It seems to be an almost biannual occurrence, people arc up and talk about cloud security, specifically data security/protection. It even got attention at this year’s Cisco Live in Melbourne. The last time I had a rant about this in “Cloud computing protection – Is this the place for Law?” I looked at malpractice laws for misuse or mishandling of data but not the bigger picture:
- Data sovereignty;
- Government mandate on export of data (EU as an example);
- Compliance and regulatory;
- housing in politically unstable regions;
- Data Destruction; and
- Damage and/or destruction.
The above are by no means exhaustive, these are just the ones that I’ve got kicking about in my head at present. 12-18 month ago I had a great chat with a lawyer who was taking a keen interest in this area and at the time was as confused as I on some of the ramifications (he put out a paper as well, when I can find it I’ll link to it here). For getting it out of my head sake I thought I’d put it here for good measure; as it has been sitting in my drafts for about that long.
Data Sovereignty – In a nutshell, this is the issue where what laws come into play based on the location of the data. This is a nebulous area and one that I think most in the law profession are still coming to grips with. Even here in Australia we have a crazy scary amount of laws, depending upon the information type (personal, financial, health, etc) not to mention international laws. This need to be taken into account when looking at what it is you place in the cloud.
Government mandate on export of data – I was thinking of the EU’s law specifically here, where the personal information (combined & interpreted data) cannot be exchanged with non-EU countries unless they have equivalent or better security standards (adequate level of data protection). What does this mean for a providers infrastructure residing in the EU destruction, or for someone in the EU trying to use a cloud service. There is a good blog article it including some examples and explanations. here. Another issue could be that the local/federal government may dictate that data is not to be off-shored. Are you sure that the provider is going to provide you with the ability to ensure that? Including backups?
Compliance and regulatory – This is the same old piece that every monkey trots out. Most of the control requirements are subjective, as in it is up to the auditor’s discretion on whether or not the control is adequate or not (unless it is extremely specific). Most of these are box ticking exercises. If there is a smart control mechanism that will meet your businesses security requirements, and you have clearly documented your rationale so you can call it a compensating measure.
Housing in politically unstable regions – Comes back to knowing what country your data resides in. If by chance it happens in a country where the local government has no qualms in walking in and taking ownership of the entire facility (or a subset there of), including your data, what happens then? What happens if that can be used to replicate your business model, take your customers, etc? Similarly, what about when government or law enforcement requests that data be disclosed, does the provider comply with the request or resist?
Data Destruction – When you decide to move platforms, services, providers, etc, will the provider destroy your data sufficiently so that it isn’t recoverable?
Damage and/or Destruction – What happens to you/your business when data is accidentally or maliciously damaged or destroyed. What happens to your reputation? What are your liabilities? This I covered off briefly in the above mentioned post, “Cloud computing protection – Is this the place for Law?“.
Depending on he size of your business and the service you are going for your ability to negotiate the SLAs will vary greatly. At the end of it, you will still have to look at all of these generic risks as well as the specific risks associated with your business and decide accordingly (through risk assessment). As with most of these, there are compensating measures that can be put in place to mitigate or reduce the affects.
At the end of the day, like any traditional outsourced relationship you don’t want to rely on a service credit against a breached SLA when your business is impacted. I’m not trying to take an alarmist approach, I prefer to see this as a more pragmatic one.
Just my $0.02 worth.