, so that the data in the cloud is stored as per the regulatory requirements. Different regulations may apply depending on the kind of data one is managing.

Depending on the data you are managing there may be different contracts, and there are different jurisdictions involved. So several things are involved: the data you are managing, the location, the jurisdiction and the contracts. And as we already discussed in earlier lectures, in many cases, in order to migrate data to a cloud provider, we need to take extra care that whatever regulations and standards we need to follow, such as PCI DSS, HIPAA or ISO 27001, are followed. The cloud provider must demonstrate that it is adhering to all these requirements and that it is performing audits at a regular frequency for them, and we should be able to see such reports on its portal. All of this needs to be agreed with the CSP beforehand.

We also need to make sure that our policies, standards and procedures are updated with any changes due to the change in responsibility, because the customer and the CSP have different responsibilities in each service model. We also need to take care of offshore considerations, for regulators in both countries. These days, in most cases, cloud providers are quite good at providing such regulatory reports.

But whatever regulatory reports the cloud service providers are providing, you need to understand, as we discussed in the shared responsibility model, that they cover only the base layer for which the cloud service provider is responsible. So for whatever VMs you provision and applications you install, you need to make sure that the controls required by the regulation are implemented for the infrastructure for which you are responsible. For example, let's say your cloud service provider says it is PCI compliant. That doesn't mean you can install a payment application on it, start processing customer card data and consider yourself compliant.

No, it doesn't work like that. The example I usually give is that the society gate is secure, but the gate of your own house or villa is open. All the applications you install for processing customer card data need to be PCI compliant themselves: they should have antivirus, firewalls and each and every required control. So take extra care to understand what responsibilities the customer has from a regulation perspective, and document that.

What you need to be doing and what the CSP will be doing, all these roles and responsibilities on the CSP side and on the consumer side, along with response times and the SLA, need to be mentioned in the contract. And this needs to be reviewed annually and discussed with the service provider when there are changes.

That is why regulations are very important to understand, and we need to understand them from the cloud perspective, where there are already challenges, and how we can solve the challenges related to the different regulations. It is the customer's duty to understand which regulations they have to follow, so that tomorrow, if there is any issue, they do not blame the service provider. So this is it, friends, for this lecture. Thank you for watching this lecture. Meet you in the next lecture. Thank you.

  6. Compliance in Cloud

Hello friends. So welcome to this lecture on compliance in cloud. This is also a very important lecture, because maintaining compliance in the cloud is not straightforward; you cannot just go ahead and say that your cloud is compliant. There are different jurisdictions involved, contracts and industry-specific regulations. All these things need to be taken care of. So let's see the different points we need to understand from a compliance perspective.

Compliance in the cloud, like we said, is not only about the laws; it is tightly integrated with the contracts. Think of the complexity and importance of the contract. We have discussed the number of issues you need to mention in it, because everything from internal controls to compliance and regulations depends on the contract and is tied to how you negotiate it with your service provider.

The other thing is that, in the case of compliance, obligations arise from multiple sources. There is legislation; we have already discussed the different types of legal issues, functional, jurisdictional and contractual. Then there are broad-based regulations, industry-specific regulations and contracts. When we say industry-specific regulations, take PCI DSS as an example: it is not a regulation, it is an industry standard for the payment card industry, enforced through a chain of contracts between the card issuing banks, the acquiring banks, the processors and the merchants.

Different entities are involved. So it is not a regulation; a specific industry has enforced it, and obligations arise from that. As in the example I gave, if your cloud provider is PCI DSS certified, it doesn't mean that you are also PCI DSS certified, because you have different responsibilities which you need to fulfil. You need to follow the PCI DSS controls for your application and for the infrastructure for which you are responsible. The CSP has done its part, but in order for you to be compliant, it is the customer who has to follow the same controls. For example, PCI DSS requires that every system has updated antivirus. If your CSP says this control is applicable and it is compliant, it means that the base infrastructure and hypervisors have it installed.

All the base machines, for which, in the case of IaaS, the CSP is responsible: the CSP has done its due diligence and installed updated antivirus on them. Now, when you spin up a virtual machine on that and install your application, you need to make sure that encryption for the application is there, antivirus is installed and vulnerability scanning is happening. That is why we say that obligations arise from different sources, including industry specifics. The other point is the limitations imposed from multiple sources.

By that we mean legislation and conflicts between different jurisdictions, because it is difficult to understand which law will be applicable: the law of which land. Let's say the customer is in India and the provider is in the US or in Europe. Then which law, and which jurisdiction, will handle the case? All these things affect your compliance and how you maintain it.

Cost of reporting. Let's say an incident has happened and you are trying to stay compliant with a certain regulation, but the cost of reporting is higher because you are using the cloud: if the proceedings happen in US or European courts, how much expense will that involve? For larger companies it may not matter, but smaller companies need to take care of all these things when they are moving into the cloud or considering it. So this is it, friends, for this lecture. Thank you for watching this lecture. Meet you in the next lecture. Thank you.
