Strong Host Security Policies are Good Business
San Diego, August 8th (HostingCon)

Alex de Joode    Security Officer / LeaseWeb
Stephen E. Oakes Sup. Special Agent / F.B.I. (CIRFU)
Shane McGee      Partner / SNR Denton
Events on June 21st
A DigitalOne’s customer response
•   From the Instapaper blog page: http://blog.instapaper.com/post/6830514157
Summary
•   June 21st 2011, FBI raided a hosting facility in
    Reston, Va., used by DigitalOne, a dedicated
    hosting company
•   F.B.I. took 3 racks
•   F.B.I. was actively investigating the Lulz Security
    group and any affiliated hackers
•   DigitalOne, the hoster, stated: “The agents took
    entire server racks, perhaps because they
    mistakenly thought that ‘one enclosure is equal
    to one server.’”

•   src: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/
What can we learn ?
•   Downtime for innocent customers
•   Why ?
    •   Trust / No Personal Relations ?
•   How can we solve this problem ?

•   F.B.I. perspective:
    •   by Stephen E. Oakes, Supervisory Special Agent
•   Legal perspective:
    •   by Shane McGee, partner SNR Denton
•   Host perspective:
    •   by Alex de Joode, Security Officer LeaseWeb
Thank you


mailto: a.dejoode@leaseweb.com
Good Host Security

San Diego, August 8th (HostingCon 2011)

Alex de Joode
Security Officer, LeaseWeb
Introduction
•   Alex de Joode
    •   Security Officer
         • LeaseWeb (Global)

             • Abuse handling

             • Public & Regulatory Affairs

             • Legal Internet Affairs

             • Security
LeaseWeb (Global)




•   LeaseWeb B.V. (as16265)(Netherlands)
•   LeaseWeb B.V. (as52146)(Belgium)
•   LeaseWeb GmbH (as28753)(Germany)
•   LeaseWeb Inc. (as30366)(United States) (booth#645)
LeaseWeb (some figures)
•   ~ 1% internet traffic generated (1Tbps=1000Gbps)
•   ~35.000 servers online (NL | BE | DE | US)
•   ~235 FTE
F.B.I. & SNR Denton, summary
•   FBI wants to collaborate with Hosts
    •   NCFTA – Cracking Down on Cyber Crime
        (http://www.ncfta.net)




•   SNR Denton: legal requirements to work with
    FBI/LEA if proper legal instrument is used
    •   Hosts are prohibited from voluntarily disclosing any
        subscriber records or content to the government (unless an
        exception applies).
How does LeaseWeb handle these issues ?
•   As a global company we have to deal with:
        Dutch, German and US Law Enforcement
        Agencies.

•   Dedicated Security Office
    •   with qualified and experienced personnel so we can:
    •   minimize these issues
    •   and correctly handle serious situations when they do arise
•   Smart Hoster’s View
    •   Brand Protection
    •   Protect customers and corporate interests and resources
Conclusion



 With the proper protocols and operating
 procedures hosts can avoid DigitalOne
 type issues and ensure a successful
 hosting situation for your customers and a
 profitable environment for you as a host.
Questions ?
Thank you !


mailto: a.dejoode@leaseweb.com
Subpoena Compliance and the
Need for Cooperation with Law
Enforcement
•   Responding to Subpoenas, Court Orders, Warrants, National
    Security Letters and More

Shane M. McGee, Esq., CISSP
Partner

T +1 202 408 9216
shane.mcgee@snrdenton.com

snrdenton.com
ECPA: What Is It?
•   Originally enacted in 1986, as the first use of email and
    large-scale data processing began
•   Designed generally to protect the privacy of electronic
    records and communications stored with third parties.
•   Often referred to interchangeably as “SCA” (Stored
    Communications Act) or “ECPA” (Electronic
    Communications Privacy Act), though the SCA was an
    amendment to ECPA.
•   The SCA applies only to historical records, i.e., those
    available as of the date of the request.
ECPA: What Does it Do?
•   Begins from assumption that, absent ECPA, service providers
    could freely disclose information about customers, and the
    government could compel disclosure of any record by issuing a
    subpoena
•   ECPA imposes limitations on this “default setting”
     • Limits the instances in which and the types of information that
       providers can voluntarily disclose
     • Defines the legal process the government must obtain to compel
       disclosure of certain information
•   Complicated statute that is difficult to apply
     • Archaic terminology

