Join the cloud? Certainly, but do your due diligence first
Cloud computing provides easy, scalable access to IT resources and services – it’s also much cheaper than building your own IT infrastructure – but before you sign up to ‘join the cloud’, Zoe Chan, Programme Director, HKU SPACE, suggests some of the issues you need to consider to avoid a hard landing.
Cloud computing provides convenient, on-demand access to IT resources. Networks, servers, and storage and application services can be rapidly provisioned with minimal management effort or service provider interaction.
A cloud can be private or public. A private cloud is typically a proprietary network or a data centre set up by a single, large-scale organisation to supply hosted services to a limited number of people. In the public cloud scenario, a service provider sells services to anyone on the internet; Amazon Web Services, for example, is the largest public cloud provider in terms of market share.
There are also various permutations of ‘hybrid’ clouds where the cloud infrastructure is a composition of two or more clouds (private, community or public). When a service provider uses public cloud resources to create a private cloud, the result is called a ‘virtual private cloud’.
Cloud computing can significantly reduce companies’ IT costs, but despite the cost and operational advantages of these services, compliance professionals need to seriously assess the risks outlined below before opting to ‘join the cloud’.
Computer-related crime (especially cybercrime) continues to increase around the globe. The 2011 Norton Cybercrime Report estimates that the global cost associated with cybercrime is in excess of US$388 billion, and that 69% of all adults in the world will experience cybercrime during their lifetime. Digitisation, data sharing and the increase in the availability of and access to digital technologies have all provided new opportunities for criminal activity and increased compliance and IT risks for corporations.
Cloud computing poses additional challenges here. Corporate users should be mindful of information security when using cloud computing. Compliance professionals not only have to consider the widening scope and scale of computer-related crime, but they must also combat the growing threat of anti-digital forensics. Many new tools and techniques have been developed to undermine or frustrate digital forensics investigations and the law enforcement process.
Once in a cloud, computer data can be stored anywhere in the world. This scenario may pose compliance problems if the data is stored in jurisdictions with a poor regulatory framework. Generally speaking, there is no single local or international law which governs cloud computing.
Corporations should consider the location of their service provider since there are complex jurisdictional issues involved in hosting cloud services. Storage of personal data in the cloud in practice means that it is on a server owned by the service provider. The cloud allows most computing activity to go on at remote servers instead of on your personal computer or on a server owned by an individual company. No one is certain of all the legal risks associated with enterprises storing personal data and confidential or proprietary information in the cloud.
A patchwork of conflicting laws and regulations threatens to undercut the full promise of the global cloud computing market. Many European countries have a legal system which is a combination of different legal principles, for example English Law and Roman Dutch law. All these laws were promulgated to apply in a society where all transactions were ‘offline’. Therefore many of these laws remain untested in terms of the novel situations which have arisen as a result of the development of information and communication technologies.
The only international treaty on cybercrime is the Convention on Cybercrime issued by the Council of Europe in 2001. The Convention on Cybercrime is applicable to European Union (EU) member countries as well as to four non-European signatory countries, namely the US, South Africa, Japan and Canada.
Electronic data physically hosted in the EU is controlled under EU regulations. These regulations can be extended beyond EU territory through ‘safe harbour’ arrangements and tailor-made service agreements. However, data can still be subject to ‘local’ regulations. Examples include the US Patriot Act, which was established to protect the US from acts of terrorism following the 9/11 attacks in 2001. In essence, this allows the US government to obtain any information stored on US territory (including those in ‘safe harbours’) or any other jurisdiction when managed by a US-headquartered organisation.
To capture the full economic potential of the cloud, governments need to better harmonise their policies to facilitate the flow of data across borders globally.
Compliance professionals should also consider the issue of data privacy. Hong Kong’s data privacy rights could be at risk where personal information is stored in the cloud. There is currently no comprehensive law to control the storage of personal data abroad where a service provider stores personal data in the cloud. Too little attention has been paid to this issue in Hong Kong and regulators should be monitoring the scale and implications of cloud computing in Hong Kong.
