Intellectual Property Magazine - Cloud Computing: What In-House Counsel Needs to Know

Intellectual Property Magazine asked me to write an article for their March 2011 issue. We discussed various topics and ultimately settled on the subject matter in the title of this Blog posting above. Our arrangement allows me to publish my work in my Blog. The graphics in the published article are really quite amazing. What follows is the text of my article minus the graphics:

Cloud Computing: What In-House Counsel Needs to Know

The only constant is change. I remember being at an Oktoberfest back in the late ’80s. My friends and I noticed a young man wearing a phone on his belt. We laughed and thought how self-important he must think he was. Well, I confess that today I do not leave the house without my smartphone firmly attached to my belt. I can make and receive calls, send and receive emails, surf the net, and even take a picture if needed. The old adage “Change, embrace it” holds true in today’s technological environment.

It is said that the speed of processing chips doubles every 18 months. There is no end in sight to the growth in sales of the ubiquitous mobile phone. Apple’s iPad is all the rage and the Apple stores cannot keep them on the shelves. The number of applications to be written for mobile computing devices in the coming year is staggering. The next phase of innovation in this burgeoning IT industry is Cloud Computing. The term “Cloud” gives the concept a rather nebulous tone. Studies show that sales in the Cloud Computing marketplace have doubled in the last few years and there is no slowdown in sight. Let’s first define exactly what Cloud Computing is, in order to rid ourselves of the uncertainty, and then examine its advantages and disadvantages.

Cloud Computing – What is it?

Software as a Service, also known as SaaS or On-Demand, is the term most closely associated with Cloud Computing. The key word is “Service”. SaaS runs on a cluster of linked, networked computers that perform different functions and together act as a virtual supercomputer. Each person working on his or her own laptop is provided with exactly the application they need to perform their part of a project or their assigned tasks within the corporate entity. These applications are delivered to that person over the internet. The user can work remotely, accessing the needed applications from the internet through a web browser. It is a seamless delivery system, and to the user it appears that the applications are installed on their laptop. The software and the data it generates are not stored on the premises or on the user’s own hard drive, but rather on shared servers at the vendor’s site.

What are its advantages?

The major reason usually given for Cloud Computing is that SaaS is faster to get up and running in a productive environment than a full-blown enterprise-wide implementation, and is therefore a much less expensive alternative. Hand in hand with the touted speed to productivity is the claim that the enterprise can avoid the upfront capital expenditure for the additional or specialized hardware usually required in most Enterprise Resource Planning (“ERP”) implementations. The servers are not on premises; they are a shared server array at the software vendor’s site. Since it is a service, pricing is based on a per-seat use rate, so the millions in initial cash outlay for the software suite are non-existent. The theory is that the enterprise pays for what it uses and no more. Depending on the application, the pricing might not be exactly pay-as-you-go but a hybrid: the software vendor may offer subscription-based pricing for the estimated number of users or hits required over a shorter period of time, which can then be adjusted as events require. Another advantage of this delivery model is that it is easily scalable and provides flexibility as projects, or the enterprise at large, experience growth. Users, storage space, and upgrades to new versions and releases of the software can all be dealt with as the needs arise.

What are its disadvantages?

Security is the paramount concern. Where’s my software? Where’s my data? We have government regulations to adhere to. There are new banking regulations and new privacy rules. What about protecting non-public personal information? How do you assure me that my data does not get mixed up with another entity’s data? And the list can go on and on. 

How do we address these concerns?

Cloud Computing is inevitable. Given the centralized nature of Cloud Computing, security becomes more efficient. Instead of fighting the concept, it might be wiser to prepare for its eventual acceptance and implementation. It is a good idea to train your IT department personnel for the change so they can have a shorter learning curve when the switch is made. One way to approach this is to initiate trials for your personnel by creating an innovation sandbox in the cloud. Contractually, this is the time when in-house counsel needs to lean on the “techies” on the business team; both sides must feel comfortable with the solutions to the security issues. Let the business teams gather all the questions and all the means to address those concerns. Then it is the contract draftsman’s job to memorialize these areas of concern in the contract to be signed, together with the consequences if such matters are not met.

