Cloud Security Webinar Now Available; Just As New Report Warns Of Cloud Security
from the up-in-the-air dept
You may recall that, a couple weeks ago, we had a webinar on cloud security, with Jake Kaldenbaugh of CloudStrategies and Sam Quigley of Emerose, that was well attended and well reviewed (thank you!). The feedback on it was tremendous. If you happened to miss it, we've now made it available to watch, and also have put up the actual PowerPoint document for download as well. And... bonus time. The PDF file contains a series of extra slides, detailing some of the state of the cloud security market today -- as well as some details about Amazon's cloud security initiatives. Even if you caught the original presentation, there are probably some useful additional nuggets in there as well.
And, in the meantime, don't forget to sign up for our next Webinar, coming up this Wednesday at 9am PT/noon ET on What IT Needs To Know About The Law, with Dave Navetta and Larry Downes. The signups on this one have been through the roof and we've been working hard putting it together. The conversation should be very, very interesting, so definitely come ready with questions as well.
Filed Under: cloud, legal issues, security
Is Telling People To Visit A Certain Website A Denial Of Service Attack?
from the seems-like-a-stretch dept
iamtheky sends in the story of a UC San Diego Professor, Ricardo Dominguez, whose focus of research is "electronic civil disobedience," (for which he received tenure and a fellowship from his university), but who is now potentially facing discipline or even criminal charges from the university for staging a "virtual sit-in" to protest budget cuts. It certainly raises questions about the line between telling people to visit a website and a hack attack to take down a website. It's difficult to see how just telling people to go to a website should ever qualify as any kind of attack, but the University is said to be contemplating criminal charges.
Filed Under: denial of service, protest
New Webinar: What IT People Need To Know About The Law
from the putting-on-that-legal-hat dept
A few weeks ago, we had a post about why IT people need to be knowledgeable about the law, rather than just about technology. It was based on an excellent article by Dave Navetta on The Legal Defensibility Era (pdf). For years, IT folks have recognized that they often wear two hats, switching between a technology one and a business one, as they often have to explain or justify the business tradeoffs of the IT decisions they make. But these days, they also really need to add a legal hat.
Given the immense interest we received in this particular topic, we've decided that it will be the topic of our next webinar in our IT Innovation series: What IT needs to know about the law to be held next Wednesday, May 26th at 9am PT/noon ET. We're thrilled that Dave Navetta, who wrote the article that sparked the original discussion, will be participating and discussing this "era of legal defensibility" that IT people need to understand. Dave has built a career around bridging that gap between IT folks and legal folks, and is obviously perfect to be part of this discussion. With him will be Larry Downes, most recently the author of The Laws of Disruption, which is all about how the legal realm is hugely important to understanding business and technology in the world today, and how anyone looking to succeed in the internet age needs to understand some of these key legal principles. Larry's a well-known writer, speaker, pundit and consultant on this important intersection of the law and the technology world, and between David and Larry, the discussion should be quite a lot of fun. Once again, I'll be moderating.
I'm really excited about this particular topic and the two speakers. We've been preparing for the webinar over the past few days, and there are a ton of interesting topics to discuss, concerning how the law is impacting security, privacy and the wider IT world. Depending on timing, we may dip into some other areas, including intellectual property law, Section 230 and the like. Given the discussions we regularly have on this site, and how important legal issues have become in the IT world over the past few years, this is going to be a can't miss discussion, so sign up now. As with previous webinars, the discussion is designed to be interactive, and we can take questions from the audience via the web interface during the event, so please come ready with questions.
Filed Under: it, legal defensibility, privacy, security
UK Court Says Software Company Can Be Liable For Buggy Software
from the opening-the-floodgates? dept
For many, many years the debate has raged on whether or not software developers should be liable for bugs in software. Plenty of companies, sick of dealing with buggy software, have felt that developers should be legally liable, just as any other defective product. But many argue back that, with software, that's not really reasonable, since pretty much all software has bugs. That's the nature of software -- and making developers potentially liable for "defective" offerings, because the software has some bugs, opens up so much liability that it could cast a chill across all sorts of software development -- especially in areas where software is especially buggy. And, of course, there's a strong argument that those unintended consequences would do significantly more harm than good, such as driving good developers out of the business, because the liability is just too high.
That said, software liability has been a hot topic in Europe lately, and now Slashdot points us to the news that the UK High Court has ruled that a software company can be liable for buggy software. More specifically, the court found that a clause in the license agreement, which said it would not be liable for defects, was an unfair contract term.
Of course, it also sounds like there were some special conditions here:
The judge said that the exclusion of liability was unfounded because of the particular way in which the software sale had been conducted. The fact that a full set of operating documents for the software had not been provided and the fact that Kingsway made its purchasing decisions largely based on Red Sky's claims for the software eroded Red Sky's ability to limit its liability, the Court said.