     • Strained application to newer subscriber services

     • Confusing distinctions between treatment of certain records

     • Inconsistent Court interpretations
ECPA: How is it Structured?
•   Provides a series of rules with escalating privacy
    protection based on:
     • The type of information at issue

     • Who seeks the information (government or private
       entity)
     • Who holds the information (how the provider is
       characterized under the law)
•   The guiding principles
     • Content generally more protected than non-
       content
     • More limitations on voluntary disclosures to
       government, but the government has more tools to
       compel disclosure
ECPA: Who Does it Cover?
•   Covered entities defined in ECPA are “Electronic
    Communications Services” (ECS) and “Remote Computing
    Services” (RCS)
     • ECS defined as “any service which provides to users thereof
       the ability to send or receive wire or electronic
       communications”
         • Example: the web-based email service offered by many
           web hosts
     • RCS defined as “the provision to the public of computer
       storage or processing services by means of an electronic
       communications system”
         • “Provision to the public:” Anyone who wants to purchase
           hosting services can sign up (as opposed to private
           corporate email service)
     • Web hosting companies may be an ECS and/or RCS
       depending on the services being offered to that particular
       customer
Three Categories of Information

•   The process the government is required to use
    depends on the type of information sought as follows:

        •   Basic subscriber information

             •   Subpoena

        •   Transactional or other records

             •   Court Order

        •   Content of files or messages

             •   Search Warrant
Requests for Basic Subscriber Information


 •   This is the most common request web hosting companies will
     receive.
 •   The following information may be obtained through virtually
     any type of subpoena
          • name & address

          • local and long distance telephone connection records

          • telephone number or other account identifier

          • length & type of service provided

          • session times and duration

          • temporarily assigned network address (IP Address)

          • means and source of payment (cc# or bank acct)
Requests for Transactional Records –
2703(d) Order
•   Not content, not basic subscriber information -- everything in
    between
         • Email headers (if applicable)

         • Subscriber info not “basic subscriber information”

             • e.g., date of birth, social security number, etc
•   Articulable facts order
         • “specific and articulable facts showing that there are
           reasonable grounds to believe that [the requested records]
           are relevant and material to an ongoing criminal
           investigation”
         • lower standard than warrant, but higher than pen
           register/trap & trace
•   May include a directive to provider not to disclose to
    subscriber
Requests for Files or Contents of
Communications
•   Generally speaking, a warrant is required.
•   ECPA contains a number of sub-categories of
    information when dealing with the contents of files or
    communications, each of which requires a different
    process.
•   The courts disagree on how these sub-categories of
    information should be classified, leading to
    difficulties applying the law.
•   Some state laws treat all of these sub-categories of
    information the same, and apply a higher level of
    protection to all stored files and the contents of
    communications.
Voluntary Disclosure
•   Web hosting companies are prohibited from voluntarily disclosing
    any subscriber records or content to the government unless an
    exception applies.
•   Exceptions for the release of subscriber records (not content)
    include:
     •   Disclosure to anyone with the consent of the originator or
         addressee/intended recipient
     •   Disclosure to an addressee or intended recipient
     •   Disclosure to law enforcement if contents inadvertently obtained &
         pertain to commission of a crime
     •   Disclosure to a person employed or authorized or whose facilities are
         used to forward such communication (within the scope of their work)
     •   As necessary to protect the company’s rights and property
     •   To NCMEC in child pornography report
     •   Disclosure to the government if provider in good faith believes an
         emergency exists threatening death or serious physical injury
National Security Letters - § 2709
•   Permits government to compel disclosure of “subscriber
    information and toll billing records information, or electronic
    communication transactional records”
•   Government must certify in writing that records sought are
    relevant to an authorized investigation to protect against
    international terrorism or clandestine intelligence activities
•   Look carefully for nondisclosure requirements: National
    Security Letters often prohibit the recipient from
    disclosing the existence or content of the National Security
    Letter to anyone other than those to whom such disclosure is
    necessary to comply with the request, or an attorney to obtain
    legal advice or legal assistance with respect to the request.
Lawsuits for ECPA Violations
•   ECPA allows for a civil action for relief from improper
    disclosures
     •   “person aggrieved by any violation of this chapter in which the
         conduct constituting the violation is engaged in with a knowing
         or intentional state of mind may, in a civil action, recover from
         the person or entity, other than the United States, which
         engaged in that violation such relief as may be appropriate” 18
         U.S.C. § 2707(a)
•   ECPA contains two defenses against this liability in sections
    2703(e) and 2707(e), but they are not guaranteed to protect a
    web hosting company
FBI-CIRFU
(Computer Intrusion and Research Fusion Unit)

