The recent headlines that Google is being threatened with a $100m lawsuit over nude celebrity photos on its Internet properties are a fascinating and timely insight into the liability challenges that cloud service providers are being forced to consider as part of their business model.
Although Google itself did not suffer a breach, it is a target for lawyers who are increasingly waking up to the opportunities in suing third parties (in this case cloud service providers) who may unknowingly be liable even though they are not responsible for a third-party data breach. These liability challenges will become a massive problem for all service providers, as the onus is on them to prove they have acted in a timely manner and in accordance with regulations.
It is not just data breaches that are the problem. As Google well knows, the latest EU regulations on data privacy and the right to be forgotten are a massive headache for service providers that host customer data.
How do they prove they acted in accordance with regulation? Indeed, how can anyone prove anything in a digital world where assertions rest entirely on trusting the people who make them? Think of transparency reports: a noble and worthwhile effort, but still based entirely on trusting the insiders who prepare them. Those insiders are no doubt working with the best intentions, but their work is only as good as the veracity of the datasets they are given access to.
The same challenge exists for cloud service providers who want to work with multinationals looking to outsource their infrastructure: how can they prove that data and processes are as claimed, that they comply with legislation, and that they have not been breached?
There is a huge gap between what service providers can offer today and what is needed before an enterprise CIO would seriously consider outsourcing mission-critical processes to a provider with whom they have no legal recourse when things go wrong, as they inevitably will.
The bottom line is that not a single service provider can answer the question: “Can you forensically prove what happened to my data, that you are compliant with data residency requirements, and identify who is liable in the event of a breach?” This lack of transparency, auditability and governance explains why only entry-level (as opposed to enterprise-wide) insurance coverage is available, and why cloud forensics is growing so fast.
At Guardtime we believe that the answer is not more certification, more auditing and more legislation; the answer is technology, specifically native forensics with KSI integrated directly into the fabric of the cloud to irrefutably prove what happened to data, and when. If you have any doubt that enterprise cloud is still in its infancy, consider that the state of the art today is still limited to a money-back guarantee for service availability, which is hopelessly inadequate.
Subrogation is the action taken by an insurance company to recover costs from other parties that may have been liable. In the physical world, if you are involved in an accident, the insurance company will register a notification of first loss and then engage a subrogation lawyer who will attempt to identify who might be liable for the accident.
In the physical world it is relatively easy to establish liability using photographs of the accident, witness statements and so on. None of this is possible in the digital world: a breach can go unnoticed for months if not years, and once a breach has been discovered, forensic investigators lack the tools to identify what happened with enough reliability for the evidence to hold up in court.
Mapping Subrogation to KSI Technology
There are many analogies for KSI, but for cloud computing and insurance think of it as a real-time witness to every event that happens in the cloud. Every individual event that involves the transport, storage or usage of data is recorded and stored in a sealed evidence bag in a forensics data store.
Afterwards it is possible to go back and prove what happened and when, independently of those operating the cloud. The evidence is portable, i.e. it can cross organizational boundaries, and it cannot be manipulated, either by insiders or by outsiders who wish to cause mayhem.
Native forensics with KSI gives a complete picture: mathematical certainty about what happened and when, making claims easier to assess, reducing claims expenses, and leading to better loss ratios with a smaller legal reserve.
There is a clear need for a KSI technology standard in the cloud, similar to the NACOSS (National Approval Council for Security Systems) standard for burglar alarms in the physical world: the basic minimum required to receive insurance cover. Policy wordings and contracts can then address this as warranties, and a clear process for claims settlement and closure can be put in place.
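The two properties just described, evidence that is sealed at the time the event happens and that an outside party can verify without trusting the operator, can be illustrated with a small hash-chained log whose rounds are committed to by a Merkle root handed to a publication channel. The code below is an added illustration written for this post; it is not Guardtime's code and not an implementation of KSI itself, only a stand-in for the general mechanism. The `EvidenceLog` class, the `published` set (playing the role of a widely witnessed publication), and the sample events are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(event: dict) -> bytes:
    # Deterministic encoding so the same event always hashes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(index: int, prev_hash: bytes, event: dict) -> bytes:
    # Each leaf binds its position and its predecessor, so deleting or
    # reordering earlier entries changes every later leaf.
    return _h(b"leaf" + index.to_bytes(8, "big") + prev_hash + canonical(event))


def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"node" + left + right)


def _pad(level: list) -> list:
    # Duplicate the last hash so every level pairs up.
    return level + [level[-1]] if len(level) % 2 else level


def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves: list, pos: int) -> list:
    """Sibling hashes from leaf to root, each tagged with whether it sits on the right."""
    path, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        path.append((level[pos ^ 1], pos % 2 == 0))
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        pos //= 2
    return path


def verify_path(leaf: bytes, path: list, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_on_right in path:
        h = _node(h, sibling) if sibling_on_right else _node(sibling, h)
    return h == root


@dataclass
class Entry:
    index: int
    prev_hash: bytes
    event: dict
    leaf: bytes


class EvidenceLog:
    """Constructed example: append-only hash chain whose rounds are sealed by a published root."""

    def __init__(self):
        self.entries = []
        self.rounds = []          # (first_index, last_index, root) per sealed round
        self.published = set()    # roots handed to an external, widely witnessed channel

    def record(self, event: dict) -> Entry:
        prev = self.entries[-1].leaf if self.entries else b"\x00" * 32
        idx = len(self.entries)
        entry = Entry(idx, prev, dict(event), leaf_hash(idx, prev, event))
        self.entries.append(entry)
        return entry

    def seal_round(self) -> bytes:
        first = self.rounds[-1][1] + 1 if self.rounds else 0
        leaves = [e.leaf for e in self.entries[first:]]
        if not leaves:
            raise ValueError("nothing to seal")
        root = merkle_root(leaves)
        self.rounds.append((first, len(self.entries) - 1, root))
        self.published.add(root)
        return root

    def evidence_for(self, index: int) -> dict:
        """Portable proof package for one entry; checkable without access to this log."""
        for first, last, root in self.rounds:
            if first <= index <= last:
                leaves = [e.leaf for e in self.entries[first:last + 1]]
                entry = self.entries[index]
                return {"index": entry.index, "prev_hash": entry.prev_hash,
                        "event": entry.event, "path": merkle_path(leaves, index - first),
                        "root": root}
        raise ValueError("entry not yet sealed")


def verify_evidence(package: dict, witnessed_roots: set) -> bool:
    """Independent check: recompute the leaf from the event itself, walk the path,
    and require the resulting root to be one the verifier obtained from publication."""
    leaf = leaf_hash(package["index"], package["prev_hash"], package["event"])
    return package["root"] in witnessed_roots and verify_path(leaf, package["path"], package["root"])


def demo() -> tuple:
    log = EvidenceLog()
    # Constructed sample events standing in for storage, read and transfer activity.
    for ev in [{"op": "store", "obj": "blob-17", "region": "eu-west"},
               {"op": "read", "obj": "blob-17", "actor": "svc-billing"},
               {"op": "transfer", "obj": "blob-17", "dst": "us-east"}]:
        log.record(ev)
    log.seal_round()
    witnessed = set(log.published)   # what an outside party holds from the publication channel
    honest = verify_evidence(log.evidence_for(2), witnessed)
    # An insider later rewrites the stored record to hide the transfer out of the region.
    log.entries[2].event["dst"] = "eu-west"
    tampered = verify_evidence(log.evidence_for(2), witnessed)
    return honest, tampered


if __name__ == "__main__":
    print(demo())  # → (True, False)
```

The verifier never consults the operator's database: it needs only the proof package and the roots it collected from the publication channel, which is what makes the evidence portable across organizational boundaries. Rewriting a stored event changes the recomputed leaf and breaks the path; recomputing the whole round after the fact produces a root nobody witnessed. Whether the published roots are themselves trustworthy depends on how widely they are witnessed, which is the role a publication scheme like KSI's plays and which this sketch only models with a set.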
You have a choice
We are offering a choice. You take the blue pill— you wake up in your bed and believe whatever you want to believe. You take the red pill— we will show you how deep the rabbit hole goes. Remember: all we are offering is the truth, nothing more.