The teams must agree on the specifications of how the data is to be isolated and protected. Include language that allows and mandates that the customer’s data is retrievable in a format that is desirable and safe. The ability to retrieve your data in the right format should be part of any Disaster Recovery language, and the policies and procedures discussed should be inserted into the contract. Your data should be backed up on a regular schedule and copies of the backups should be stored off-site at another secure facility.

Support levels and upgrades are part of the selling feature of any SaaS initiative, so these must be clearly spelled out in the contract, usually via a separate Support Schedule attached to the terms and conditions and incorporated by reference. In addition to clearly defining what is included in Support, make sure to have your team develop, in conjunction with in-house counsel and the vendor’s team, a Software Support Response Schedule for inclusion in the contract. Such a Response Schedule should have uptime availability percentages for the Productive System and a sufficient penalty if these availability percentages are not met. Do not be afraid to include tough penalties for failure to achieve the agreed-upon uptime availability, to adequately incentivize the On-Demand vendor to meet their promised availability times. These penalties are usually a percentage credit against the customer’s monthly or quarterly use fees. The teams should work on clearly defining the different levels of priority and the times to respond to calls for support at each level (e.g. Level 1 is Very High Priority due to Productive System shutdown; response time after the call is reported is 1 hour). The contract must clearly state that the vendor is SAS 70 certified, and such certificate must be made available to the customer upon signing of the contract.

It should go without saying, but verify that all of the promises made have been confirmed by a team from the customer through an on-site visit to the vendor’s facilities. The on-site visit should confirm all the physical security claims and the policies and procedures discussed in the contract negotiations. Once the promised savings materialize, through reduced maintenance costs and the avoided upfront costs for specialized hardware, the enterprise can use these funds to direct its efforts to more innovative ways of running the business.

Is complete surrender the only alternative?

Depending on the type of business your company is engaged in and the nature of the data to be processed, when considering the move to Cloud Computing the concerns over security might be just too high a hurdle to overcome. The new Privacy Laws, computer hacking and new government regulations sometimes present an insurmountable obstacle. Another approach is to perform a cost-benefit analysis of just certain parts of your business; the results might make the transition to Cloud Computing more palatable. On-demand service providers, another name for SaaS software vendors, are coming up with hybrid delivery approaches to Cloud Computing. If the enterprise has a myriad of smaller customer-facing transactions at a multitude of sites, why not make use of the Cloud with all its advantages of scalability and usage-based pricing, while leaving the more sensitive data to be processed and stored on premises in a traditional single-tenancy approach? This allows the enterprise to take advantage of the cost savings of Cloud Computing while still maintaining the integrity of the more sensitive data stored on premises.

Where do we go from here?

The worldwide recession has kept a lid on software vendors raising prices. But this economic downturn cannot last forever. During this time there has been a consolidation of software developers in the ERP industry. In April 2009 Oracle purchased Sun Microsystems. This purchase alone gave Oracle, one of the prime players in the ERP market space, access not only to Sun’s premier hardware capabilities but also to the keys to some of Sun’s stalwart software assets, most importantly the Java programming language. Along with Oracle’s purchase of Sun came the Solaris operating system as well. With all the assets of the Sun Microsystems purchase, both software and hardware, Oracle has placed itself in a position to provide the foundation on which to build its SaaS and Cloud Computing services.

SAP, which has been partnering with IBM since the late ’90s, plans to develop with IBM a product that will facilitate the creation of an in-house cloud. The aim of SAP’s new endeavor, the “Reservoir” cloud computing project, is to spread the utilization of requested applications across the enterprise’s servers, thus addressing underutilization and spikes in usage.

Intel, the world’s prime chip manufacturer, purchased McAfee, a leader in the network security industry. With this purchase Intel hopes to integrate security directly into the architecture of its chips. If this is accomplished, Intel’s potential to enter such new markets as network security, smartphones, and PC tablets is boundless.

