546 research outputs found

    Cloud outsourcing: Theoretical & practical evidence of cloud governance strategies by financial institutions in Europe, the United States and Canada

    This study examined the risk and governance challenges experienced by financial institutions that outsource cloud technologies. Cloud outsourcing prompts a new way of working and fosters an environment in which technology and data are shared across groups and are housed in regional hubs, according to global standards that are influenced by various countries’ policies. Therefore, to effectively manage the cloud, institutions need a thorough understanding of the applicable laws governing the cloud relationship and those that influence the internal control environment. The study explains that, conceptually, the framework nature of cloud contracts and flexibility of the regulation makes it especially difficult for institutions to efficiently manage risks. A real case study on a cloud outsourcing transaction and survey data from financial institution experts were used to study expert perceptions on the severity of various types of cloud risks and the effectiveness of institutional risk management approaches. These findings were also confirmed in a comparative institutional study, where similarities were found in the risk and governance concerns of experts working at 13 different institutions in the United States, Europe, and Canada. Through this investigation, it was found that efficient governance can be more difficult for institutions that comply with US regulations owing to considerable differences in state policies on data privacy. Finally, this study examined how uncertainties in the evaluation of data breaches and network failures become visible in other internal practices, such as cloud risk assessments. A series of cloud risk experiments was created and distributed to 131 cloud risk experts working at financial institutions in the EU and the US to compare whether their risk assessments would differ significantly. 
The results show that the lack of specification in the regulations and experience of cloud experts can contribute to considerable differences in their risk and disclosure choices. In practice, most experts face significant challenges in assessing the severity of cloud risk events, which have broader implications for enterprise risk management. The results suggest that internal governance continues to be a challenge for firms as they outsource cloud technologies. The knowledge derived from this Ph.D. is useful, as it shows that institutions can benefit if they prioritize the evaluation of liability provisions in their cloud contracts, especially in cases where cloud risk events are a consequence of third-party risks. The findings also establish that internal governance is necessary to reduce the spillover effects of cloud contracts and that institutions can devise sufficient governance structures by implementing data policies and mechanisms that promote cooperation and coordination to oversee data management responsibilities.

    Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

    Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity

    ERP implementation methodologies and frameworks: a literature review

    Enterprise Resource Planning (ERP) implementation is a complex and vibrant process, one that involves a combination of technological and organizational interactions. Often an ERP implementation project is the single largest IT project that an organization has ever launched and requires a mutual fit of system and organization. Also, the concept of an ERP implementation supporting business processes across many different departments is not a generic, rigid and uniform concept and depends on a variety of factors. As a result, the issues addressing the ERP implementation process have been one of the major concerns in industry. Therefore, ERP implementation receives attention from practitioners and scholars, and both business and academic literature is abundant and not always very conclusive or coherent. However, research on ERP systems so far has been mainly focused on diffusion, use and impact issues. Less attention has been given to the methods used during the configuration and the implementation of ERP systems; even though they are commonly used in practice, they still remain largely unexplored and undocumented in Information Systems research. So, the academic relevance of this research is the contribution to the existing body of scientific knowledge. An annotated brief literature review is done in order to evaluate the current state of the existing academic literature. The purpose is to present a systematic overview of relevant ERP implementation methodologies and frameworks as a desire for achieving a better taxonomy of ERP implementation methodologies. This paper is useful to researchers who are interested in ERP implementation methodologies and frameworks. Results will serve as an input for a classification of the existing ERP implementation methodologies and frameworks.
This paper is also aimed at the professional ERP community involved in the process of ERP implementation, promoting a better understanding of ERP implementation methodologies and frameworks, their variety and history

    The Electronic Silk Road: How the Web Binds the World in Commerce

    On the ancient Silk Road, treasure-laden caravans made their arduous way through deserts and mountain passes, establishing trade between Asia and the civilizations of Europe and the Mediterranean. Today’s electronic Silk Roads ferry information across continents, enabling individuals and corporations anywhere to provide or receive services without obtaining a visa. But the legal infrastructure for such trade is yet rudimentary and uncertain. If an event in cyberspace occurs at once everywhere and nowhere, what law applies? How can consumers be protected when engaging with companies across the world? In this accessible book, cyber-law expert Anupam Chander provides the first thorough discussion of the law that relates to global Internet commerce. Addressing up-to-the-minute examples, such as Google’s struggles with China, the Pirate Bay’s skirmishes with Hollywood, and the outsourcing of services to India, the author insightfully analyzes the difficulties of regulating Internet trade. Chander then lays out a framework for future policies, showing how countries can dismantle barriers while still protecting consumer interests