There is also the issue of compliance with overseas privacy and information security laws. There has been increased legislation and regulation in this newly developing area: the UK, for example, has brought in the Data Protection Act; the Privacy and Electronic Communications Regulations; the Official Secrets Act; and the ACPO & Computer Misuse Act.
Companies should also consider the need to preserve evidence stored ‘in the cloud’ and weigh e-discovery issues and costs in their due diligence, contract negotiations, back-up and archival routines, and performance monitoring in case of possible litigation.
The legal process to gain access to data held in a public cloud computing system (especially in a different jurisdiction) can be complex. What legal jurisdictional power and justification does local law enforcement have where the data physically exists on a foreign server outside Hong Kong? Different jurisdictions have different policies on data access in overseas investigations.
Moreover, there may be technical difficulties in accessing this data. Unless your cloud computing applications provide an audit trail, it may be difficult to extract digital evidence in an admissible form. Digital evidence is more ethereal and dynamic in a cloud environment. If an application is accessed via a cloud computing system, for example, data traditionally written to the operating system (for example registry entries or temporary internet files) will reside or be stored within the virtual environment and so be lost when the user exits.
It may also be difficult to establish a chain of custody for the data and identify the sources of potential digital evidence particularly if the data is stored and managed outside your local jurisdiction. This can cause delays in retrieving data as evidence in investigations. Certain data may be encrypted and, where the cloud hosts many tenants, there may be ‘synchronisation’ problems since it is hard to segregate the relevant data in the logs. A forensic investigation should not impact upon other cloud service users who are not the target of the investigation.
Get it in writing
Many of the compliance risks outlined above can be mitigated via contractual agreements with your service provider. There is a growing consensus about what companies should ask of cloud vendors in order to maintain a secure IT environment and avoid the potential legal risks associated with it. Service agreements should be explicit, for example, in terms of access to data and metadata that may be required to prove chain of custody and ownership of data. For US corporations, the Federal Rules of Civil Procedure are a good starting point for compliance guidance. Although the contracts may not protect you from legal repercussions in the event of a policy breach (for example moving European customer data through an unapproved cloud), you should at least be protected contractually from certain types of economic loss.
For IT risk mitigation and compliance purposes, the cloud computing service provider should provide assurances through a ‘terms of service’ or ‘privacy’ policy that all data stored with the provider will be kept confidential, and not used for any purposes other than serving the end user. The service provider should guarantee that:
- no personally identifiable information will be released to third parties unless required by law
- cloud-based servers will be physically secure under lock and key with controlled access
- account data will only be accessed with the specific authorisation of the account-holder to resolve a customer issue
- all data stored with the service provider is the sole property of the customer with access to e-data, and
- technology standards for cloud computing service providers are in place.
Finally, companies would be well advised to phase in their reliance on cloud computing services, for example migrating non-core data and documents to the cloud first. This will allow them to assess the service and determine if it is cost effective and, most importantly, whether the service risks core business functions. For example, companies may decide to place back-office information – such as payroll and employee training data – in the cloud, before sending privileged and confidential client information.
Zoe Chan So Yuen, Programme Director
The author can be contacted by email: Zoechan123@yahoo.com
SIDEBAR: Weighing the benefits and risks of cloud computing
Benefits
- cost effective – reduces IT capital expenditure and maintenance costs, you pay only for what you use
- scalable – you can expand and contract your IT resources as and when needed
Risks
- cybercrime – it is important to monitor the data security measures of your service provider
- service provider risks – what happens, for example, if your service provider goes into bankruptcy?
- jurisdictional risks – conflicts of laws – data ownership and retention problems (data is stored on a server owned by the service provider) – data privacy, for example, risk of breaches of local data privacy laws where data confidentiality is breached and there are restrictions on international transfers of personal data
- e-discovery – e-discovery can become very time consuming and expensive, particularly where data is held outside your home jurisdiction