Google, purveyor of the prime search engine of choice, has recreated itself as a vendor of mobile devices, operating systems, and Cloud Computing. Other big IT players such as Cisco, IBM, and HP, now flush with cash and seeing the impending paradigm shift in the industry, have gone on a shopping spree, purchasing unified communications vendors, network security companies, and business intelligence vendors. Oddly enough, all of these acquired companies are apparently perceived as being outside the acquirer’s original area of expertise.

With this consolidation in the market many of the potential ERP customers’ choices will be eroded, as only a handful of ERP vendors will remain. It’s a fair assumption that prices will be on the rise. Your IT budgeters should expect to request increases in funding for the usual items that accompany an ERP Business Suite purchase, such as increased costs for support, higher rates for users, and the ever burdensome costs of a full-blown enterprise-wide implementation with all its foibles and miscues. One way to counteract the consolidation in the ERP market space is to examine alternative methods for deployment of the needed IT services. Cloud Computing, Software as a Service, a hybrid approach, or Managed Services are options your IT department should be considering. As I have discussed, the seemingly insurmountable hurdles to Cloud Computing can be overcome. With the right contracting model, adequate assurances and protections, and sufficient penalties to incentivize adherence to the agreed-upon terms of protection, Cloud Computing can be a viable alternative for your IT department. Change is coming. Embrace it.

Epilogue: My editor asked me to develop a “To Do” list for the readers. The graphics in the published piece consist of a yellow legal pad with the following bullet points:

To-do list

• When implementing cloud computing, it is a good idea to train your IT department personnel for the change so they can have a shorter learning curve when the switch is made.

• In addition to clearly defining what is included in support, make sure to have your team develop, in conjunction with in-house counsel and the vendor’s team, a software support response schedule for inclusion in the contract.

• The contract must clearly state that the vendor is SAS 70 certified and such certificate must be made available to the customer upon signing of the contract.

• Make use of the cloud with its advantages of scalability and pricing based on use while leaving the more sensitive data processed and stored on premises in a single-tenancy traditional approach.

Intellectual Property Magazine: Computer Hacking and IP Theft

Catherine White, Staff Writer & Sub-Editor for Intellectual Property Magazine, contacted me about an article she was about to write on Computer Hacking and IP Theft. In the interview she asked me a series of in-depth and thought-provoking questions. She had done her research quite well and also interviewed some outstanding experts in the field. Her article appears in the March 2011 issue of Intellectual Property Magazine, is entitled "I spy with my little virtual eye", and its text is as follows:

I spy with my little virtual eye...

Catherine White taps into the virtual world of computer hacking and its real threat to IP

“Hackers who single out their target have done their homework. They do background research on that person, they know their friends, their family, their hobbies and interests. These forms of attacks are very dangerous,” said Kevin Rowney, director of breach response at software security company Symantec.

You would be forgiven for thinking that you are reading an excerpt from a fictional spy novel or thriller but what you are actually reading about is the growing reality of cyber crime and IP theft. A virtual world where anything can happen from financial institutions being breached by Russian networks to hacking operations taking place in a church. Plots so inconceivable that even James Bond would be shaken and most definitely stirred.

What is computer hacking?

Computer hacking involves trying to circumvent computer and network security and then selling the information obtained to criminals or competitors, or using it for extortion. President of NetWitness, a network security company, Nick Lantuh said, “Hackers make billions of dollars from cybercrime. The revenues are greater than in the drug trade and far safer. It is much easier, cheaper and informative than sending out spies to countries to perform the act of gathering information. The other main benefit is that it’s anonymous.”

Richard LaMagna of consulting firm LaMagna and Associates said that it can also refer to the “‘cracking’ (gaining unauthorised access to computers with malicious intentions) or by-passing of security features that are intended to prevent unauthorised use of a software programme, often referred to as digital rights management technologies (DRM).”

LaMagna continued, “In both cases, the hacker gains unauthorised access to a computer or a system from which he or she can steal information, intellectual property, trade secrets, personal identifying information, user names, passwords, email addresses, contact lists, etc.