    Trust and transparency in an age of surveillance

    Investigating the theoretical and empirical relationships between transparency and trust in the context of surveillance, this volume argues that neither transparency nor trust provides a simple and self-evident path for mitigating the negative political and social consequences of state surveillance practices. Dominant in both the scholarly literature and public debate is the conviction that transparency can promote better-informed decisions, provide greater oversight, and restore trust damaged by the secrecy of surveillance. The contributions to this volume challenge this conventional wisdom by considering how relations of trust and policies of transparency are modulated by underlying power asymmetries, sociohistorical legacies, economic structures, and institutional constraints. They study trust and transparency as embedded in specific sociopolitical contexts to show how, under certain conditions, transparency can become a tool of social control that erodes trust, while mistrust - rather than trust - can sometimes offer the most promising approach to safeguarding rights and freedom in an age of surveillance. The first book addressing the interrelationship of trust, transparency, and surveillance practices, this volume will be of interest to scholars and students of surveillance studies as well as appeal to an interdisciplinary audience given the contributions from political science, sociology, philosophy, law, and civil society

    Urban Informatics

    This open access book is the first to systematically introduce the principles of urban informatics and its application to every aspect of the city that involves its functioning, control, management, and future planning. It introduces new models and tools being developed to understand and implement these technologies that enable cities to function more efficiently – to become ‘smart’ and ‘sustainable’. The smart city has quickly emerged as computers have become ever smaller to the point where they can be embedded into the very fabric of the city, as well as being central to new ways in which the population can communicate and act. When cities are wired in this way, they have the potential to become sentient and responsive, generating massive streams of ‘big’ data in real time as well as providing immense opportunities for extracting new forms of urban data through crowdsourcing. This book offers a comprehensive review of the methods that form the core of urban informatics from various kinds of urban remote sensing to new approaches to machine learning and statistical modelling. It provides a detailed technical introduction to the wide array of tools information scientists need to develop the key urban analytics that are fundamental to learning about the smart city, and it outlines ways in which these tools can be used to inform design and policy so that cities can become more efficient with a greater concern for environment and equity

    The Right to Privacy and Data Protection in Times of Armed Conflict

    Contemporary warfare yields a profound impact on the rights to privacy and data protection. Technological advances in the fields of electronic surveillance, predictive algorithms, big data analytics, user-generated evidence, artificial intelligence, cloud storage, facial recognition, and cryptography are redefining the scope, nature, and contours of military operations. Yet, international humanitarian law offers very few, if any, lex specialis rules for the lawful processing, analysis, dissemination, and retention of personal information. This edited anthology offers a pioneering account of the current and potential future application of digital rights in armed conflict. In Part I Mary Ellen O’Connell, Tal Mimran and Yuval Shany, Laurie Blank and Eric Talbot Jensen, Jacqueline Van De Velde, Omar Yousef Shehabi and Emily Crawford explore how various IHL regimes, ranging from the rules regarding the protection of property to those regulating the treatment of POWs, protect the rights to digital privacy and data protection. Part II, which contains contributions by Leah West, Eliza Watt and Tara Davenport, and concentrates on the extent to which specific technological tools and solutions, such as facial recognition, drone surveillance and underwater cables. Part III of this collection examines the obligations of militaries and humanitarian organizations when it comes to the protection of digital rights. Tim Cochrane focuses on military data subject access rights, Deborah Housen-Couriel explores data protection in multinational military operations, and Asaf Lubin expounds the role of ICRC as a data controller in the context of humanitarian action. In Part IV Kristina Hellwig, Yaël Ronen and Amir Cahane focus on digital rights in the post bellum phase.
This part takes a closer look at the role of the right to privacy in the investigation and prosecution of international crimes, the ‘right to be forgotten’ in cases concerning information about international crimes and the protection of the digital identities of individuals caught up in humanitarian disasters.