So, as the article notes, the issue here may be more about liability arising from the sales process, rather than just general liability, so it hopefully won't have the same sorts of chilling effects that general liability for bugs might have.
"Red Sky's' standard terms were predicated on the fact that a prospective customer would investigate Entirety [the software] and make up its own mind whether or not to purchase based on demonstrations and the Operating Documents which Red Sky had previously supplied," said the ruling. "It did not apply to circumstances in which the customer relied on Red Sky's' advice in deciding to purchase Entirety."
"The exclusions in clause 10.2 [of the terms and conditions] only applied where the Operating Documents as defined in Clause 1.1.6 were supplied to the customer before the contract was signed," it said. "In this case such documents were not supplied by Red Sky to Kingsway. Therefore, Clause 10.2 and the exclusions derived there from did not apply."
Filed Under: buggy software, liability, software, uk
Reminder: Cloud Security Webinar Tomorrow
from the don't-miss-it dept
Just a reminder that our webinar on "Cloud Security" is tomorrow at 9am PT/noon ET for those of you interested. Please register if you're interested in participating. This is a hot topic and an awful lot of you have already registered, so it should lead to a good discussion. You can read a bit more about what the webinar is going to cover, and who's involved, in our original post announcing it, but we've been working hard the past few days finalizing the presentation part, and it should lead to quite an engaging discussion. It is designed to be interactive, and the webinar system has a way for you to ask questions, so please come with questions ready.
Filed Under: cloud computing, cloud security, webinar
Why IT Security Guys Now Also Need To Be Legal Experts
from the welcome-to-the-modern-world dept
Every so often we get complaints from people who point out that this site is called "Techdirt," and yet quite frequently talks about the legal issues. There are a few different responses to this, but one of the key points is that, if you're in the tech field these days, you actually really do need to be pretty familiar with the law in a lot of ways. This is a point that I've been thinking about a lot lately, so it seemed like great timing when Michael Scott directed our attention to an article about how IT and security folks now need to recognize that legal risks are a big part of the security realm:
The era of legal defensibility is upon us. The legal risk associated with information security is significant and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world. This article discusses implementing security that is both secure and legally defensible, which is key for managing information security legal risk.
It certainly takes things pretty far outside the world where information security folks are used to living. And while there may be a sense of being able to defend the technological decisions should there be a security breach, reaching the level of "legal defensibility" involves a whole different set of issues.
The blog post linked above notes that we're still early in realizing this overlapping arena of security and law, and it's important to have folks from all of these disciplines work together:
Now is the time for legal, privacy and security professionals to break down arbitrary and antiquated walls that separate their professions. The distinctions between security, privacy and compliance are becoming so blurred as to ultimately be meaningless. Like it or not, it all must be dealt with holistically, at the same time, and with expertise from multiple fronts. In this regard we must all develop thick skins and be not afraid to stop zealously guarding turf. The reality is, the legal and security worlds have collided, and most lawyers don't know enough about security, and most security professionals don't know enough about the law. Let's change that.
Indeed. In fact, this is part of the reason that I made sure there was at least some legal discussion in our upcoming webinar on security in the cloud -- because it's an important aspect of security these days, and the cloud raises some serious legal questions (if you haven't registered yet, please do!). But making sure that legal and security/IT people are talking about this regularly is important. Otherwise, you can bet that the legal folks are going to make decisions that are going to come back to haunt those in the IT and security worlds...
Filed Under: it, legal defensibility, security
Will Cloud Computing Lead To Patent Liability For End Users?
from the promoting-progress-left-and-right dept
With so much focus on "cloud computing" these days, companies looking to leap into the cloud and to embrace the agility and flexibility it provides are being warned that there may be a looming problem on the horizon: patent litigation. Seriously. As with pretty much any hot area of technology these days, there's a pretty big patent thicket around cloud computing -- even if the basic technology really isn't all that different than what's been around for ages. But, of course, that won't stop opportunistic companies from claiming their patents cover new cloud services (or of having some players in the field attack competitors with patents). But where this becomes a bigger issue is that such patent lawsuits could bleed down to customers as well, meaning that they may take on more liability than they realize just in adopting a rather useful service:
"One model of enforcing patents says I can go after the manufacturer, but once I do I'm done because then all his sales are licensed," Goldberg said. "But if I keep going after all his customers, I can keep going forever and the customer is really not in the best position to fight back. So it creates increased risk."
Yes, this sounds ridiculous, but welcome to modern patent law. This is, clearly, a problem with patent law today. There are lots of really useful and valuable cloud services that provide much greater functionality than local offerings, but beyond questions concerning "outsourcing" certain important aspects of IT, the fact that it could also make companies liable for patent infringement is a big open question. Considering the threat, we'll actually be discussing this topic a bit in our upcoming Security in the Cloud Webinar, which is taking place Tuesday May 11th at 9am PT/noon ET.