“Pirates often distribute or sell the criminally hacked versions of software, which have security access controls removed, and the software programmes are either copied onto CDs, offered through peer-to-peer file sharing programmes, or offered for downloading for a fee on websites.”

Rowney pointed out that there are three major adversaries that pose a threat to IP:

1) Hackers – parties who are breaking into computers remotely via the internet and stealing IP;

2) Malicious insiders – employees who have turned against their organisations and have sought to rip-off IP from their employer or the enterprise they work for; and

3) Well-meaning insiders – employees who mean well and stay loyal to their companies but end up making a mistake out of ignorance or haste that results in a breach and the exposure of IP, eg, copying large amounts of IP onto laptops without encryption, then leaving that laptop unattended or losing it, or loading peer-to-peer file share programmes to download music and not realising that these programmes can also access other information on the computer.

There is also the issue of ‘data spill events’. This is when employees copy sensitive data inside a company to a secondary drive and leave it there without any protection. Thus, inside the corporate network, workers are using, updating and browsing content and copying it out of the primary system, which is protected, into the secondary location where it has no protection at all. This leaves it open to theft by malicious insiders or hackers. “All three of these sources of threat impose significant risk to IP, and anyone trying to defend their IP must be aware of all three risks”, Rowney said.

What do hackers look for?

Most hackers look for vulnerabilities in a company’s computer system and often gain access through third-party partners and collaborators who access the firm’s system via an extranet or virtual private network, commonly the weakest points of access.

Sam Conforti of law firm Sam Conforti LLC said, “The new industrial espionage no longer is the tourist taking a factory tour and clicking away with his or her camera. Today industrial espionage is gaining surreptitious access to a company’s network and downloading confidential files.”

These files can be anything of value to the hacker, from personal identifiable information to very targeted products, facts, formula, mergers and acquisition activity, patented processes, design documents and executive emails. Lantuh said, “If it provides a competitive advantage or intelligence which supports technology acquisition or has a monetary value that can be sold or exploited, then it is of value to hackers. The damage which occurs to the victim is a hit to their brand and a hit to their potential market cap.” LaMagna added that when counterfeit brands do enter the market and companies are unable to protect confidential and customer data, “they face serious issues of liability and possible government sanctions”.

Employer v employee

Theft of IP and other sensitive information from companies is very common. Insider hacking reached 48% of overall hacking activity in the 2010 Data Breach Investigations Report by Verizon Business, an IP communications and information technology service, and the United States Secret Service (USSS).

Insiders, who for malicious purposes abused their right to access corporate information, were the most common cases worked by the USSS. This crime increased by 26%. Conforti noted the increase in insider hacking indicated “the new white collar crime of the day is IP theft.”

Whilst all companies are exposed to IP theft, LaMagna said that, “healthcare and financial services are the most vulnerable when it comes to data breaches and hacking attempts, while the high-tech sector is most exposed to attempts to steal IP, often by careless or disgruntled insiders or third-party collaborators.”

As a result, Rowney noted that there is no definitive measurement of IP loss within enterprises and the main reason for this is because “companies do not report the extent of loss and often hide the event after a security breach because they fear this could harm their reputation”.

Lantuh added that if a firm does report a breach there are many others that do not, due to a “lack of visibility in these organisations meaning that these numbers are actually higher since many companies simply don’t know they have been breached”.

Countries and hackers

Hacking is both an insider and outsider problem. There is a lot of targeting from the cyber crime gangs in Eastern Europe, Latin America and Asia. There is also a significant amount of IP theft that occurs from nations which support home-grown industries/interests in gaining military technology or research and development efforts. There is a consistent top 10 list of countries most responsible for hacking and these include China, Brazil, Germany, UK, Russia and the US.

However, Lantuh noted that where a hack is aimed commonly differs from where it began: “The highest hacker rate is actually in the US, but this is not necessarily indicative of where those hacks originate from. Many hacks from China or Eastern Europe originate their attacks from machines that have been compromised in the US or in another country.”

