Key Legal Challenges of an Enterprise Cloud Model
For those businesses interested in cloud computing, this note attempts to provide a high-level definition of it, outlines some of its benefits, and then presents the most significant risks and legal issues that should be considered.
Although cloud computing has become one of the hottest topics within the IT world over the past few years, a consensus on how it should be defined still eludes the industry. A key reason for this is that so many interested parties use the term to encompass different IT functions. Despite this, many businesses - service providers and customers alike - are investing in or at least investigating cloud computing, even at this early stage in its development.
What is cloud computing?
Most experts agree that cloud computing is not a new technology, but a new way of supplying IT resources via the internet. As a computing model, it can be seen as an evolutionary step on from the Application Service Provider (ASP) model, having come about through the confluence of a number of trends in the market. These include the increasing reliance of businesses on IT systems; the associated movement towards outsourcing IT functions to harness greater computing power while reducing costs; advances in storage and networking technology; the move to distributed data storage models for potential business continuity benefits; and the increased availability of high-speed broadband for businesses.
Analysts at Gartner define cloud computing as a style of computing in which massively scalable IT-related capabilities are provided 'as a service' using internet technologies to multiple external customers. The 'cloud' can refer to public, community or private networks, or a hybrid of two or more types of cloud. The term cloud computing is often used to refer to different service models; e.g. infrastructure as a service (IaaS), where the supplier provides virtualised networks, storage and systems software; platform as a service (PaaS), i.e. virtualised servers; software as a service (SaaS), where software applications are run through a web browser; and database as a service (DaaS).
Benefits of cloud computing
Common characteristics of cloud computing services are often highlighted as important benefits in themselves. For example, their agility, flexibility and scalability can allow businesses to access them readily and increase or decrease requirements on demand, improving efficiency of resource utilisation (with associated environmental benefits).
The potential cost savings from using cloud computing services can be compelling, especially for SMEs. Resource pooling allows smaller businesses to benefit from economies of scale by enabling access to enterprise-level IT resources at a fraction of the cost that would otherwise be incurred in acquiring such resources. Additionally, services are often paid for on a subscription basis, reducing and sometimes eliminating the need for upfront capital expenditure, long-term software licensing costs and ongoing maintenance and upgrade costs that can be involved in traditional IT solutions. Importantly, this can reduce business start-up costs.
Risks and legal issues
Along with the benefits, however, there are a number of risks and legal issues associated with cloud computing. While these will vary depending on the type of cloud service and the deployment model, those discussed below will need to be considered for most, if not all, cloud computing models. Surveys show that many businesses are already aware of at least some of these risks, which include security breaches and service outages, and are wary about utilising cloud computing because of them. This is understandable: when things go wrong in the cloud, there may be major adverse effects for the customers of the cloud service including the potential for litigation and damage to reputation. Yet these risks need not be insurmountable hurdles for some businesses, nor outweigh the potential benefits of using cloud computing.
Key to a successful cloud computing project is the careful consideration of the relevant risks in the early stages of planning - rather than as an afterthought - and the development of sound risk management strategies. As the cloud computing standards in the industry are currently immature, businesses should also undertake due diligence of cloud computing providers to evaluate the practical and legal risks of moving to a particular cloud or clouds. Input from lawyers from the outset can help businesses with their selection process, as well as help them to identify legal risks and address them – where possible – in negotiations with the provider and implement appropriate risk mitigation strategies.
Security is often cited by businesses as a chief impediment to moving to cloud computing. Data in the cloud can be exposed to risks of unauthorised disclosure as a result of security breaches, particularly where the data is unencrypted. Breaches could have major negative repercussions on a cloud customer’s business, especially where data in the cloud contains confidential information, intellectual property or personal data, or where the cloud computing service is business critical or customer facing. Such consequences include negative publicity and costly third party claims such as breach of contract or breach of confidence.
These security concerns have led to the Common Assurance Metric (CAM) initiative, backed by the European Network and Information Security Agency and cloud providers such as eBay and Microsoft. Its aim is to create a set of standards that measure the security of cloud computing services objectively, and the outline of the CAM is expected to be ready by the end of 2010. Until any such standards are in place, though, cloud customers will need to seek assurance from providers that they have implemented and maintain adequate security practices to mitigate risks to customers. Meanwhile, market forces may help: given that customers can choose between a number of different cloud providers, there may be some incentive for providers to guarantee, as a market differentiator, the integrity and resilience of their cloud solutions.
In any case, cloud computing customers will need to ensure that security is a top priority from the start and due diligence is conducted before selecting and contracting with a cloud provider. Questions to consider during this process include:
- how data is stored by the cloud provider (e.g. whether it is co-mingled with other customer data);
- whether the provider can offer assurances that any personal data will only be processed in accordance with the customer’s instructions (e.g. that it will be deleted on request);
- whether encryption is used / permitted;
- whether the provider has any relevant industry accreditations, such as ISO/IEC 27001:2005;
- what the provider’s current security measures are and whether it maintains a security plan;
- how the provider monitors and reports security breaches;
- how the provider responds to breaches and aims to prevent future breaches; and
- whether the customer has access to any security audit reports or other evidence of the provider’s security track record.
If a cloud provider does not offer a customer the security assurances it seeks, the customer will need to (a) accept some risk and implement appropriate risk mitigation strategies; (b) look for another provider; or (c) consider whether the particular cloud computing service is appropriate for its intended use. Ultimately, for some types of data and in certain sectors (such as the financial or health sectors), customers may decide that – at the moment – the risks of cloud computing outweigh its potential benefits.
As consumers increasingly expect content any time and any place, and as businesses continue to look for flexibility and cost reduction, cloud based solutions will become part of the new normal.
Until the law keeps pace with emerging technologies, the challenge will be to use the existing legal framework to support their adoption.