Filed Under: cloud computing, liability, patents
Does Storing Your Documents In 'The Cloud' Mean The Gov't Has Easier Access To It?
from the privacy-concerns dept
One of the more annoying things concerning the ever changing technology world is the trouble that the law has in keeping up. We're seeing that a lot lately. For example, a few months ago, we talked about 4th Amendment issues when it comes to cloud data. There are a few different camps on this, with a few different thoughts -- and so far, no one's exactly sure who's right. We predicted the issue was going to come up more frequently... and we're already seeing that. A few months after that post, we had a court ruling that (on a questionable basis) found no 4th Amendment privacy protections for emails once delivered, using similar logic to the debate over the cloud. And such cases are becoming more common.
The Citizen Media Law Project has a good discussion about the FBI getting access to documents stored in Google Docs as part of a spam investigation. In that case, the FBI did go through the process of getting a full search warrant (which should have satisfied some of the 4th Amendment concerns), but it's the first case on record of the FBI getting access to Google Docs.
Part of the problem here is that this sort of stuff is covered under a law that's nearly a quarter of a century old, and is not even remotely designed for a modern technology world:
The current federal statute on the issue, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510, et seq., basically extended the rules regarding government access to older technologies like the telephone (e.g., wiretapping) to electronic communications. The USA Patriot Act, passed after the Sept. 11, 2001 attacks, modified these old rules a bit. But the basic, underlying statute was passed in 1986, before the advent and widespread use of email, text messaging, social networking websites, and the myriad other means of modern communications.
What's interesting is how little attention these issues seem to be getting -- even though they can have a pretty large impact. And, even though this may seem like legal details, it applies well outside the legal field as well. While it won't be the key focus, we're even going to include a short section on these kinds of legal issues in the cloud in our upcoming webinar on cloud security (register here). While this might not seem directly like a security issue, if you're in charge of keeping data secure, it's pretty important to know what it means when the feds knock on your door... or the door of the third party "cloud" provider to whom you outsourced your company's data.
As others have explained at length, ECPA creates an exceedingly dense and confusing statutory framework, and relies on a series of archaic distinctions, such as whether a communication is "stored" or "in transit." This complexity creates uncertainty about what showing law enforcement has to make in order to access user materials stored in the cloud. Is a search warrant, a subpoena, or an informal request required? Under what circumstances can service providers voluntarily cooperate with law enforcement?
Filed Under: 4th amendment, cloud, ecpa, privacy, security
Companies: google
As More Services Move To The 'Cloud' What Does It Mean For IT Security?
from the an-upcoming-webinar dept
While the term "the cloud" is still pretty loosely defined, there's no doubt that more and more services are being offered over the internet, and many of those are enterprise-type offerings. For example, lots of well known companies are using Google docs, and Salesforce.com has really become quite the standard in many, many places for any type of CRM/Salesforce automation. But what does that mean for IT folks, who are used to having full control over the technology being used by employees? How can they make sure that the services that employees are using are secure and protected? And, for companies building their own online services that they hope will be used in enterprises around the globe, how should they best prepare to build a system that meets the security requirements of in-house IT staff? On top of that, beyond traditional "technology" security, there are serious legal security questions as well. How protected, legally speaking, is the data stored in the cloud? Is it covered under different laws? And do the answers to these questions depend on if you're "webifying" legacy systems as compared to building entirely new systems?
Well, we're hoping to answer a bunch of these questions with a new webinar that we're putting on next Tuesday, May 11th at 9am PT/noon ET (register here), as a part of our ongoing IT Innovation series -- sponsored by Oracle and Intel.
I'll be moderating the discussion, and the discussion will be led by two of the most knowledgeable folks I know on this topic: Jake Kaldenbaugh of CloudStrategies, and formerly an exec at NEC, where he drove early strategic efforts focusing on virtualization and cloud computing, and Sam Quigley of Emerose, a leading expert on cloud security, who previously was a founding member of EDS's security and privacy services group, an open source developer at security appliance vendor Astaro, the sole security person at Xign (which became JP Morgan Treasury Services) and Vice President of security and operations at Wesabe, the online financial startup.
The webinar will consist of a brief presentation, followed by discussion -- and we're hoping to make it as interactive as possible, so come ready with questions. If you'd like to attend, please register now!
Separately, it's worth noting that we recently refreshed the IT Innovation website, to reflect that it's sponsored by Oracle and Intel (Oracle taking over from Sun following the acquisition), and we've also refreshed the resource center with a series of new whitepapers, including (but not limited to):
- Best Practices for Managing Datacenter Costs via Application and Server Consolidation
- Why Solid-State Drives Usage Scenarios Are Expanding for the Datacenter
- New Blades and Networking Solutions Ensure Solid Return on Investment
- Reassessing Server Costs for Midsize Companies
Filed Under: cloud computing, cloud security, security