Cloud computing offers huge benefits in flexibility, storage capacity and processing power.
A 2018 cloud computing survey from IDG found that 73 per cent of enterprises already have at least one cloud-based application, with a further 17 per cent planning to have one within the next 12 months. But using the cloud may not be the right solution for every business.
How to manage risk
If your business uses an external server network (owned by yourself or third parties) rather than local servers to store and access data and applications, then you’re operating in the cloud.
Highly sensitive or business-critical data may not be suitable for public cloud services, while private cloud services can be costly. Many businesses – particularly those in regulated sectors – opt for hybrid solutions, running some systems in the cloud and others locally.
If you want to move business-critical data into the cloud, contractual protection and (factual) diligence are equally important. The different terms and deployment models offered by cloud providers should cautiously be reviewed, compared and negotiated.
Key considerations for cloud users
Territorial laws can be incompatible with cloud, where data often doesn’t respect borders.
There’s no cloud-specific regulation in the UK for example, but that doesn’t mean the cloud isn’t regulated: basically all laws may apply, even those of several jurisdictions.
Of particular relevance are contract, consumer, (data) privacy and intellectual property law, as well as cyber security and sector-specific regulations.
Issues to consider
Locating your data
Some public cloud providers operate hundreds of data centres around the world so you need to decide what level of transparency regarding location, administration and data protection you require and whether you need to keep your data in specified jurisdictions.
European data protection law, for example, imposes strict requirements on data transfers outside the EU and some countries are considering measures that would require their citizens’ data to remain inside their borders. In response, cloud providers are increasingly offering EU-only data centre options.
It’s worth remembering that governments may seek to access your data – and your users’ data – on servers in their jurisdictions (and indeed sometimes beyond those borders). Cloud users are also responsible for compliance with export control restrictions in some jurisdictions.
Controlling your data
If you entrust your data to third-party providers, you’ll continue to bear much of the legal and regulatory risk associated with it – and may be liable if the provider suffers a data breach or cyber attack.
In these circumstances you’ll need a provider that lets you stay in control of your data. If you can’t get the guarantees or contractual protection that you need, you might opt to develop your own cloud infrastructure.
Some US federal courts have taken the view that data in an organisation’s cloud is in its possession, custody or control regardless of where the data centres are located – and must be produced under a US subpoena.
These rulings are under appeal but they highlight the risk that data in the cloud could be exposed to foreign search warrants, subpoenas and discovery requests in connection with criminal investigations and civil litigation.
Conflict between a foreign data request and local data protection law can put you in an impossible compliance position and undermine your customers’ trust if their data is targeted.
Securing your data
Your provider could be an attractive target for cyber criminals, particularly if it handles valuable data for multiple customers.
Cases have also shown that the troves of data held by public cloud providers have been tempting targets for intelligence agencies’ snooping. Private clouds are not immune either: the telecommunications networks connecting your users to the cloud – particularly if they’re unencrypted – could also be vulnerable.
Despite this, cloud-based systems may be more resilient than internal IT environments and often have the scale to weather distributed denial-of-service attacks and spikes in traffic volumes.
Consolidating your infrastructure in a private cloud can also make it easier to keep your systems patched and security measures up-to-date.
Accessing your data
Most cloud contracts do not include the technical connection between client and cloud but leave it to a third party carriers – who are mainly internet service providers. Such contracts need to be synchronised. You should also ensure you’re able to move from one cloud provider to another to prevent any kind of vendor lock-in. The more complex the cloud services, the more subcontractors are likely to be involved. You need to ensure that those subcontractors are chosen carefully and meet at least the same standards as the cloud provider.
Key issues in cloud contracts
|Consider the following when you’re comparing cloud contracts (or if your provider is willing to negotiate):|
|Contractual obligations – Make sure that the contract contains explicit regulations on the cloud services you ordered, including clearly defined measuring points, reference values and inspection windows to secure performance and availability.|
|Liability – It’s market practice for cloud contracts to exclude indirect losses. It’s also standard to cap direct liability; the size of the cap will usually depend on how much you’re paying. It is essential to identify worst-case scenarios beforehand and ensure that they are sufficiently moderated by the cloud contract. Furthermore, the consequences of breaching the different contractual obligations should be clearly determined.|
|Security – Consider how the provider will protect your data. For more sensitive information the provider should at least comply with best industry standards, eg those from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Is there a plan in place to recover data after a security breach or system failure? Remember, security is not just about external threats: make sure you understand the provider’s security policies for its own employees, including access controls.|
|Disaster recovery, backups and archiving – Your contract should cover these issues, but remember that a contract is never a substitute for adequate insurance and putting appropriate independent backup processes in place.|
|Intellectual property rights (IPRs) – You’ll want to retain any IPRs or other rights you have in your data. If your systems use any third-party features or services like social networks, you’ll also need to consider their terms. And don’t forget aggregate data: cloud providers often use and claim ownership of aggregated data collected from customers. If you’re happy for the provider to do this, make sure your data is fully anonymised.|
|Term – Most cloud contracts are more like subscription agreements than traditional IT outsourcing deals, so expect a shorter term. This might be to your advantage if the price of cloud services falls as expected, but makes it even more important that you remain capable of changing your cloud provider.|
|Termination – If you can agree a clause that allows you to terminate your agreement for the sake of convenience, make sure the contract explains what happens to your data. Cloud providers, particularly those that provide Software as a Service, will simply return it. They’re unlikely to help you move to a new provider if this is not explicitly agreed in the cloud contract.|
|Applicable law and jurisdiction – One major benefit of clouds is that they can connect servers from all over the world to offer high-capacity services. This means many national laws and jurisdictions might apply. This should be modified contractually; it might even be sensible to agree upon alternative dispute resolution methods from the outset.|