LaMagna offered some insights into why these particular countries are in the lead. “Countries such as the US, the UK and Germany have a high rate of internet use and the high rate of e-commerce and banking presents a target-rich environment for criminals to make money. Countries such as Brazil, India and China are experiencing dramatic growth in internet infrastructure and broadband usage which presents new opportunities for criminals. In many cases, countries lag behind in terms of cyber crime legislation and enforcement—thus there is no risk or deterrence.”

Computer hacking growth

IP theft is growing rapidly. Conforti said, “In the 21st century it is a foregone conclusion that computer hacking is a part of everyday life, both business and private home computing. If you feel you are immune to such matters or that it could never happen to you, then you are unwise and simply tempting fate.”

Research group Osterman published a study which showed that 74% of companies worldwide believed hacking and malware will increase in 2011. Malware refers to software that can destroy data, affect a computer’s performance and allow spammers to send emails to accounts. Malware includes viruses or worms (a software programme capable of reproducing itself that can spread from one computer to the next over a network).

There are several reasons why computer hacking is increasing:

1) New hacking techniques – the pace of innovations in hacking techniques has developed rapidly over the past few years. Such techniques are called ‘targeted attacks’, which are built around the idea of customising the computer virus in a way that will be effective for single use against a particular target. These customised viruses are called ‘mutated malware’ which have been altered so that no classic, signature-based anti-virus programme can detect them.

2) Information becoming digitised – more data is put online and made accessible via the computer network, resulting in information becoming more portable. The more applications and technology that can access this data, like smartphones and iPads, the more difficult it becomes to secure that data.

3) Profit margins – selling data is extremely profitable for hackers. It is also easy to deploy hacking technology and target it towards organisations.

4) Disregard for IP – there is a prevailing view that digital theft isn’t really theft and that it is a harmless practice with no victims.

In response to the rise in hacking incidences, new technologies are being invented. Many IP products have copy prevention features and DRM, like product activation keys, which notify the IP holder if a piece of software is being hacked or copied. Some products have a “time bomb” which means that after a certain period, if they are not registered with the manufacturer or authenticated, they will no longer function.

There is also a mutated malware identification system based on anti-virus technology which builds up an encyclopaedia of software running worldwide and monitors this malware. It has 1.5 billion programmes that help to understand new threats. Therefore, if something the encyclopaedia does not recognise comes up, an alert is raised straight away.

Approaching IP security

A small percentage of organisations understand what is needed to combat IP theft and protect valuable assets. Rowney said, “Many enterprises first do not have clear knowledge of where their most essential data is, where it is going and how it is being used. Without knowledge of this, it is hard to claim that you are doing an adequate job of managing the risk of a possible breach. Second, many organisations have not taken the basic steps to enumerate chief IP assets.”

The most common mistakes made by enterprises regarding IP security are:

• Budget issues – many companies are in denial about the level of risk currently at play (eg, significant IP theft can compromise an entire product line), so they undervalue security issues. On the other hand, some businesses do not have the money for IP security. This is especially true for smaller firms that have no policies and procedures in place and regard safety as low priority. The majority of data leaks and breaches could be avoided by system administrators’ and employees’ adoption of safe best practices through tools, technology and greater awareness via training;

• Becoming overwhelmed – protecting IP is a massive task. There is so much data and if a company attempts to embrace the entire range of protection available, it becomes impossible to do. Therefore, enterprises should be realistic that only the narrow range of essential IP should be defended. This way they can focus their attention and be on top of the situation;

• ‘Point solution’ confusion (solving one particular problem without regard to related issues) – when addressing IP security, companies point their resources towards the next point solution technology, eg DLP or web filtering. This can become unmanageable because a company will have to maintain, operate and keep the technology up to date. Although all these point solutions are targeted towards a piece of the problem, they do not offer protection and this causes a management nightmare for the security teams. Lantuh said, “Add this to the fact that security has to some extent used compliance as a proxy for sound operational security practices and has gone to a ‘check-box mentality’ which provides a false sense of security, meaning cyber criminals will not get caught by your signature based solutions.” Firms therefore need a real-time ‘catch-everything’ network-monitoring solution that can be mined for intelligence on what is happening. Thus, businesses can detect risk and qualified threats, and do this on an ongoing basis; and