NCFTA
(National Cyber Forensics and Training Alliance)
Partnerships
Collaboration
[Diagram: NCFTA at the center, surrounded by Law Enforcement, Academia, SME’s, Financial, Merchants, Telcos/ISP’s and Pharmaceutical]
FBI Cyber Division: Threat Focus Process
1.   Define Problem
2.   Identify Subject Matter Expert (SME) Stakeholders
3.   Develop Threat Matrix
4.   Identify and Prioritize
5.   Initiate and Support Investigations
Basic BPH Model
[Diagram: Rogue BP Network at the center, surrounded by COLO 1, COLO 2 and COLO 3]
Perpetual BPH Complaint Cycle
[Cycle diagram with four stages:]
•   LE/Industry Sends Complaint To COLO
•   COLO Notifies Customer (BPH)
•   BPH Notifies and Protects Criminal Client
•   Criminal Client Continues to Break the Law
SSA Stephen E. Oakes
Federal Bureau of Investigation (FBI)
Cyber Initiative and Resource Fusion Unit Cyber Division (CIRFU)
Desk: 412-802-8000 x324
BB: 202-437-6555
Email: Stephen.Oakes@ic.fbi.gov

 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Dernier (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Strong Host Security Policies are Good Business

  • 1. Strong Host Security Policies are Good Business San Diego, August 8th (HostingCon) Alex de Joode Security Officer / LeaseWeb Stephen E. Oakes Sup. Special Agent / F.B.I. (CIRFU) Shane McGee Partner / SNR Denton
  • 3. A DigitalOne’s customer response • From the Instapaper blogpage: http://blog.instapaper.com/post/6830514157
  • 4. Summary • June 21st 2011, FBI raided a hosting facility in Reston, Va., used by DigitalOne, a dedicated hosting company • F.B.I. took 3 racks • F.B.I. was actively investigating the Lulz Security group and any affiliated hackers • DigitalOne the hoster stated: “The agents took entire server racks, perhaps because they mistakenly thought that “one enclosure is equal to one server.” • src: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/
  • 5. What can we learn ? • Downtime for innocent customers • Why ? • Trust / No Personal Relations ? • How can we solve this problem ? • F.B.I. perspective: • by Stephen E. Oakes, Supervisory Special Agent • Legal perspective: • by Shane McGee, partner SNR Denton • Host perspective: • by Alex de Joode, Security Officer LeaseWeb
  • 7. Good Host Security San Diego, August 8th (HostingCon 2011) Alex de Joode Security Officer, LeaseWeb
  • 8. Introduction • Alex de Joode • Security Officer • LeaseWeb (Global) • Abuse handling • Public & Regulatory Affairs • Legal Internet Affairs • Security
  • 9. LeaseWeb (Global) • LeaseWeb B.V. (as16265)(Netherlands) • LeaseWeb B.V. (as52146)(Belgium) • LeaseWeb GmbH (as28753)(Germany) • Leaseweb Inc. (as30366)(United States) (booth#645)
  • 10. LeaseWeb (some figures) • ~ 1% internet traffic generated (1Tbps=1000Gbps) • ~35.000 servers online (NL | BE | DE | US) • ~235 FTE
  • 11. F.B.I. & SNR Denton, summary • FBI wants to collaborate with Hosts • NCFTA – Cracking Down on Cyber Crime (http://www.ncfta.net) • SNR Denton: legal requirements to work with FBI/LEA if proper legal instrument is used • Hosts are prohibited from voluntarily disclosing any subscriber records or content to the government (unless an exception applies).
  • 12. How does LeaseWeb handle these issues ? • As a global company we have to deal with: Dutch, German and US Law Enforcement Agencies. • Dedicated Security Office • with qualified and experienced personnel so we can: • minimize these issues • and correctly handle serious situations when they do arise • Smart Hoster’s View • Brand Protection • Protect customers and corporate interests and resources
  • 13. Conclusion • With the proper protocols and operating procedures hosts can avoid DigitalOne-type issues and ensure a successful hosting situation for your customers and a profitable environment for you as a host.
