Securing Your Enterprise; Protecting Your Brand
Securing Apps & Data in the Cloud
Executive Breakfast | Toronto Board of Trade
Securing Apps and Data in the Cloud
Presented By: Lisa Abe-Oldenburg
Toronto Board of Trade
July 23, 2014
Introduction
• Overview of Cloud Computing
• Issues and Risks
• Risk Mitigation Strategies
• Responding to Data Breaches
• Organizational Data and App Practices
• Summary of Best Practices and Tips
Overview of Cloud Computing
• "Cloud computing is a model for enabling convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly provisioned
and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential
characteristics, three service models, and four deployment models." - National
Institute of Standards and Technology (NIST) v. 15
• Rearden LLC v. Rearden Commerce, Inc., 597 F.Supp. 2d 1006 (N.D. Cal.
Jan. 27, 2009) – “Cloud Computing” defined as a software as a service
platform for the online delivery of products and services
• “Surge computing” is analogous to electricity providers: players within a
cloud (or in cloud stacks) or across clouds are essentially trading processing and
storage capacity. Data, software and servers can be moved instantaneously to
available computation resources
Cloud Computing Essential Characteristics
• On-demand self-service. A consumer can unilaterally provision
computing capabilities, such as applications, server time and
network storage, as needed automatically without requiring human
interaction with each service’s provider.
• Rapid elasticity. Capabilities can be rapidly and elastically
provisioned, in some cases automatically, to quickly scale out and
rapidly released to quickly scale in. To the consumer, the
capabilities available for provisioning often appear to be unlimited
and can be purchased in any quantity at any time.
• Broad network access. Capabilities are available over the
network and accessed through standard mechanisms that promote
use by heterogeneous thin or thick client platforms (e.g., mobile
phones, laptops, and PDAs).
Cloud Computing Essential Characteristics
• Resource pooling. The provider’s computing resources are
pooled to serve multiple consumers using a multi-tenant model,
with different physical and virtual resources dynamically assigned
and reassigned according to consumer demand. There is a sense of
location independence in that the customer generally has no
control or knowledge over the exact location of the provided
resources but may be able to specify location at a higher level of
abstraction (e.g., country, state, or datacenter). Examples of
resources include storage, processing, memory, network
bandwidth, and virtual machines.
Cloud Computing Essential Characteristics
• Measured Service. Cloud systems automatically control and
optimize resource use by leveraging a metering capability at some
level of abstraction appropriate to the type of service (e.g., storage,
processing, bandwidth, and active user accounts). Resource usage
can be monitored, controlled, and reported providing transparency
for both the provider and consumer of the utilized service.
Cloud Computing Benefits
• Opportunity to purchase a broad range of IT services in a utility-based model
• Refocus efforts on IT operational expenditures and only pay for IT
services consumed instead of buying IT with a focus on capacity
• Storage, provisioning and management of apps, data and other
personal information in a cloud computing or SaaS model can help
companies increase operational efficiencies, resource utilization
and innovation, delivering a higher return on investments to
stakeholders
• Simpler issuance of cloud-based apps
• Consumer device capabilities: Ubiquitous – Only requires data
connection
Deployment Models
• Private cloud. The cloud infrastructure is operated solely for an
organization. It may be managed by the organization or a third party and may
exist on premise or off premise.
• Community cloud. The cloud infrastructure is shared by several
organizations and supports a specific community that has shared concerns
(e.g., mission, security requirements, policy, and compliance considerations).
It may be managed by the organizations or a third party and may exist on
premise or off premise.
• Public cloud. The cloud infrastructure is made available to the general
public or a large industry group and is owned by an organization selling cloud
services.
• Hybrid cloud. The cloud infrastructure is a composition of two or more
clouds (private, community, or public) that remain unique entities but are
bound together by standardized or proprietary technology that enables data
and application portability (e.g., cloud bursting for load-balancing between
clouds).
Cloud Delivery/Service Models
• Software as a Service (SaaS)
• cloud provider supplies the software
• user can set limited configuration of the software
• Platform as a Service (PaaS)
• cloud provider supplies the programming language and tools
• user selects and controls applications and hosting environments
• Infrastructure as a Service (IaaS)
• cloud provider manages and controls underlying cloud infrastructure
• user selects and configures operating systems, storage, applications,
networking components (e.g. firewalls, load balancers)
• Cloud service integrators bundle multiple services into a single offering, to
appear as a seamless consolidated application
• E.g. customer relationship and reservations system, e-signature/e-commerce app,
payment processing, billing platform, etc.
Cloud Delivery/Service Models
Cloud stack diagram (layers from top to bottom): Data / Content; Software Application;
Platform; Computing Infrastructure (processing, storage, networks); Cloud Infrastructure.
Users access the cloud stack over the network.
Issues and Risks in Cloud Computing
• Regulatory and Document/Data Retention Risk
• How will the cloud provider meet your
organization's regulatory compliance
requirements?
• Access and retrieval of software and data for the
purposes of audit, compliance,
litigation/eDiscovery, correction, deletion, end of
service/termination, breach/failure, disaster or
insolvency of cloud provider
• Risk of insufficient backups, disaster recovery and
business continuity plans – often obligations and
costs are pushed onto customer (i.e. your company)
• Watch out for freezing of accounts and no access to
data upon termination or breach – data could be
deleted (hijacked until fees paid or dispute
resolved)
Issues and Risks (cont.)
• Operational, compliance and legal risk
• IT dept loses control
• Where is the Cloud and which laws apply?
• Where are the data and apps? Cloud is flexible
and data (and software) can move easily
across borders if network is big enough -
moved around to where storage or processing
is more cost effective, efficient or available
• Your organization could be unwillingly
subjecting itself to the laws of a foreign
jurisdiction
• Contracts or services in foreign jurisdictions
could have conflicts with local laws, storage,
handling of disputes, export controls, etc.
Issues and Risks (cont.)
• Operational, compliance and legal risk
(cont.)
• CASL applies to not just electronic
communications, but also transmission data
and software
• CASL currently prohibits the alteration of
transmission data in an electronic message in
the course of a commercial activity, without
express consent, so that the message is
delivered to a destination other than, or in
addition to, that specified by the sender
Issues and Risks (cont.)
• Operational, compliance and legal risk
(cont.)
• CASL will also prohibit the installation of a
computer program on any other person’s
computer system, in the course of
commercial activity without express consent.
To aid, induce, procure or cause to be
procured any of the foregoing activities is also
prohibited.
• These software prohibitions will apply
effective January 15, 2015 to any computer
system or person (whether contravening or
directing) located in Canada at the relevant
time.
Issues and Risks (cont.)
• Business Operations, Liability and
Reputational Risks
• Risk of asset/data loss, security and privacy
breaches, inability to retrieve or use data,
failure to properly retain records
• No common cloud standards; PCI DSS,
EMV and ISO standards may provide some
security, reliability and interoperability
• Aggregation of vast amounts of personal
information is possible especially when
using mobile technologies
• Clouds are a target for criminals – lots of
information
Issues and Risks (cont.)
• IP ownership and infringement risk
• Loss of ownership and control over software
and data - how being used and by whom?
• Ownership complications if cloud used for
any development – need to examine
applicable jurisdiction's copyright law and
cloud service agreement
• Software or systems being migrated to the
cloud could also give rise to copyright
infringement or breach of 3rd party licenses -
creation of virtual servers or applications
could be making a “copy” and require
additional license rights and payment of
fees to licensors/owners
Issues and Risks (cont.)
• Legal Contract and Liability risk
• Limits on provider's liability may be too low -
disclaimers, exclusions, short limitation
periods; risk of liability shifts to your
organization
• What is your recourse if provider is in breach?
If there is a service interruption/outage,
errors, damages, loss, data disclosure ?
• Cloud providers often will not give
indemnities and will ask for broad indemnities
from the customer – must renegotiate!
• Watch out for terms that could be unilaterally
amended by service provider, deemed
accepted by use, or cross-referenced in other
documents or hyperlinks – you need to know
in advance what your organization is agreeing
to
Risk Mitigation Strategies
• Compliance vs. Security
• Assess compliance requirements under applicable laws and regulations
• Preparation is key to prevention of data loss or breach
• Establish baselines for security, confidentiality, data integrity, access and
retention
• Keep core business and data in-house or encrypted – establish policies
• Incorporate e-discovery tools and information management processes
• Consult with all stakeholders and legal counsel
• Analysis of data collection, storage, use, disclosure, transfer
• Transparency of equipment, premises, personnel, processes
• Internal governance, employee policies for BYOC and training
• Plan for transitioning (e.g. end of term, sale of business,
subcontracting, affiliates) & knowledge transfer by employees
Risk Mitigation Strategies (cont.)
• Legal review of Contracts – existing and new
• Negotiate limitations on liability and disclaimers, warranties and indemnities,
parental/prime contractor guarantees, hold-backs, alternative dispute resolution,
performance bonds, insurance and other contract terms
• Must deal with changes to laws and regulations, technology and risk over time
• Need reporting, breach notification and assistance, monitoring, management
oversight, audit rights, control, record keeping and data return, change
process, confidentiality and privacy terms, security and encryption schemes,
testing, data segregation, export controls, maintenance, disaster and
continuity/recovery planning, data backup, early termination, etc.
• Have clear service & security level requirements that align with your
organizational requirements – scope and remedies?
• Thresholds of risk tolerance will affect negotiations
• What is the harm that could occur as a result of breach and which party is best able
to mitigate risk? Cost? Should indirect damages be allowed? Are caps on liability
enough?
• Don’t sign a standard form contract!
Responding to Data Breaches
• What are your legal obligations if there is a data breach?
• Note, this presentation only covers data breaches in the private sector
and not breaches with respect to public sector, health or employee
information.
• Under federal private sector privacy law, PIPEDA, breach
notification is currently voluntary - to notify individuals of
breaches involving their personal information, or to notify the
OPC
Responding to Data Breaches (cont.)
• The Canadian Data Breach Guidelines drafted in 2007 in
consultation with commissioners' offices, advocacy groups and
representatives from industry, encourage organizations to:
• Contain the breach and conduct a preliminary assessment of what
occurred;
• Evaluate the risks associated with the breach;
• Notify the parties affected by the breach;
• Take adequate steps to ensure that such an incident does not recur in
the future.
Responding to Data Breaches (cont.)
• The OPC encourages organizations to notify the office or
appropriate provincial privacy commissioners of “material”
breaches of security safeguards that involve personal
information—determining whether a breach is “material”
involves, among other considerations, assessing the sensitivity
of personal information and the number of individuals affected.
• PIPEDA does include requirements around adequately
safeguarding personal information through the use of
physical, technological and organizational measures.
• Absence of “appropriate” controls resulting in breaches
currently does not trigger any regulatory consequences, such as
fines or penalties.
Responding to Data Breaches (cont.)
• Proposed amendments to Canada's federal privacy legislation
(PIPEDA) under Bill S-4 (introduced in the Senate April 8,
2014) will require businesses and organizations to track data
breaches and report them to individuals and the OPC if it is
reasonable in the circumstances to believe that the breach
creates a real risk of significant harm, e.g. identity theft
• The Bill sets out factors to assess risk, requirements for the
content and timing of the notification and record keeping
requirements of all breaches
• May also be obligation to report to other organizations or
government if risk could be reduced
• Non-compliance would be punishable by fines of up to
$100,000
Responding to Data Breaches (cont.)
• The Bill also gives new powers to the privacy commissioner to:
• negotiate voluntary but binding compliance agreements with
organizations that commit to taking action on privacy violations;
• right to ask the Federal Court of Canada to order compliance or award
damages to someone harmed by a privacy violation up to a year after
an investigation; and
• release information about non-compliant organizations if it is in the
public interest.
Responding to Data Breaches (cont.)
• Alberta is the only province that has enacted amendments to its
private sector Personal Information Protection Act (PIPA) to
address incidents involving the “loss of or unauthorized access to
or disclosure of the personal information.”
• Note that recent SCC decision (Alberta (Information and Privacy
Commissioner ) v. United Food and Commercial Workers, Local
401, 2013 SCC 62) struck down Alberta's PIPA in its entirety as
unconstitutional. This declaration of invalidity has been stayed for
12 months in order to provide enough time to legislators to decide
how to make this act constitutional – amendments planned for
this fall
• Other provinces, e.g. Ontario, New Brunswick and Newfoundland
and Labrador, only require breach notification with respect to
personal health information.
Responding to Data Breaches (cont.)
• Alberta PIPA requires notice to the province’s Privacy
Commissioner of loss of, or unauthorized access to, personal
information under the organization's control - only if a
reasonable person would consider that there exists a real risk of
significant harm to an individual. Commissioner decides
whether individuals should be notified.
Responding to Data Breaches (cont.)
• “real risk of harm” must be more than merely speculative and
not simply hypothetical or theoretical. A breach relating to
highly sensitive personal information, such as financial
information, is more likely to meet this standard and require
reporting.
• The commissioner has interpreted “significant harm” to mean
“a material harm...[having] non-trivial consequences or effects.
Examples may include possible financial loss, identity theft,
physical harm, humiliation or damage to one’s professional or
personal reputation.”
Responding to Data Breaches (cont.)
• Manitoba's Personal Information Protection and Identity Theft
Prevention Act (PIPITPA) – private sector law not yet in force
• PIPITPA will generally require breach notification to an
individual directly if personal information is lost, accessed or
disclosed without authorization – no harm threshold
• In Québec, the Commission d'accès à l'information du Québec
("CAI") in its 2011 Quinquennial Report entitled "Technology
and Privacy, in a Time of Societal Choices" recommends including
mandatory security breach reporting in both its public sector and
private sector data protection laws.
Responding to Data Breaches (cont.)
• PIPITPA will also create a private right of action for an
individual to sue an organization for damages arising from its
failure to:
• protect personal information that is in its custody or control; or
• provide reasonable notice if the organization was not satisfied that the
lost, stolen or accessed information would be used lawfully.
• Jurisdictions outside Canada may have extraterritorial
implications, e.g. California has its own breach notification law
Organizational Data and App Practices
• Designate privacy and technology officers to ensure
compliance under Canadian and foreign laws
• Consult with the regulators when in doubt about systems
and privacy policies
• Have a data breach protocol plan in place - how to notify,
who, and when? E.g. the regulators, individuals, ASAP
• Limit access to electronic records to a need-to-know basis
and password protect; control dissemination of apps
• Draft and keep records of proper consents prior to
collecting, using or disclosing any personal information or
providing apps
Organizational Data and App Practices (cont.)
• Identify purposes for the collection, use and disclosure, and
limit collection, use and disclosure to those purposes, which
must be reasonable
• Develop, implement and review privacy and security
policies, CASL policy (see new CRTC Bulletin 2014-326),
technology policy, including procurement, software, BYOD
and services policies
• Train employees and get acknowledgments
• Protect personal information and data from theft,
modification, and unauthorized access
Organizational Data and App Practices (cont.)
• Keep personal information only for as long as reasonable to
carry out the business or legal purpose or as required by law
and destroy or anonymize records once no longer needed
• Develop a procedure for information requests/access,
correction and deletion
• Review and revise all contracts with third parties to ensure
obligations flow through
• “Stress test” data and app operations - privacy and data
policies can be a marketing opportunity
• After a data breach occurs, comply with data breach
guidelines and notification requirements
• Offer credit monitoring to clients
Summary of Best Practices and Tips
• The legal implications of cloud computing, privacy, security,
confidentiality and data breaches involve many complex
issues
• Insist on provider transparency: participants/subcontractors,
jurisdictions, data flow and processing, type of cloud and who
has access
• Engage all organizational teams that may have input to the
cloud relationship, e.g. operational, procurement, contracts
negotiation, privacy, employment (HR), compliance, audit,
insurance, IT, security, risk, Board of Directors
• Directors' liability for breach of their duties in risk
management and oversight
• Have proper testing, plans and policies in place
• Get early involvement of experienced legal counsel
Lisa K. Abe-Oldenburg, B.Comm., J.D.
Abe-oldenburgL@bennettjones.com
Tel.: 416-777-7475
www.bennettjones.com
• This presentation contains statements of general principles and not legal
opinions and should not be acted upon without first consulting a lawyer who will
provide analysis and advice on a specific matter.
Newsflash: Shift to Cloud Beats the Street
IT spending forecast revised lower, amid shift to cloud and commodity
products. Global IT spending will grow 2.1% to $3.7 trillion this year, a weaker
performance than originally expected, although one that is still far stronger than
the marginal gain of 2013, according to research firm Gartner Inc. The
downward revision of more than one percentage point was attributed to product
commoditization, heightened competition, and the shift to the cloud. “Things are
starting to become commoditized faster than we expected,” Gartner analyst
John Lovelock tells CIO Journal. And as individual lines of business command
their own ever-growing technology budgets, spending on cloud-based
applications is drawing funds away from traditional IT departments, whose
spending power is “in trouble,”
Cloud App Explosion
Driven by individual and line of business adoption of cloud and mobile.
It’s how we do business.
Chart (Forrester): SaaS revenue, $21.2B (2011) to $92.8B (2016), 4.4x growth.
There are 5,000 enterprise apps
today (and growing).
Diagram: Security & Risk (Compliance, Control) weighed against Business Benefits
(Agility, Cost Savings).
“To SaaS or not To SaaS….That is the Question!”
Perspectives
• Legal
– Bennett Jones, LLP
• Corporate IT (CIO/CSO)
– Sony
• IT Sector: Cloud Access Security Broker
– Netskope
Highlights
• Business users are adopting consumer behaviors
• Everything about data is changing
• Consumerization is shifting IT architectures
• Security risks arise with new architectures
• A prescription for better security!
Business users are adopting consumer behaviors
• Today’s Business Users
– Do not ask if they can use new applications. They just install them.
– Choose where they store data
– Bring consumer attitudes to work…and expect IT to adapt!
– Want to comply with security and compliance rules…but want freedom
to make decisions on apps, data, and devices
• Implication for IT: IT has no choice but to adapt, manage and control
Everything about DATA is changing
Big Data, Cloud, Mobile
Why would you invest in Data Security?
Major SHIFT in enterprise architecture
Change your Security Strategy!
Discover - Monitor - Control
Source: Netskope Data
Security risks associated with a new architecture
• Network perimeter has blurred…or doesn’t exist
• Multiple copies of data…only contractual based control with 3rd party
• Access control…no tools
• If they get hacked, your data security is compromised
– How do you disconnect from your responsibility?
• IT will not have a view into mobile app transactions
• Low standards to evaluate security of mobile apps
• Security skills shortage
A prescription for better security
• Create a security policy for Cloud
– Include Apps, Data, Access Control
• Do a skill set inventory
– What do you have and what will you need?
• Build a future security architecture… it will not be perfect
– How are you going to measure and manage?
• Redefine your risk management process
– Identify your assets… you do not know.
• Assess data security
– Prepare to manage the security of data that is not in your control
Chart (Source: Netskope Data):
• Cloud apps in use: actual 461 vs. IT estimate 40-50
• 76% of cloud apps aren’t enterprise-ready
• Cloud procurement happens outside of IT
• App redundancy: 41 HR, 27 storage, 27 finance
• Challenge: get visibility and empower safe cloud usage
#1 Technology for Information Security in 2014
Analysts Examine Industry Trends at Gartner Security & Risk Management
Summit, June 23-26, National Harbor, MD
Cloud Access Security Brokers
Cloud access security brokers are on-premises or cloud-based security policy enforcement
points placed between cloud services consumers and cloud services providers to interject
enterprise security policies as the cloud-based resources are accessed. In many cases,
initial adoption of cloud-based services has occurred outside the control of IT, and cloud
access security brokers offer enterprises a way to gain visibility and control as their
users access cloud resources.
“Cool Vendors offer innovative, forward-thinking solution sets designed to address
emerging and newly identified security challenges.”
Mitigate Business Risk
Take Control of Cloud Apps
1. Understand the Cloud Apps usage, category, business function and Risk Assessment
2. Baseline sanctioned, departmental and individual cloud apps
3. Understand the high-level of data movement to/from the clouds
4. Coach & Establish Acceptable Use Policies (AUP) for cloud apps across business,
departments and users
Take Control of User Activities
5. Understand the risky activity usage such as share, upload, download & administration
across cloud apps
6. Understand the activities related to data movement across geo-locations between users
and cloud apps
7. Monitor for Cloud App Usage Anomalies and Irregularities
8. Coach and establish Acceptable Use Policies (AUP) for Cloud App activities, users,
devices, geo-locations and time
Take Control of Data
9. Audit and alert on sensitive data existing in & moving across cloud apps
• PII, PCI, PHI, Intellectual Property
10. Coach, Alert and Block Sensitive Data uploads and shares
11. Encrypt data in the cloud for data-at-rest and use protection
12. Establish Acceptable Use Policy & Protection (AUP) for your corporate data based on
app, content classification, department, user and geo-location
Take Control of Compliance
13. Employ data audit & forensics
14. Records retention and retrieval
15. E-discovery compliance
16. PCI, PHIPA industry specific compliance
17. Business Compliance (CASL, SOX, GLBA, ..)
18. FINRA advanced regulation with ethical walls
(Scale shown beneath the four columns: 15%, 40%, 75%, 90+%)
Provision-by-Purpose
• Best User Experience, Security & Performance
• Easy to deploy and Quick to value
Netskope: Comprehensive Cloud Security Platform
Any App, Any Device, Anywhere
DISCOVERY - ANALYTICS - ENFORCEMENT
Deep context from four identifiers:
• AppID: Cloud App, Category, CCI
• ActivityID: Share, Upload, Download, Admin
• DataID: PII, PCI, PHI, IP, …
• ActorID: User, Device, Geo, Time, …
Rich Enablement Services across Sanctioned Business Apps, Unsanctioned Apps and
Consumer Apps: DLP, ENCRYPTION
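The Discover - Monitor - Control cycle, the numbered "Take Control" steps and the AppID / ActivityID / DataID / ActorID taxonomy above can be shown as a small policy engine. The Python below is an added example written for this page, not Netskope's product or the presenter's material; the app inventory, events, allowed countries and rule thresholds are constructed sample data.

```python
"""
Toy "Discover - Monitor - Control" policy engine in the CASB style this deck
describes (added illustration, not vendor code). The app inventory, events,
allowed geographies and rules are constructed sample data that exercise steps
1-2 (discover/baseline apps), 7 (usage anomalies) and 9-12 (audit, coach,
alert, block sensitive data movement) from the list above.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median

SENSITIVE = {"PII", "PCI", "PHI", "IP"}   # DataID classes treated as sensitive
ALLOWED_GEOS = {"CA", "US"}  # constructed AUP: sensitive data may only move from here

# Constructed inventory of discovered apps: name -> (category, sanctioned by IT?)
APP_INVENTORY = {
    "corp-crm":      ("CRM",     True),
    "corp-storage":  ("storage", True),
    "freebox-share": ("storage", False),
    "dropzone":      ("storage", False),
    "quick-notes":   ("notes",   False),
}
UNKNOWN_APP = ("unknown", False)   # anything not in the inventory is unsanctioned


@dataclass(frozen=True)
class Event:
    user: str            # ActorID
    app: str             # AppID
    activity: str        # ActivityID: share | upload | download | admin | view
    data_class: str      # DataID: PII | PCI | PHI | IP | none
    geo: str             # country the user connected from
    managed_device: bool


def discover(events):
    """Steps 1-2: inventory apps seen in traffic and measure redundancy per category."""
    seen = {e.app for e in events}
    by_category = defaultdict(set)
    for app in seen:
        by_category[APP_INVENTORY.get(app, UNKNOWN_APP)[0]].add(app)
    unsanctioned = sorted(a for a in seen if not APP_INVENTORY.get(a, UNKNOWN_APP)[1])
    redundancy = {c: len(apps) for c, apps in by_category.items() if len(apps) > 1}
    return {"apps": len(seen), "unsanctioned": unsanctioned, "redundancy": redundancy}


def sanctioned_alternative(category):
    """A sanctioned app in the same category, used to coach users (steps 4 and 8)."""
    for app, (cat, sanctioned) in APP_INVENTORY.items():
        if cat == category and sanctioned:
            return app
    return None


def decide(event):
    """Steps 9-12: map one event to (action, reason); coach < alert < block."""
    category, sanctioned = APP_INVENTORY.get(event.app, UNKNOWN_APP)
    sensitive = event.data_class in SENSITIVE
    outbound = event.activity in {"upload", "share"}
    if sensitive and outbound and not sanctioned:                  # step 10: block
        return "block", f"{event.data_class} {event.activity} to unsanctioned app {event.app}"
    if sensitive and outbound and event.geo not in ALLOWED_GEOS:   # step 12: geo AUP
        return "block", f"{event.data_class} {event.activity} from disallowed geo {event.geo}"
    if event.activity == "admin" and not event.managed_device:     # step 8: device AUP
        return "alert", f"admin action on {event.app} from unmanaged device"
    if sensitive and outbound:                                     # step 9: audit trail
        return "alert", f"audit: {event.data_class} {event.activity} to sanctioned app {event.app}"
    alt = None if sanctioned else sanctioned_alternative(category)
    if alt:                                                        # step 4: coach
        return "coach", f"{event.app} is unsanctioned; use {alt} instead"
    return "allow", "within acceptable use policy"


def download_anomalies(events, factor=3):
    """Step 7: users whose download count is far above the median of active downloaders."""
    per_user = Counter(e.user for e in events if e.activity == "download")
    if not per_user:
        return []
    typical = median(per_user.values())
    return sorted(u for u, n in per_user.items() if n > max(factor, factor * typical))


def enforce(events):
    """Control: run the policy over every event and tally actions for the audit log."""
    return dict(Counter(decide(e)[0] for e in events))


# Constructed sample traffic: six interactive events plus bulk downloads by three users.
SAMPLE_EVENTS = (
    [
        Event("alice", "corp-crm",      "upload", "PII",  "CA", True),
        Event("alice", "freebox-share", "share",  "PCI",  "CA", True),
        Event("bob",   "corp-storage",  "upload", "PHI",  "BR", False),
        Event("bob",   "quick-notes",   "view",   "none", "CA", True),
        Event("carol", "corp-storage",  "admin",  "none", "US", False),
        Event("carol", "dropzone",      "view",   "none", "US", True),
    ]
    + [Event("dave",  "corp-storage", "download", "IP",   "CA", True)] * 12
    + [Event("erin",  "corp-storage", "download", "none", "CA", True)] * 2
    + [Event("frank", "corp-storage", "download", "none", "CA", True)]
)

if __name__ == "__main__":
    print("discover:", discover(SAMPLE_EVENTS))
    for ev in SAMPLE_EVENTS[:6]:
        print(f"{ev.user:6} {ev.app:14} {ev.activity:9} {ev.data_class:5} ->", *decide(ev))
    print("download anomalies:", download_anomalies(SAMPLE_EVENTS))
    print("tally:", enforce(SAMPLE_EVENTS))
```

Note that the step-9 rule only alerts on sensitive data going to a sanctioned app, so the audit trail is kept without blocking normal business use; the block rules fire only on unsanctioned destinations or disallowed geographies.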
cloud computing.pptMunmunSaha7
 
NARA's FAQ and Bulletin on Cloud Computing
NARA's FAQ and Bulletin on Cloud ComputingNARA's FAQ and Bulletin on Cloud Computing
NARA's FAQ and Bulletin on Cloud ComputingArian Ravanbakhsh
 
Cloud computing
Cloud computingCloud computing
Cloud computingArar Fahem
 

Similaire à Securing Apps & Data in the Cloud Executive Breakfast (20)

Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014Mining IT Summit Nov 6 2014
Mining IT Summit Nov 6 2014
 
Cloud Computing in Business and facts
Cloud Computing in Business and factsCloud Computing in Business and facts
Cloud Computing in Business and facts
 
Introduction to Cloud Computing.pptx
Introduction to Cloud Computing.pptxIntroduction to Cloud Computing.pptx
Introduction to Cloud Computing.pptx
 
Cloud computing & security basics
Cloud computing & security   basicsCloud computing & security   basics
Cloud computing & security basics
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cloud computing explained
Cloud computing explained Cloud computing explained
Cloud computing explained
 
The cloud ecosystem
The cloud ecosystemThe cloud ecosystem
The cloud ecosystem
 
Chap 1 introduction to cloud computing
Chap 1 introduction to cloud computingChap 1 introduction to cloud computing
Chap 1 introduction to cloud computing
 
A cross referenced whitepaper on cloud computing
A cross referenced whitepaper on cloud computingA cross referenced whitepaper on cloud computing
A cross referenced whitepaper on cloud computing
 
Cloud Computing - Security Benefits and Risks
Cloud Computing - Security Benefits and RisksCloud Computing - Security Benefits and Risks
Cloud Computing - Security Benefits and Risks
 
What Is Cloud Computing?
What Is Cloud Computing?What Is Cloud Computing?
What Is Cloud Computing?
 
The Nist definition of cloud computing cloud computing Research Paper
The Nist definition of cloud computing cloud computing Research PaperThe Nist definition of cloud computing cloud computing Research Paper
The Nist definition of cloud computing cloud computing Research Paper
 
Introduction to Cloud Computing, Overview
Introduction to Cloud Computing, OverviewIntroduction to Cloud Computing, Overview
Introduction to Cloud Computing, Overview
 
An introduction to the cloud 11 v1
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1
 
Cloud Computing (Lecture 1 & 2).pptx
Cloud Computing (Lecture 1 & 2).pptxCloud Computing (Lecture 1 & 2).pptx
Cloud Computing (Lecture 1 & 2).pptx
 
cloud computing.ppt
cloud computing.pptcloud computing.ppt
cloud computing.ppt
 
NARA's FAQ and Bulletin on Cloud Computing
NARA's FAQ and Bulletin on Cloud ComputingNARA's FAQ and Bulletin on Cloud Computing
NARA's FAQ and Bulletin on Cloud Computing
 
Cloud Computing.pptx
Cloud Computing.pptxCloud Computing.pptx
Cloud Computing.pptx
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cs6703 grid and cloud computing unit 3
Cs6703 grid and cloud computing unit 3Cs6703 grid and cloud computing unit 3
Cs6703 grid and cloud computing unit 3
 

Dernier

Bare And Wild Creation, Curio Shop, Tucumcari NM
Bare And Wild Creation, Curio Shop, Tucumcari NMBare And Wild Creation, Curio Shop, Tucumcari NM
Bare And Wild Creation, Curio Shop, Tucumcari NMroute66connected
 
MinSheng Gaofeng Estate commercial storyboard
MinSheng Gaofeng Estate commercial storyboardMinSheng Gaofeng Estate commercial storyboard
MinSheng Gaofeng Estate commercial storyboardjessica288382
 
Roadrunner Lodge, Motel/Residence, Tucumcari NM
Roadrunner Lodge, Motel/Residence, Tucumcari NMRoadrunner Lodge, Motel/Residence, Tucumcari NM
Roadrunner Lodge, Motel/Residence, Tucumcari NMroute66connected
 
Russian⚡ Call Girls In Sector 104 Noida✨8375860717⚡Escorts Service
Russian⚡ Call Girls In Sector 104 Noida✨8375860717⚡Escorts ServiceRussian⚡ Call Girls In Sector 104 Noida✨8375860717⚡Escorts Service
Russian⚡ Call Girls In Sector 104 Noida✨8375860717⚡Escorts Servicedoor45step
 
Indian High Profile Call Girls In Sector 18 Noida 8375860717 Escorts Service
Indian High Profile Call Girls In Sector 18 Noida 8375860717 Escorts ServiceIndian High Profile Call Girls In Sector 18 Noida 8375860717 Escorts Service
Indian High Profile Call Girls In Sector 18 Noida 8375860717 Escorts Servicedoor45step
 
How Can You Get Dubai Call Girls +971564860409 Call Girls Dubai?
How Can You Get Dubai Call Girls +971564860409 Call Girls Dubai?How Can You Get Dubai Call Girls +971564860409 Call Girls Dubai?
How Can You Get Dubai Call Girls +971564860409 Call Girls Dubai?kexey39068
 
FULL ENJOY - 9953040155 Call Girls in Dwarka Mor | Delhi
FULL ENJOY - 9953040155 Call Girls in Dwarka Mor | DelhiFULL ENJOY - 9953040155 Call Girls in Dwarka Mor | Delhi
FULL ENJOY - 9953040155 Call Girls in Dwarka Mor | DelhiMalviyaNagarCallGirl
 
FULL ENJOY - 9953040155 Call Girls in Karol Bagh | Delhi
FULL ENJOY - 9953040155 Call Girls in Karol Bagh | DelhiFULL ENJOY - 9953040155 Call Girls in Karol Bagh | Delhi
FULL ENJOY - 9953040155 Call Girls in Karol Bagh | DelhiMalviyaNagarCallGirl
 
9654467111 Call Girls In Noida Sector 62 Short 1500 Night 6000
9654467111 Call Girls In Noida Sector 62 Short 1500 Night 60009654467111 Call Girls In Noida Sector 62 Short 1500 Night 6000
9654467111 Call Girls In Noida Sector 62 Short 1500 Night 6000Sapana Sha
 
FULL ENJOY - 9953040155 Call Girls in Gandhi Vihar | Delhi
FULL ENJOY - 9953040155 Call Girls in Gandhi Vihar | DelhiFULL ENJOY - 9953040155 Call Girls in Gandhi Vihar | Delhi
FULL ENJOY - 9953040155 Call Girls in Gandhi Vihar | DelhiMalviyaNagarCallGirl
 
Greater Noida Call Girls : ☎ 8527673949, Low rate Call Girls
Greater Noida Call Girls : ☎ 8527673949, Low rate Call GirlsGreater Noida Call Girls : ☎ 8527673949, Low rate Call Girls
Greater Noida Call Girls : ☎ 8527673949, Low rate Call Girlsashishs7044
 
Downtown Call Girls O5O91O128O Pakistani Call Girls in Downtown
Downtown Call Girls O5O91O128O Pakistani Call Girls in DowntownDowntown Call Girls O5O91O128O Pakistani Call Girls in Downtown
Downtown Call Girls O5O91O128O Pakistani Call Girls in Downtowndajasot375
 
Russian⚡ Call Girls In Sector 39 Noida✨8375860717⚡Escorts Service
Russian⚡ Call Girls In Sector 39 Noida✨8375860717⚡Escorts ServiceRussian⚡ Call Girls In Sector 39 Noida✨8375860717⚡Escorts Service
Russian⚡ Call Girls In Sector 39 Noida✨8375860717⚡Escorts Servicedoor45step
 
Faridabad Call Girls : ☎ 8527673949, Low rate Call Girls
Faridabad Call Girls : ☎ 8527673949, Low rate Call GirlsFaridabad Call Girls : ☎ 8527673949, Low rate Call Girls
Faridabad Call Girls : ☎ 8527673949, Low rate Call Girlsashishs7044
 
Olivia Cox. intertextual references.pptx
Olivia Cox. intertextual references.pptxOlivia Cox. intertextual references.pptx
Olivia Cox. intertextual references.pptxLauraFagan6
 
Mandi House Call Girls : ☎ 8527673949, Low rate Call Girls
Mandi House Call Girls : ☎ 8527673949, Low rate Call GirlsMandi House Call Girls : ☎ 8527673949, Low rate Call Girls
Mandi House Call Girls : ☎ 8527673949, Low rate Call Girlsashishs7044
 
Khanpur Call Girls : ☎ 8527673949, Low rate Call Girls
Khanpur Call Girls : ☎ 8527673949, Low rate Call GirlsKhanpur Call Girls : ☎ 8527673949, Low rate Call Girls
Khanpur Call Girls : ☎ 8527673949, Low rate Call Girlsashishs7044
 
9654467111 Full Enjoy @24/7 Call Girls In Saket Delhi Ncr
9654467111 Full Enjoy @24/7 Call Girls In Saket Delhi Ncr9654467111 Full Enjoy @24/7 Call Girls In Saket Delhi Ncr
9654467111 Full Enjoy @24/7 Call Girls In Saket Delhi NcrSapana Sha
 
San Jon Motel, Motel/Residence, San Jon NM
San Jon Motel, Motel/Residence, San Jon NMSan Jon Motel, Motel/Residence, San Jon NM
San Jon Motel, Motel/Residence, San Jon NMroute66connected
 

Dernier (20)

Bare And Wild Creation, Curio Shop, Tucumcari NM
Bare And Wild Creation, Curio Shop, Tucumcari NMBare And Wild Creation, Curio Shop, Tucumcari NM
Bare And Wild Creation, Curio Shop, Tucumcari NM
 
MinSheng Gaofeng Estate commercial storyboard
MinSheng Gaofeng Estate commercial storyboardMinSheng Gaofeng Estate commercial storyboard
MinSheng Gaofeng Estate commercial storyboard
 
Roadrunner Lodge, Motel/Residence, Tucumcari NM
Roadrunner Lodge, Motel/Residence, Tucumcari NMRoadrunner Lodge, Motel/Residence, Tucumcari NM
Roadrunner Lodge, Motel/Residence, Tucumcari NM
 
Russian⚡ Call Girls In Sector 104 Noida✨8375860717⚡Escorts Service
Russian⚡ Call Girls In Sector 104 Noida✨8375860717⚡Escorts ServiceRussian⚡ Call Girls In Sector 104 Noida✨8375860717⚡Escorts Service
Russian⚡ Call Girls In Sector 104 Noida✨8375860717⚡Escorts Service
 
Call~Girl in Rajendra Nagar New Delhi 8448380779 Full Enjoy Escort Service
Call~Girl in Rajendra Nagar New Delhi 8448380779 Full Enjoy Escort ServiceCall~Girl in Rajendra Nagar New Delhi 8448380779 Full Enjoy Escort Service
Call~Girl in Rajendra Nagar New Delhi 8448380779 Full Enjoy Escort Service
 
Indian High Profile Call Girls In Sector 18 Noida 8375860717 Escorts Service
Indian High Profile Call Girls In Sector 18 Noida 8375860717 Escorts ServiceIndian High Profile Call Girls In Sector 18 Noida 8375860717 Escorts Service
Indian High Profile Call Girls In Sector 18 Noida 8375860717 Escorts Service
 
How Can You Get Dubai Call Girls +971564860409 Call Girls Dubai?
How Can You Get Dubai Call Girls +971564860409 Call Girls Dubai?How Can You Get Dubai Call Girls +971564860409 Call Girls Dubai?
How Can You Get Dubai Call Girls +971564860409 Call Girls Dubai?
 
FULL ENJOY - 9953040155 Call Girls in Dwarka Mor | Delhi
FULL ENJOY - 9953040155 Call Girls in Dwarka Mor | DelhiFULL ENJOY - 9953040155 Call Girls in Dwarka Mor | Delhi
FULL ENJOY - 9953040155 Call Girls in Dwarka Mor | Delhi
 
FULL ENJOY - 9953040155 Call Girls in Karol Bagh | Delhi
FULL ENJOY - 9953040155 Call Girls in Karol Bagh | DelhiFULL ENJOY - 9953040155 Call Girls in Karol Bagh | Delhi
FULL ENJOY - 9953040155 Call Girls in Karol Bagh | Delhi
 
9654467111 Call Girls In Noida Sector 62 Short 1500 Night 6000
9654467111 Call Girls In Noida Sector 62 Short 1500 Night 60009654467111 Call Girls In Noida Sector 62 Short 1500 Night 6000
9654467111 Call Girls In Noida Sector 62 Short 1500 Night 6000
 
FULL ENJOY - 9953040155 Call Girls in Gandhi Vihar | Delhi
FULL ENJOY - 9953040155 Call Girls in Gandhi Vihar | DelhiFULL ENJOY - 9953040155 Call Girls in Gandhi Vihar | Delhi
FULL ENJOY - 9953040155 Call Girls in Gandhi Vihar | Delhi
 
Greater Noida Call Girls : ☎ 8527673949, Low rate Call Girls
Greater Noida Call Girls : ☎ 8527673949, Low rate Call GirlsGreater Noida Call Girls : ☎ 8527673949, Low rate Call Girls
Greater Noida Call Girls : ☎ 8527673949, Low rate Call Girls
 
Downtown Call Girls O5O91O128O Pakistani Call Girls in Downtown
Downtown Call Girls O5O91O128O Pakistani Call Girls in DowntownDowntown Call Girls O5O91O128O Pakistani Call Girls in Downtown
Downtown Call Girls O5O91O128O Pakistani Call Girls in Downtown
 
Russian⚡ Call Girls In Sector 39 Noida✨8375860717⚡Escorts Service
Russian⚡ Call Girls In Sector 39 Noida✨8375860717⚡Escorts ServiceRussian⚡ Call Girls In Sector 39 Noida✨8375860717⚡Escorts Service
Russian⚡ Call Girls In Sector 39 Noida✨8375860717⚡Escorts Service
 
Faridabad Call Girls : ☎ 8527673949, Low rate Call Girls
Faridabad Call Girls : ☎ 8527673949, Low rate Call GirlsFaridabad Call Girls : ☎ 8527673949, Low rate Call Girls
Faridabad Call Girls : ☎ 8527673949, Low rate Call Girls
 
Olivia Cox. intertextual references.pptx
Olivia Cox. intertextual references.pptxOlivia Cox. intertextual references.pptx
Olivia Cox. intertextual references.pptx
 
Mandi House Call Girls : ☎ 8527673949, Low rate Call Girls
Mandi House Call Girls : ☎ 8527673949, Low rate Call GirlsMandi House Call Girls : ☎ 8527673949, Low rate Call Girls
Mandi House Call Girls : ☎ 8527673949, Low rate Call Girls
 
Khanpur Call Girls : ☎ 8527673949, Low rate Call Girls
Khanpur Call Girls : ☎ 8527673949, Low rate Call GirlsKhanpur Call Girls : ☎ 8527673949, Low rate Call Girls
Khanpur Call Girls : ☎ 8527673949, Low rate Call Girls
 
9654467111 Full Enjoy @24/7 Call Girls In Saket Delhi Ncr
9654467111 Full Enjoy @24/7 Call Girls In Saket Delhi Ncr9654467111 Full Enjoy @24/7 Call Girls In Saket Delhi Ncr
9654467111 Full Enjoy @24/7 Call Girls In Saket Delhi Ncr
 
San Jon Motel, Motel/Residence, San Jon NM
San Jon Motel, Motel/Residence, San Jon NMSan Jon Motel, Motel/Residence, San Jon NM
San Jon Motel, Motel/Residence, San Jon NM
 

Securing Apps & Data in the Cloud Executive Breakfast

  • 1. Securing Your Enterprise; Protecting Your Brand Securing Apps & Data in the Cloud Executive Breakfast | Toronto Board of Trade .
  • 2.
  • 3. Securing Apps and Data in the Cloud Presented By: Lisa Abe-Oldenburg Toronto Board of Trade July 23, 2014
  • 4. Introduction • Overview of Cloud Computing • Issues and Risks • Risk Mitigation Strategies • Responding to Data Breaches • Organizational Data and App Practices • Summary of Best Practices and Tips
  • 5. Overview of Cloud Computing • "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models." - National Institute of Standards and Technology (NIST) v. 15 • Rearden LLC v. Rearden Commerce, Inc., 597 F.Supp. 2d 1006 (N.D. Cal. Jan. 27, 2009) – “Cloud Computing” defined as a software as a service platform for the online delivery of products and services • “Surge computing” analogous to electricity providers, where players intra cloud (or in cloud stacks) or inter-cloud, are essentially trading processing and storage capacity. Data, software and servers are able to be moved instantaneously to available computation resources
  • 6. Cloud Computing Essential Characteristics • On-demand self-service. A consumer can unilaterally provision computing capabilities, such as applications, server time and network storage, as needed automatically without requiring human interaction with each service’s provider. • Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
  • 7. Cloud Computing Essential Characteristics • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
  • 8. Cloud Computing Essential Characteristics • Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
  • 9. Cloud Computing Benefits • Opportunity to purchase a broad range of IT services in a utility- based model • Refocus efforts on IT operational expenditures and only pay for IT services consumed instead of buying IT with a focus on capacity • Storage, provisioning and management of apps, data and other personal information in a cloud computing model or SaaS model, can help companies increase operational efficiencies, resource utilization, and innovation, delivering a higher return on our investments to stakeholders • Simpler issuance of cloud based apps • Consumer device capabilities: Ubiquitous – Only requires data connection
  • 10. Deployment Models • Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. • Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. • Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. • Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
  • 11. Cloud Delivery/Service Models • Software as a Service (SaaS) • cloud provider supplies the software • user can set limited configuration of the software • Platform as a Service (PaaS) • cloud provider supplies the programming language and tools • user selects and controls applications and hosting environments • Infrastructure as a Service (IaaS) • cloud provider manages and controls underlying cloud infrastructure • user selects and configures operating systems, storage, applications, networking components (e.g. firewalls, load balancers) • Cloud service integrators bundle multiple services into a single offering, to appear as a seamless consolidated application • E.g. customer relationship and reservations system, e-signature/e- commerce app, payment processing, billing platform, etc.
  • 12. Cloud Delivery/Service Models Data / Content Software Application Platform Computing Infrastructure (processing, storage, networks) Cloud Infrastructure user user user CLOUD Cloud Stack
  • 13. Issues and Risks in Cloud Computing • Regulatory and Document/Data Retention Risk • How will the cloud provider meet your organization's regulatory compliance requirements? • Access and retrieval of software and data for the purposes of audit, compliance, litigation/eDiscovery, correction, deletion, end of service/termination, breach/failure, disaster or insolvency of cloud provider • Risk of insufficient backups, disaster recovery and business continuity plans – often obligations and costs are pushed onto customer (i.e. your company) • Watch out for freezing of accounts and no access to data upon termination or breach – data could be deleted (hijacked until fees paid or dispute resolved)
  • 14. Issues and Risks (cont.) • Operational, compliance and legal risk • IT dept loses control • Where is the Cloud and which laws apply? • Where is the data and apps? Cloud is flexible and data (and software) can move easily across borders if network is big enough - moved around to where storage or processing is more cost effective, efficient or available • Your organization could be unwillingly subjecting itself to the laws of a foreign jurisdiction • Contracts or services in foreign jurisdictions could have conflicts with local laws, storage, handling of disputes, export controls, etc.
  • 15. Issues and Risks (cont.) • Operational, compliance and legal risk (cont.) • CASL applies to not just electronic communications, but also transmission data and software • CASL currently prohibits the alteration of transmission data in an electronic message in the course of a commercial activity, without express consent, so that the message is delivered to a destination other than, or in addition to, that specified by the sender
  • 16. Issues and Risks (cont.) • Operational, compliance and legal risk (cont.) • CASL will also prohibit the installation of a computer program on any other person’s computer system, in the course of commercial activity without express consent. To aid, induce, procure or cause to be procured any of the foregoing activities is also prohibited. • These software prohibitions will apply effective January 15, 2015 to any computer system or person (whether contravening or directing) located in Canada at the relevant time.
  • 17. Issues and Risks (cont.) • Business Operations, Liability and Reputational Risks • Risk of asset/data loss, security and privacy breaches, inability to retrieve or use data, failure to properly retain records • No common cloud standards; PCI DSS, EMV and ISO standards may provide some security, reliability and interoperability • Aggregation of vast amounts of personal information is possible especially when using mobile technologies • Clouds are a target for criminals – lots of information
  • 18. Issues and Risks (cont.) • IP ownership and infringement risk • Loss of ownership and control over software and data - how being used and by whom? • Ownership complications if cloud used for any development – need to examine applicable jurisdiction's copyright law and cloud service agreement • Software or systems being migrated to the cloud could also give rise to copyright infringement or breach of 3rd party licenses - creation of virtual servers or applications could be making a “copy” and require additional license rights and payment of fees to licensors/owners
  • 19. Issues and Risks (cont.) • Legal Contract and Liability risk • Limits on provider's liability may be too low - disclaimers, exclusions, short limitation periods; risk of liability shifts to your organization • What is your recourse if provider is in breach? If there is a service interruption/outage, errors, damages, loss, data disclosure ? • Cloud providers often will not give indemnities and will ask for broad indemnities from the customer – must renegotiate! • Watch out for terms that could be unilaterally amended by service provider, deemed accepted by use, or cross-referenced in other documents or hyperlinks – you need to know in advance what your organization is agreeing to
  • 20. Risk Mitigation Strategies • Compliance vs. Security • Assess compliance requirements under applicable laws and regulations • Preparation is key to prevention of data loss or breach • Establish baselines for security, confidentiality, data integrity, access and retention • Keep core business and data in-house or encrypted – establish policies • Incorporate e-discovery tools and information management processes • Consult with all stakeholders and legal counsel • Analysis of data collection, storage, use, disclosure, transfer • Transparency of equipment, premises, personnel, processes • Internal governance, employee policies for BYOC and training • Plan for transitioning (e.g. end of term, sale of business, subcontracting, affiliates) & knowledge transfer by employees
  • 21. Risk Mitigation Strategies (cont.) • Legal review of Contracts – existing and new • Negotiate limitations on liability and disclaimers, warranties and indemnities, parental/prime contractor guarantees, hold-backs, alternative dispute resolution, performance bonds, insurance and other contract terms • Must deal with changes to laws and regulations, technology and risk over time • Need reporting, breach notification and assistance, monitoring, management oversight, audit rights, control, record keeping and data return, change process, confidentiality and privacy terms, security and encryption schemes, testing, data segregation, export controls, maintenance, disaster and continuity/recovery planning, data backup, early termination , etc. • Have clear service & security level requirements that align with your organizational requirements – scope and remedies? • Thresholds of risk tolerance will affect negotiations • What is the harm that could occur as a result of breach and which party is best able to mitigate risk? Cost? Should indirect damages be allowed? Are caps on liability enough? • Don’t sign a standard form contract!
  • 22. Responding to Data Breaches • What are your legal obligations if there is a data breach? • Note, this presentation only covers data breaches in the private sector and not breaches with respect to public sector, health or employee information. • Under federal private sector privacy law, PIPEDA, breach notification is currently voluntary - to notify individuals of breaches involving their personal information, or to notify the OPC
  • 23. Responding to Data Breaches (cont.) • The Canadian Data Breach Guidelines drafted in 2007 in consultation with commissioners' offices, advocacy groups and representatives from industry, encourage organizations to: • Contain the breach and conduct a preliminary assessment of what occurred; • Evaluate the risks associated with the breach; • Notify the parties affected by the breach; • Take adequate steps to ensure that such an incident does not recur in the future.
  • 24. Responding to Data Breaches (cont.) • The OPC encourages organizations to notify the office or appropriate provincial privacy commissioners of “material” breaches of security safeguards that involve personal information—determining whether a breach is “material” involves, among other considerations, assessing the sensitivity of personal information and the number of individuals affected. • PIPEDA does include requirements around adequately safeguarding personal information through the use of physical, technological and organizational measures. • Absence of “appropriate” controls resulting in breaches currently does not trigger any regulatory consequences, such as fines or penalties.
  • 25. Responding to Data Breaches (cont.) • Proposed amendments to Canada's federal privacy legislation (PIPEDA) under Bill S-4 (introduced in the Senate April 8, 2014) will require businesses and organizations to track data breaches and report them to individuals and the OPC if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm, e.g. identity theft • The Bill sets out factors to assess risk, requirements for the content and timing of the notification and record keeping requirements of all breaches • May also be obligation to report to other organizations or government if risk could be reduced • Non-compliance would be punishable by fines of up to $100,000
  • 26. Responding to Data Breaches (cont.) • The Bill also gives new powers to the privacy commissioner to: • negotiate voluntary but binding compliance agreements with organizations that commit to taking action on privacy violations; • right to ask the Federal Court of Canada to order compliance or award damages to someone harmed by a privacy violation up to a year after an investigation; and • release information about non-compliant organizations if it is in the public interest.
  • 27. Responding to Data Breaches (cont.) • Alberta is only province which has enacted amendments to its private sector Personal Information Protection Act (PIPA) to address incidents involving the “loss of or unauthorized access to or disclosure of the personal information.” • Note that recent SCC decision (Alberta (Information and Privacy Commissioner ) v. United Food and Commercial Workers, Local 401, 2013 SCC 62) struck down Alberta's PIPA in its entirety as unconstitutional. This declaration of invalidity has been stayed for 12 months in order to provide enough time to legislators to decide how to make this act constitutional – amendments planned for this fall • Other provinces, e.g. Ontario, New Brunswick and Newfoundland and Labrador, only require breach notification with respect to personal health information.
  • 28. Responding to Data Breaches (cont.) • Alberta PIPA requires notice to the province’s Privacy Commissioner of loss of, or unauthorized access to, personal information under the organizations' control - only if a reasonable person would consider that there exists a real risk of significant harm to an individual. Commissioner decides whether individuals should be notified.
  • 29. Responding to Data Breaches (cont.) • “real risk of harm” must be more than merely speculative and not simply hypothetical or theoretical. A breach relating to highly sensitive personal information, such as financial information, is more likely to meet this standard and require reporting. • The commissioner has interpreted “significant harm” to mean “a material harm...[having] non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”
  • 30. Responding to Data Breaches (cont.) • Manitoba's Personal Information Protection and Identity Theft Prevention Act (PIPITPA) – private sector law not yet in force • PIPITPA will generally require breach notification to an individual directly if personal information is lost, accessed or disclosed without authorization – no harm threshold • In Québec, the Commission d'accès à l'information du Québec ("CAI") in its 2011 Quinquennial Report entitled "Technology and Privacy, in a Time of Societal Choices" recommends to include, in both its public sector and private sector data protection laws, mandatory security breach reporting.
  • 31. Responding to Data Breaches (cont.) • PIPITPA will also create a private right of action for an individual to sue an organization for damages arising from its failure to: • protect personal information that is in its custody or control; or • provide reasonable notice if the organization was not satisfied that the lost, stolen or accessed information would be used lawfully. • Jurisdictions outside Canada may have extraterritorial implications, e.g. California has its own breach notification law
  • 32. Organizational Data and App Practices
    • Designate privacy and technology officers to ensure compliance under Canadian and foreign laws
    • Consult with the regulators when in doubt about systems and privacy policies
    • Have a data breach protocol plan in place – how to notify, who, and when? E.g. the regulators, individuals, ASAP
    • Limit access to electronic records to a need-to-know basis and password protect; control dissemination of apps
    • Draft and keep records of proper consents prior to collecting, using or disclosing any personal information or providing apps
  • 33. Organizational Data and App Practices (cont.)
    • Identify purposes for the collection, use and disclosure, and limit collection, use and disclosure to those purposes, which must be reasonable
    • Develop, implement and review privacy and security policies, CASL policy (see new CRTC Bulletin 2014-326), and technology policy, including procurement, software, BYOD and services policies
    • Train employees and get acknowledgments
    • Protect personal information and data from theft, modification, and unauthorized access
  • 34. Organizational Data and App Practices (cont.)
    • Keep personal information only for as long as reasonable to carry out the business or legal purpose, or as required by law, and destroy or anonymize records once no longer needed
    • Develop a procedure for information requests/access, correction and deletion
    • Review and revise all contracts with third parties to ensure obligations flow through
    • “Stress test” data and app operations – privacy and data policies can be a marketing opportunity
    • After a data breach occurs, comply with data breach guidelines and notification requirements
    • Offer credit monitoring to clients
  • 35. Summary of Best Practices and Tips
    • The legal implications of cloud computing, privacy, security, confidentiality and data breaches involve many complex issues
    • Insist on provider transparency: participants/subcontractors, jurisdictions, data flow and processing, type of cloud and who has access
    • Engage all organizational teams that may have input to the cloud relationship, e.g. operational, procurement, contracts negotiation, privacy, employment (HR), compliance, audit, insurance, IT, security, risk, Board of Directors
    • Directors’ liability for breach of their duties in risk management and oversight
    • Have proper testing, plans and policies in place
    • Get early involvement of experienced legal counsel
  • 36. Lisa K. Abe-Oldenburg, B.Comm., J.D. | Abe-oldenburgL@bennettjones.com | Tel.: 416-777-7475 | www.bennettjones.com
    • This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.
  • 38. Newsflash: Shift to Cloud Beats the Street
    • IT spending forecast revised lower, amid shift to cloud and commodity products. Global IT spending will grow 2.1% to $3.7 trillion this year, a weaker performance than originally expected, although one that is still far stronger than the marginal gain of 2013, according to research firm Gartner Inc. The downward revision of more than one percentage point was attributed to product commoditization, heightened competition, and the shift to the cloud. “Things are starting to become commoditized faster than we expected,” Gartner analyst John Lovelock tells CIO Journal. And as individual lines of business command their own ever-growing technology budgets, spending on cloud-based applications is drawing funds away from traditional IT departments, whose spending power is “in trouble,”
  • 39. Cloud App Explosion
    • Driven by individual and line-of-business adoption of cloud and mobile. It’s how we do business.
    • Chart: SaaS revenue (Forrester) – 2011: $21.2B; 2016: $92.8B; 4.4x growth
  • 40. There are 5,000 enterprise apps today (and growing).
  • 41. “To SaaS or not To SaaS….That is the Question!”
    • Security & Risk: Compliance, Control
    • Business Benefits: Agility, Cost Savings
  • 42. Perspectives
    • Legal – Bennett Jones, LLP
    • Corporate IT (CIO/CSO) – Sony
    • IT Sector: Cloud Access Security Broker – Netskope
  • 43. Highlights
    • Business users are adopting consumer behaviors
    • Everything about data is changing
    • Consumerization is shifting IT architectures
    • Security risks arise with new architectures
    • A prescription for better security!
  • 44. Business users are adopting consumer behaviors
    • Today’s Business Users
      – Do not ask if they can use new applications. They just install them.
      – Choose where they store data
      – Bring consumer attitudes to work…and expect IT to adapt!
      – Want to comply with security and compliance rules…but want freedom to make decisions on apps, data, and devices
    • Implication for IT: IT has no choice but to adapt, manage and control
  • 45. Everything about DATA is changing: Big Data, Cloud, Mobile
  • 46. Why would you invest in Data Security?
  • 47. Major SHIFT in enterprise architecture
    • Change your Security Strategy! Discover – Monitor – Control
  • 49. Security risks associated with a new architecture
    • Network perimeter has blurred…or doesn’t exist
    • Multiple copies of data…only contractual-based control with 3rd party
    • Access control…no tools
    • If they get hacked, your data security is compromised – how do you disconnect from your responsibility?
    • IT will not have a view into mobile app transactions
    • Low standards to evaluate security of mobile apps
    • Security skills shortage
  • 50. A prescription for better security
    • Create a security policy for Cloud – include Apps, Data, Access Control
    • Do a skill set inventory – what you have and what you will need
    • Build a future security architecture…it will not be perfect – how are you going to measure and manage?
    • Redefine your risk management process – identify your assets…you do not know them.
    • Assess data security – prepare to manage the security of data that is not in your control
  • 51. 51
  • 52. Cloud procurement happens outside of IT
    • Cloud apps in use – IT estimate: 40-50; Actual: 461
    • 76% of cloud apps aren’t enterprise-ready
    • App redundancy: 41 HR, 27 storage, 27 finance
    • Challenge: Get visibility and empower safe cloud usage
    • Source: Netskope Data
  • 53. #1 Technology for Information Security in 2014 – Cloud Access Security Brokers
    • Analysts Examine Industry Trends at Gartner Security & Risk Management Summit, June 23-26, National Harbor, MD
    • Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises a way to gain visibility and control as their users access cloud resources.
  • 54. “Cool Vendors offer innovative, forward-thinking solution sets designed to address emerging and newly identified security challenges.”
  • 55. Mitigate Business Risk
    • Take Control of Cloud Apps
      1. Understand the Cloud Apps usage, category, business function and Risk Assessment
      2. Baseline sanctioned, departmental and individual cloud apps
      3. Understand the high-level of data movement to/from the clouds
      4. Coach & establish Acceptable Use Policies (AUP) for cloud apps across business, departments and users
    • Take Control of User Activities
      5. Understand the risky activity usage such as share, upload, download & administration across cloud apps
      6. Understand the activities related to data movement across geo-locations between users and cloud apps
      7. Monitor for Cloud App usage anomalies and irregularities
      8. Coach and establish Acceptable Use Policies (AUP) for Cloud App activities, users, devices, geo-locations and time
    • Take Control of Data
      9. Audit and alert on sensitive data existing in & moving across cloud apps (PII, PCI, PHI, Intellectual Property)
      10. Coach, alert and block sensitive data uploads and shares
      11. Encrypt data in the cloud for data-at-rest and use protection
      12. Establish Acceptable Use Policy & Protection (AUP) for your corporate data based on app, content classification, department, user and geo-location
    • Take Control of Compliance
      13. Employ data audit & forensics
      14. Records retention and retrieval
      15. E-discovery compliance
      16. PCI, PHIPA industry-specific compliance
      17. Business compliance: CASL, SOX, GLBA, ..
      18. FINRA advanced regulation with ethical walls
    • (Scale shown on the original slide: 15% – 40% – 75% – 90+%)
  • 56. Netskope: Comprehensive Cloud Security Platform
    • Provision-by-Purpose
      • Best User Experience, Security & Performance
      • Easy to deploy and quick to value
    • Any App, Any Device, Anywhere
    • DISCOVERY – ANALYTICS – ENFORCEMENT
      • AppID: Cloud App, Category, CCI
      • ActivityID: Share, Upload, Download, Admin
      • DataID: PII, PCI, PHI, IP, …
      • ActorID: User, Device, Geo, Time, …
    • Deep Context, Rich Enablement Services
    • Sanctioned Business Apps, Unsanctioned Apps, Consumer Apps
    • DLP, ENCRYPTION
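The CASB description on slides 53, 55 and 56 (a policy enforcement point between users and cloud services that discovers apps, classifies activity, actor and data, and then coaches, alerts or blocks) is easier to grasp as code. The following is an added example written for this page, not Netskope's product or any code from the presentation. It runs a miniature Discovery / Analytics / Enforcement pipeline over a constructed proxy log: the log lines, the hostnames, the sanctioned-app inventory and the `ADMIN_COUNTRIES` rule are all invented for the example, and the only "DataID" detector implemented is a Luhn-checked card number pattern standing in for PCI data.

```python
"""Miniature CASB-style pipeline (added example, not the page's own code).

Discovery:   which cloud apps appear in the logs, and which are sanctioned.
Analytics:   AppID (host/category), ActivityID (upload/share/admin/download),
             DataID (card numbers, Luhn-checked), ActorID (user, device, geo).
Enforcement: allow / alert (coach) / block decisions per request.
"""
import re
import shlex

# Constructed sample proxy log (not real traffic):
# time user device country method host path bytes "body excerpt"
SAMPLE_LOG = """\
2014-07-23T08:01:00Z alice laptop-12 CA POST files.example-storage.com /upload 48213 "Q3 budget draft"
2014-07-23T08:02:10Z bob phone-7 CA GET crm.example-saas.com /contacts 1200 ""
2014-07-23T08:05:44Z carol laptop-3 US POST paste.example-consumer.net /new 900 "card 4111 1111 1111 1111 exp 12/16"
2014-07-23T08:07:02Z alice laptop-12 CA POST files.example-storage.com /share 300 "share=public"
2014-07-23T08:09:30Z dave laptop-9 BR POST hr.example-saas.com /admin/users 700 "role=admin"
"""

# Hypothetical app inventory: sanctioned apps and their business category.
SANCTIONED = {
    "files.example-storage.com": "storage",
    "crm.example-saas.com": "crm",
    "hr.example-saas.com": "hr",
}
# Assumption for the example: admin actions are only expected from Canada.
ADMIN_COUNTRIES = {"CA"}

FIELDS = ("ts", "user", "device", "country", "method", "host", "path", "bytes", "body")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def parse_log(text):
    """Split each log line into a dict; shlex keeps the quoted body intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(zip(FIELDS, shlex.split(line)))
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def luhn_valid(digits):
    """Standard Luhn check; filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """DataID: return masked card numbers found in a body excerpt."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def classify_activity(ev):
    """ActivityID from method and path (share, upload, download, admin)."""
    path = ev["path"].lower()
    if path.startswith("/admin"):
        return "admin"
    if "share" in path:
        return "share"
    return "upload" if ev["method"] in ("POST", "PUT") else "download"


def discover_apps(events):
    """Discovery: per-host inventory with category, request count and bytes."""
    inventory = {}
    for ev in events:
        app = inventory.setdefault(ev["host"], {
            "category": SANCTIONED.get(ev["host"], "unknown"),
            "sanctioned": ev["host"] in SANCTIONED, "requests": 0, "bytes": 0})
        app["requests"] += 1
        app["bytes"] += ev["bytes"]
    return inventory


def evaluate(ev):
    """Enforcement: combine AppID, ActivityID, DataID and ActorID into a decision."""
    activity, pans = classify_activity(ev), find_pans(ev["body"])
    sanctioned = ev["host"] in SANCTIONED
    decision, reasons = "allow", []
    if pans and activity in ("upload", "share") and not sanctioned:
        decision, reasons = "block", ["card data sent to unsanctioned app: " + ", ".join(pans)]
    elif pans:
        decision, reasons = "alert", ["card data in sanctioned app: " + ", ".join(pans)]
    elif not sanctioned:
        decision, reasons = "alert", ["unsanctioned app; coach user on AUP"]
    elif activity == "share" and "public" in ev["body"].lower():
        decision, reasons = "alert", ["public share from sanctioned app"]
    elif activity == "admin" and ev["country"] not in ADMIN_COUNTRIES:
        decision, reasons = "alert", ["admin action from unexpected geo " + ev["country"]]
    return {"user": ev["user"], "device": ev["device"], "host": ev["host"],
            "activity": activity, "sanctioned": sanctioned,
            "decision": decision, "reasons": reasons}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for host, app in discover_apps(events).items():
        print(f"{host:28} {app['category']:8} sanctioned={app['sanctioned']} "
              f"requests={app['requests']} bytes={app['bytes']}")
    for d in (evaluate(ev) for ev in events):
        print(f"{d['decision']:5} {d['user']:6} {d['activity']:8} {d['host']} {d['reasons']}")
```

The order of the `elif` chain is the policy: exfiltration of card data to an unsanctioned app is the one case that blocks outright, while everything else coaches or alerts, which mirrors the slide's progression from "understand" and "baseline" through "coach" to "block". A real deployment would replace the inventory dict with the broker's app catalogue and risk scores, and the single regex with a proper DLP classifier set.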

Editor's notes

  1. By understanding cloud computing, the risks, and following the proposed recommendations, your organization can implement cloud computing that delivers better outcomes for your business at a lower cost.
  2. The complexity of legal compliance is sometimes overwhelming, and many organizations have mistakenly assumed, or simply taken the position, that they cannot use a cloud service. However, that is not necessarily the case. For example, the Canadian federal Personal Information Protection and Electronic Documents Act (PIPEDA) and OSFI do not prohibit cloud computing, even when the cloud service provider (or a part of the cloud service provided) is in another country. In certain industries and provinces, such as the public sector and healthcare in BC and Nova Scotia, cross-border outsourcing or cloud services are prohibited unless certain exceptions apply. Regardless of what the cloud or SaaS contract says, your organization cannot escape compliance with the laws and regulations that apply to it, and your organization is ultimately responsible for any liability that arises through the use of a third party service provider. In other words, you cannot contract out of your legal liability under the various statutes, regulations and guidelines that apply to your business. For example, financial institutions in Canada are subject to numerous rules and regulations governing outsourcing (which includes material cloud services) and data or records retention. As an organization using cloud services you must be careful to ensure the cloud provider has the standards, controls and notification processes in place that meet the regulatory compliance and guidance requirements applicable to your organization.
  ---
  The cloud model has been highly criticized for risk of data privacy and security breaches. Data protection and preservation in the cloud is a critical issue, in particular with respect to your regulatory and litigation compliance. As such, your organization must be able to halt the destruction of data done in the normal course of a cloud service provider's business. Your organization would also need the ability to retrieve the data in a usable form.
  The process by which electronic records retention and litigation holds are implemented in a cloud environment should be clearly established in the contract before procuring cloud services. Typical cloud service provider electronic data recycling processes and procedures involve the destruction of vast amounts of data across the entire cloud environment, affecting more customers than just your organization. Thus, a cloud service provider may not be able to suspend these retention procedures without affecting other unrelated customers. Your organization should contractually ensure any requirements for data preservation are clearly understood and able to be implemented by its cloud service providers. Additionally, metadata associated with the organization's data should be preserved. Depending on the system configuration and cloud service, the original metadata for electronic information stored in the cloud may no longer technically exist. It's important to note that in some cases, courts have sanctioned parties that did not produce metadata associated with their documents. Metadata can often assist in establishing the authenticity of the data and may be needed for a variety of e-discovery processing, review, or admissibility functions. Your procurement team should raise this issue with cloud service providers in the due diligence process and when negotiating the agreement.
  3. Cloud service providers often have a business model that includes profiting from BIG DATA analysis and sale. For example, mobile banking and payments involve the collection of more than just transaction data. Individuals' geolocations and movement patterns can be mapped, their product searches or preferences tagged, and their metadata analyzed and sold for marketing or other purposes. As an organization providing a service to your customers, you need to be aware of what the possible implications of BIG DATA usage could be, and ensure that your customers are protected and that their privacy rights are not being unknowingly violated. You also have to be prepared for new legal developments in this area (which requires the ability to amend your contracts for future legal compliance), as the Privacy Commissioner of Canada has issued a report with recommendations to make changes to PIPEDA in order to address BIG DATA concerns.
  4. Having a software license does not necessarily mean you are permitted to store and run the app in a cloud environment. You have to ensure, from a proper legal analysis, that the rights and restrictions in the license agreement permit you to do so.
  6. We do these things in real-time, across any cloud app, and from any device, including mobile.
  7. New Data – consumer behavior, likes, journey, purchase history, emotions,
  8. But blocking runs counter to business process. We found that 90% of cloud app usage was in apps that have been blocked in some way, shape or form at the perimeter, e.g., by a next-gen firewall. Read this short blog entry for a description of how this happens: http://www.netskope.com/blog/netskope-cloud-report-exception-sprawl/ Source: The Netskope Cloud Report, April 2014
  9. However, with all of this cloud app goodness also comes tremendous cloud app sprawl. We at Netskope perform cloud assessments for our prospects and find that while IT usually estimates that they have about 40-50 apps running in their organizations (only a handful of which they manage), we discover between 400 and 500. Beyond the sheer volume of apps, the number of apps in business-critical or risky categories is surprising. In HR we find an average of 41 apps, and in finance/accounting we find an average of 27. We also measure these apps’ enterprise-readiness, and find that more than three-quarters of them score a “medium” or below in our Cloud Confidence Index, which means they don’t meet enterprise standards for security, auditability, and business continuity. With the majority of cloud app procurement happening outside of IT, there is risk – risk of security events, data loss, and non-compliance. For IT, this creates a catch-22: enable the cloud, but protect the business. Source: The Netskope Cloud Report, April 2014. Slide statistic: 72% of apps aren’t sanctioned by IT.
  11. Consider adding ‘admin’ audit-related actions.