By: Ken van Sweeden, MD, Liability Matters
Cloud computing is a recent development in the IT world and is regarded by many as the best option for offering an organisation exceptional flexibility and financial benefits. This includes lowering the entry point to accessing high performance computing for organisations that historically never had the budget or operational expertise to acquire such computing power.
It gives many organisations a more efficient and cost effective IT service delivery which changes the way they use technology to service their customers, partners and suppliers.
As a result, there are many good reasons why organisations might want to migrate to cloud computing. However, cloud computing services are not without risk. Consideration must be given to governance, audit, legal, service delivery and business continuity.
Traditional computing models enable a high degree of control over computing resources. Cloud computing by its nature does not allow the consumer the same level of influence over their computing resources. The lack of control over computing resources means that the following issues must be considered before deciding to make use of a cloud-based platform.
One of the benefits to cloud computing is the financial saving resulting from sharing a significant amount of infrastructure between consumers which allows for a lower barrier to entry. Economies of scale advantages are derived from a service management and computing resources perspective. However, this can also lead to challenges regarding system availability. Due to the sharing of the resource, one user within the cloud can adversely affect the performance or availability of other consumers.
Requirements regarding the protection of personally identifiable information are increasing all the time and place the onus on the holder of the data to ensure it stored in a secure environment where no unauthorised access can be gained. If the actual cloud server is in a country other than the consumer’s own country and suffers a breach, what are the rights of recourse open to the consumer? Which country’s legislation will take precedence? South African consumers must consider the multi-jurisdictional challenges of a cloud-based platform against the requirements of POPIA.
Although multitenancy offers cloud consumers extremely low prices, security and compliance needs must still be taken into account. Multitenancy can cause challenges in obtaining audit logs due to the audit logs possibly containing other tenant information which may or may not have been cleansed before release. In circumstances where specific audit logging requirements need to be met, the consumer should establish what the provider is capable of providing.
Many cloud providers guarantee a specific level of performance based on the service purchased, but the main challenge for customers is their recourse available to them in the event of degraded performance. Enforcing service level agreements from a service provider based in another country could be problematic.
Probably the main challenge of a cloud-based platform is that the highest level of access to the system, supervisory access, is maintained by the cloud provider. This can be a critical consideration for cloud consumers particularly if it involves the storage of highly regulated, confidential, proprietary or other information which is appropriate for a limit audience.
The risks to cloud environments are similar to traditionally hosted and outsourced IT systems. Legal agreements are a critical component in managing cloud risk.
Agreements common to cloud computing scenarios often address the following issues:
- The necessity to understand where data is going to reside and what legal protections must be addressed at this residence is all part of data protection, especially the privacy and retention conditions. Examine what data protections are being promised and what the risks will be to availability and integrity of data.
- Confidentiality is a significant issue when moving data and applications to the cloud. Agreements should address confidentiality, what protections or controls are made against inadvertent release of confidential information and how classification of data will be supported managed accordingly.
- Intellectual property becomes an issue when customer code, data, files and other forms of business data are stored or processed by a cloud provider. Protections should be stated and risks assumed.
- Professional negligence protections must be addressed. Customers must assess risks and possible mitigations that range from insurance to code protection. It would advantageous to engage the services of a broker or insurer who specialise in cyber insurance products for guidance in this regard.
- Outsourcing services and changes in control of the cloud provider infrastructure can occur without the client being aware. Agreements must make certain that any change of control is brought to the attention of the client.
The fact of the matter is that business relies on IT. When an IT process incorporates capabilities derived from the cloud, not only are systemic IT risks introduced, but business risks are also introduced. Be aware that the cloud computing environment is a change to the business service model and not all risks can be mitigated. If a risk leads to the failure of the business, reputational damage and litigation will be the result.
The cost benefit of paying for computing utility must always be considered in conjunction with the need to balance IT risk and business risk.