  • 15. Thank you ! mailto: a.dejoode@leaseweb.com
  • 16. Subpoena Compliance and the Need for Cooperation with Law Enforcement • Responding to Subpoenas, Court Orders, Warrants, National Security Letters and More Shane M. McGee, Esq., CISSP Partner T +1 202 408 9216 shane.mcgee@snrdenton.com snrdenton.com
  • 17. ECPA: What Is It? • Originally enacted in 1986, as the first use of email and large-scale data processing began • Designed generally to protect the privacy of electronic records and communications stored with third parties. • Often referred to interchangeably as “SCA” (Stored Communications Act) or “ECPA” (Electronic Communications Privacy Act), though the SCA was an amendment to ECPA. • The SCA applies only to historical records, i.e., those available as of the date of the request.
  • 18. ECPA: What Does it Do? • Begins from assumption that, absent ECPA, service providers could freely disclose information about customers, and the government could compel disclosure of any record by issuing a subpoena • ECPA imposes limitations on this “default setting” • Limits the instances in which and the types of information that providers can voluntarily disclose • Defines the legal process the government must obtain to compel disclosure of certain information • Complicated statute that is difficult to apply • Archaic terminology • Strained application to newer subscriber services • Confusing distinctions between treatment of certain records • Inconsistent Court interpretations
  • 19. ECPA: How is it Structured? • Provides series of rules providing escalating privacy protection based on: • The type of information at issue • Who seeks the information (government or private entity) • Who holds the information (how the provider is characterized under the law) • The guiding principles • Content generally more protected than non-content • More limitations on voluntary disclosures to government, but the government has more tools to compel disclosure
  • 20. ECPA: Who Does it Cover? • Covered entities defined in ECPA are “Electronic Communications Services” (ECS) and “Remote Computing Services” (RCS) • ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications” • Example: the web-based email service offered by many web hosts • RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system” • “Provision to the public:” Anyone who wants to purchase hosting services can sign up (as opposed to private corporate email service) • Web hosting companies may be an ECS and/or RCS depending on the services being offered to that particular customer
  • 21. Three Categories of Information • The process the government is required to use depends on the type of information sought as follows: • Basic subscriber information: Subpoena • Transactional or other records: Court Order • Content of files or messages: Search Warrant
  • 22. Requests for Basic Subscriber Information • This is the most common request web hosting companies will receive. • The following information may be obtained through virtually any type of subpoena • name & address • local and long distance telephone connection records • telephone number or other account identifier • length & type of service provided • session times and duration • temporarily assigned network address (IP Address) • means and source of payment (cc# or bank acct)
  • 23. Requests for Transactional Records – 2703(d) Order • Not content, not basic subscriber information -- everything in between • Email headers (if applicable) • Subscriber info not “basic subscriber information” • e.g., date of birth, social security number, etc • Articulable facts order • “specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation” • lower standard than warrant, but higher than pen register/trap & trace • May include a directive to provider not to disclose to subscriber
