There were two parts to this discussion. The first: How does cloud computing influence information security and how should we embrace it regionally? Part two addressed the role of law enforcement in fighting cybercrime. Among the panellists were Edwin Moindi from PriceWaterhouseCoopers, Paul Roy from Microsoft, Lucy Munga from Barclays Africa and Collins Ojiambo from Kenya Airways.
The session began with a presentation from Edwin Moindi. This addressed the important steps to be considered before adopting cloud computing. Cloud computing is driven by consumerism (the availability of devices, mobile phones, PCs has led to a great demand for information), collaboraton and being able to access computing resources everywhere. Applications have evolved from LAN-based to cloud based services. With the advent of the cloud, computing promises to become a utility service. This is already the case with SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).
To choose a suitable cloud service, the organization needs to assess its requirements. Reviewing the certifications and regulations that address data integrity is key to developing a cloud migration strategy. The organization’s data also needs to be classified in order to identify which data is to be pushed to the cloud. Before presenting the cloud as a solution, you should ensure that it is going to be a cheaper and more efficient service than what the organization already uses. How much effciency does the cloud bring? What risks does it bring? How do you reduce those risks? Once the organization has assessed its needs then it has a choice between different services: PaaS, IaaS and SaaS. At the deployment stage there are also different choices: public, private and hybrid.
The organization however needs to develop a security model before moving to the cloud. This includes assessing the physical components (location, computer), compliance and audit directives. It is essential that you assume a no-trust policy before you entrust your data to the cloud services provider. The provider should be able to prove to you that they can protect your information. This should include the matrices, compliance and certifications that indicate the level of data protection. When adopting the cloud services, first deploy less critical information. As the market matures, you can re-examine the level of adoption and decide on better options for the organization.
In moving data to the cloud, most people resort to complacency since there is the belief that responsibility shifts from you to the provider. But according to the objectives concerning external practice in the ISO 27002 certification, your controls shouldn’t reduce as a result of moving data to an external service. The organization should be aware of differences in legal frameworks between countries. Cloud services tend to be in a different jurisdiction from that of the organization. The limitations faced by the organization as a result of this fact should be assessed. This way the organization can serve their customers without making impractical promises. In the AWS service for example, Amazon only takes care of the environmental and physical security, everything else becomes the consumer’s responsibility including the operating system and application security.
Part of the organization’s risk management should include risks dealing with fibre cuts as this forms the backbone of cloud services. Don’t assume that the cloud will be available 24/7, there should be some form of backup such that critical business services are not affected by outages. Every requirement should be provided for in the SLA (Service Level Agreement), including the right to audit clause and data protection. The contract should also take into account the differences in legal framework between countries. The SLA should therefore be the basis of dispute resolution between vendor and customer. This is because most courts refer cases that involve technical evidence (like IT operations data) to alternative arbitration which can prove to be rather expensive.
Role of Law Enforcement in fighting Cybercrime
The advantage of cybercrime is anonimity. In most cases, the victim will never know who is to be prosecuted. The Communications Commission of Kenya (CCK) has taken some steps in reducing this risk by ensuring that mobile phone users are registered. It is therefore easier to trace the origin of criminal activities perpetuated using mobile phones. Over the years, the capacity of the Kenya Police to handle cybercrime has been gradually increased. A cybercrime unit trained by the FBI has been instituted into the force. According to Collins Ojiambo, there needs to be an independent team that handles cyber-security issues. Currently, this is handled by the CCK which is also responsible for postal services and the availability of telecommunication services. Mr. Ojiambo says that for the government to develop an effective cyber-security strategy, there must be collaboration from industry players.
Cyber attacks are conceived and master-minded by ordinary criminals who recruit people skilled in IT operations. There are few cases where they are not actually driven by the technical guys. These criminals have the ability to commit resources needed for sophisticated cyber threats such as APT’s (Advanced Persistent Threats). APT’s are well organized attacks carried out by specialized teams. These attacks have very specific targets ranging from individuals to huge corporations. Other types of cyber-attacks include cyber bullying and impersonation. But the question arises, can you prosecute cybercrimes committed in a different jurisdiction.
Information security mainly involves privacy and confidentiality of data. Some ways of reducing risks posed to confidentiality are creating personal trust and operating under ethical business practices. When hiring, the organization should make an effort to know their employees values and ensure that their members will maintain the confidentiality of the organization’s information.
Although the data protection bill in Kenya is making headway, it may not be passed into law until the election period is over. However, there’s a chapter in the Kenyan law that criminilazes disclosing passwords, says Mr. Ojiambo. The penalty can be upto 200,000 shillings. Hacking is also criminalized in the penal code. For anything to be labelled a crime, it has to be defined in the penal code. “The most common form of electronic record is a document,” says Mr. Ojiambo “Anywhere on the penal code where there is a document, the words “or electronic” can be added making most of bringing in half the population with you.”