• Time factor – many organisations often underestimate the amount of resources, money, people and time it takes to really protect and implement a sound security protection strategy. LaMagna noted that companies that rely heavily on IP such as pharma, technology and publishing groups, “are surprisingly reluctant to allocate substantial budgets to IP protection programmes ... This is because assessing IP is a difficult and time-consuming exercise. Often, law enforcement referrals take time to come to a successful conclusion and even then the penalties are not severe enough to act as a deterrent.”

Your mission, should you choose to accept it...

Rowney highlighted the steps on how enterprises should protect themselves from security breaches:

1) Protect infrastructure with modern systems to defend against infection. Virus infection is usually the primary mode of intrusion, which hacker teams are using to access IP. So companies should use new advanced techniques that can specifically confront the threat of targeted attacks.

2) Appropriate authorisation and authentication infrastructure. Make sure that only the intended parties and appropriate consumers of IP inside the enterprise are able to see it. Such means could be passwords but sometimes these are insufficient and insecure. Therefore, some companies are looking into ‘two factor authentication’ which is a form of advanced authentication such as ID cards, personal identification numbers and fingerprints.

3) Adequate management of the underlying system. Many computers that are hacked into have out-of-date configurations or lack the appropriate patches for the most up-to-date solutions vendors offer. In addition, if a company has security problems this makes hacker access easier. They also may not have the appropriate updates for applications, like PDFs or Java, which can open up a gap in the security framework allowing hackers to break in. Appropriate management systems should have patch updates and appropriate revisions of commercial software.

4) Know where information is and where it is going. Data loss prevention solutions allow a company to identify IP at its source and track its transmission in email, its exposure on servers and possible copying or theft. There are modern detection algorithms which are quite good at identifying specific forms of IP breach, like which words are stored, where they are going and how they are used.

5) Appropriate network monitoring. This allows an enterprise to watch for traces of infection. These break-in events create patterns of network activity, which could alert a team to the urgent need for a remediation of the affected systems.

6) Education. Employees should be educated and trained to not rely on point solutions or ‘fix-of-the-day’ technologies. There needs to be a deep continual monitoring of what is going on, Lantuh added.

Steps for post attack

Lantuh highlighted what companies should do after a security breach has taken place:

1) a) Engage their incident response plan if they have one.
   b) Perform a forensics investigation to find the root cause of the attack.
   c) Remediate the situation.
   d) Do a post-mortem analysis on the incident and determine any lessons learned which can be incorporated into the incident response plan for process improvement.
   e) Check the entire enterprise for like compromise.

2) Use what was learned from the attack. After an attack, companies should incorporate what they have learnt into the incident response process for the next incident, continually improving the process.

3) Spread knowledge. After a company realises what needs to be done, they should spread this knowledge out to see if there was compromise anywhere else in the corporation. Employees should be educated in understanding the importance of clicking on links or helping workers/well meaning insiders understand the potential risks of posting links on the web or sharing them inappropriately.

Mission impossible?

Ending the war on cyber crime will be a long battle, as long as data-accessible technology, like iPhones and iPads, keeps evolving. The only real way companies can defend themselves is if they implement the correct security steps, but Rowney noted enterprises are their own worst enemies. “Malicious insiders stealing data can easily be prevented by using modern security technology. Despite this, businesses are not using such software, so hacking happens all over again”.

A message many companies wish would “self destruct in 5,4,3,2,1”.

Footnotes

1. Predictions for 2011. An Osterman Research Survey Report

2. Verizon 2010 Data Breach Investigations Report

3. Further reading: Online Trust Alliance 2011 Data Breach & Loss Incident Readiness Guide to Help Businesses Protect Online Trust & Confidence https://otalliance.org/news/releases/DataBreach1_25_11.html