Editor's Note: Missed the first installment of the article? Click here for Part I.
Major risks of cloud computing
So what are the risks involved in
cloud computing? These risks fall under four categories: (1) vendor lock-in
risks, (2) operational risks, (3) regulatory/governance issues and
(4) investigative/litigation issues.
Vendor Lock-in Risks: Some critics, such as Richard Stallman, have called cloud
computing "a trap aimed at forcing more people to buy into locked, proprietary
systems that will cost them more and more over time." The fear is that once the
cloud vendors have users hooked on cloud computing, they will price gouge them,
in much the same manner that some think the telephone companies do. As proof,
they point at the major class action suit that was recently won against
Verizon for systematically overcharging customers for Internet access fees and
other costs. The phone company
could overcharge its customers because they were captive to a subscription plan
that was complex in its rate structure, and so it was easy to hide or
misrepresent certain cost items. Likewise, cloud critics warn that once
customers are bound to a certain application, platform or operating system, they
are under the control of the cloud
vendor — and also at its mercy.
Operational Risks: Operational risks are a product of
the fact that a cloud is located offsite and its structure is largely under the
control of the vendor. Within this context, security is a big issue. What if
your cloud vendor gets hacked? In the event of a security breach, what kind of
investigative support will the vendor provide? What do you do if the Internet
crashes? How is that risk allocated by contract? Obviously, no cloud vendor can
offer a 100% guarantee; the most trusted and reliable vendor can still fail.
Thus, for security, it is a good idea to replicate data and application
availability at multiple sites.
Along these lines, an airtight backup and data restoration
plan is mandatory for disaster recovery. At present, however, there are no
benchmark standards for service levels. Accordingly, it is always wise to contract
with the cloud vendor to escrow data or application code in order to help cover
potential damages in the event of a disaster. For that matter, it never hurts
to be in a position to exert leverage over a cloud vendor. For instance, with
respect to data retention issues, there are any number of legal and tax reasons
that may require an organization to retain data longer than a cloud vendor is
prepared to.
Regulatory/Governance Issues: As it is with much new technology, our legal
system has not yet caught up with cloud computing to the point where the law
can effectively govern it. There are some regions, such as the European Union, that
have stringent rules about moving certain types of data across borders, but cloud
computing is not yet specifically regulated. Nonetheless, there is an abundance
of regulatory rule sets that mandate compliance that cloud computing could fall
short of achieving. The following list of legislative acts and regulations is
not exhaustive:
- Patriot Act/UK Regulation of Investigatory Powers Act
- Stored Communications Act (part of ECPA)
- ITARS, EARS, other export or trade can be stored and who can store it
- Sarbanes-Oxley puts CEOs in jail
- HIPAA (health-related information)
- GLB (financial services industry)
- FTC and state privacy laws
- Fair Credit Reporting Act
- Violence Against Women Act
- Privacy Act (for federal agencies)
Other problematic areas include video rental
records, cable company customer records and National Security Letters.
Regarding the latter, a cloud may be subjected to warranted (or in some cases,
warrantless) searches by police. The customer may not know of the investigation
because the vendor is the party that holds the key to cloud access by third
parties.
Investigative/Litigation Issues — Third-Party Access: Clearly, it is critical for a cloud computing customer to
understand (and in some instances, negotiate) the legal issues surrounding
third-party access to a cloud. Take
subpoenas, for example. As implied above, the user may not even know about them
if the vendor gets the subpoena. The same would go for government
administrative searches and national security investigations. Events involving search warrants can
lead to possible seizures of data.
In the area of e-discovery, cloud user data must be
well organized so as to minimize cost while facilitating efficient data search
and retrieval. If a user either refuses to comply with the e-discovery process
or for some reason simply cannot find the requested data, substantial fines can
be levied by the courts. The federal government actually fined one noted mutual
funds company $300 million for failing to comply with a request for several
hundred thousand email messages during the course of an SEC investigation! So, in order to avoid committing regulatory
infractions, the customer must have a clear understanding of what its cloud
provider will do in response to legal requests for information. They must know
how document holds are enforced, how metadata is protected and how information
can be optimally searched for and retrieved.
The Nixon Peabody cloud checklist
Since the legal issues are perhaps the most important of all
for customers to consider when making the decision to buy into a cloud
computing system, this article concludes with a checklist of the major issues
to consider when acquiring a cloud for organizational use. Such a list is found
in a publication by the law firm of Nixon Peabody, entitled
"Legal Issues Associated with Cloud Computing," by Laura
Mills, ©2009 by Nixon Peabody LLP, and is reprinted below:
- Evaluate the financial viability of the cloud provider.
- Thoroughly understand the cloud provider's information security management systems.
- Plan for bankruptcy or unexpected termination of the relationship and orderly return of/disposal of data/applications.
- Vendor will want the right to dispose of your data if you don't pay.
- Contract should include agreement as to desired service level and ability to monitor it.
- Negotiate restrictions on secondary uses of data and who at the vendor has access to sensitive data.
- Negotiate roles for response to e-discovery requests.
- Ensure that you have ability to audit on demand what regulatory and business needs require.
- Companies subject to information security standards, such as ISO 27001, must pass to subcontractors the same obligation.
- Make sure that cloud provider policies and processes for data retention and destruction are acceptable.
- Provide for regular backup and recovery tests.
- Consider data portability application lock-in concerns.
- Understand roles and notification responsibilities in event of a security breach.
- Data encryption is very good for security but potentially risky; make sure you understand it. Will you still be able to de-crypt data years later?
- Understand and negotiate where your data will be stored and what law controls jurisdiction and possible restrictions on cross-border transfers.
- Be prepared for third-party access issues.
- Consider legal and practical liability for force majeure events. (Must be part of disaster recovery and business continuity plan.)
- There is no substitute for careful due diligence.
So, is cloud computing the new paradigm for document
management? The answer is a definitive "Yes," but be careful what you wish for.
ARTHUR GINGRANDE [ arthur@imergeconsult.com], ICP, is co-founder and partner of IMERGE Consulting, a document-centric management consulting firm. Mr. Gingrande holds a Juris Doctor degree from the Massachusetts School of Law.