  • 24. Requests for Files or Contents of Communications • Generally speaking, a warrant is required. • ECPA contains a number of sub-categories of information when dealing with the contents of files or communications, each of which requires a different process. • The courts disagree on how these sub-categories of information should be classified, leading to difficulties applying the law. • Some state laws treat all of these sub-categories of information the same, and apply a higher level of protection to all stored files and the contents of communications.
  • 25. Voluntary Disclosure • Web hosting companies are prohibited from voluntarily disclosing any subscriber records or content to the government unless an exception applies. • Exceptions for the release of subscriber records (not content) include: • Disclosure to anyone with the consent of the originator or addressee/intended recipient • Disclosure to an addressee or intended recipient • Disclosure to law enforcement if contents inadvertently obtained & pertain to commission of a crime • Disclosure to a person employed or authorized or whose facilities are used to forward such communication (within the scope of their work) • As necessary to protect the company’s rights and property • To NCMEC in child pornography report • Disclosure to the government if provider in good faith believes an emergency exists threatening death or serious physical injury
  • 26. National Security Letters - § 2709 • Permits government to compel disclosure of “subscriber information and toll billing records information, or electronic communication transactional records” • Government must certify in writing that records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities • Look carefully for a nondisclosure requirement: the nondisclosure requirements contained in National Security Letters often prohibit the recipient from disclosing the existence or content of the National Security Letter to anyone other than those to whom such disclosure is necessary to comply with the request, or an attorney consulted to obtain legal advice or legal assistance with respect to the request.
  • 27. Lawsuits for ECPA Violations • ECPA allows for a civil action for relief from improper disclosures • “person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate” 18 U.S.C. § 2707(a) • ECPA contains two defenses against this liability in sections 2703(e) and 2707(e), but they are not guaranteed to protect a web hosting company
  • 28. Subpoena Compliance and the Need for Cooperation with Law Enforcement • Responding to Subpoenas, Court Orders, Warrants, National Security Letters and More Shane M. McGee, Esq., CISSP Partner T +1 202 408 9216 shane.mcgee@snrdenton.com snrdenton.com
  • 30. FBI-CIRFU (Computer Intrusion and Research Fusion Unit) • NCFTA (National Cyber Forensics and Training Alliance)
  • 32. Collaboration (diagram labels): Law Enforcement, Academia, SMEs, Financial, NCFTA, Merchants, Telcos/ISPs, Pharmaceutical
  • 33. FBI Cyber Division: Threat Focus Process 1. Define Problem 2. Identify Subject Matter Expert (SME) Stakeholders 3. Develop Threat Matrix 4. Identify and Prioritize 5. Initiate and Support Investigations
  • 34. Basic BPH Model (diagram labels): COLO 1, COLO 2, COLO 3, Rogue BP Network
  • 35. Perpetual BPH Complaint Cycle (diagram) • LE/Industry Sends Complaint To COLO • COLO Notifies Customer (BPH) • BPH Notifies and Protects Criminal Client • Criminal Client Continues to Break the Law
  • 36. Basic BPH Model (diagram labels): COLO 1, COLO 2, COLO 3, Rogue BP Network
  • 37. SSA Stephen E. Oakes Federal Bureau of Investigation (FBI) Cyber Initiative and Resource Fusion Unit Cyber Division (CIRFU) Desk: 412-802-8000 x324 BB: 202-437-6555 Email: Stephen.Oakes@ic.fbi.gov