Not everyone who talks about cloud computing seems to have grasped the basics but it is tough to assess the legal risks without a decent understanding. Lillian Pang aims to improve understanding of the cloud and the issues that arise from its use.
The new buzz word 'cloud' seems to have grown in significance over the last year but what does it all really mean? The cloud is a mechanism that allows you as the customer to capitalise on computing capacity on demand over the Internet. This has various advantages for businesses, primarily cost savings in areas such as storage, power consumption, ability to retrieve data anywhere at any time and perhaps most controversially the cost of employee overheads.
Now that the world seems to have woken up to cloud computing services, the issue of 'security' keeps arising and the question in everyone's mind is 'how safe is my data in the cloud'. Before businesses jump into deciding whether the cloud is for them, they need to understand what may constitute a cloud service. Fundamentally these comprise Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
- Software as a Service (SaaS) - applications designed for end-users and delivered over the web
- Platform as a Service (PaaS) - the set of tools and services designed to make coding and deploying applications quick and efficient
- Infrastructure as a Service (IaaS) - the hardware and software that powers it all, ie servers, storage, networks and operating systems.
In order to understand the legal issues that have emerged, one needs to understand the technical make-up of the cloud service. There are many forms of cloud services but, in its basic form, it comprises delivery of storage, filing, monitoring or database facilities of which the customer can take advantage. Beneath the self-service user interface that a customer has access to will lie a pool of computing resource (sometimes shared) that can be configured and scaled to meet the customer's demands. Cloud is billed on a utility basis; this 'pay as you go' model enables customers to control costs by paying only for what they actually use, and the service's metering allows the computing resource signed up for to be measured. The main benefit of a cloud service is that it allows for variable workloads, resiliency and redundancy, automation and security. For businesses considering whether the cloud is for them, here are a few points to consider before taking to the cloud:
Is the cloud for you?
The theme, 'the cloud is for everyone, but not necessarily for everything' is the premise on which some cloud providers base their service. (The phrase derives from 'You Want To Put My Database Where?' (Kepes, 2011).)
Some businesses will be better served by cloud services than others. There are differing types of cloud solutions, environments and services, ranging from database-related services and monitoring services to cloud file services, provided within a private, public or hybrid cloud environment. In simplistic terms, private cloud is where infrastructure is dedicated to, and operated purely for, an individual customer. Public cloud is a multi-tenanted service (ie there is more than one customer sharing a pool of computing resource) where a customer will share an infrastructure with other customers but separation of data is maintained by partitioning. Hybrid cloud, as its name suggests, is a combination of private cloud and public cloud.
Some businesses may be cautious about compatibility of software and their ability to port existing databases to cloud providers. If this requires costly changes to deal with software compatibility issues, customers will be reluctant to move. More and more IT providers are beginning to simplify their contracts to enable customers to move with ease and more cloud providers offer a range of flexible services that often allows the customer to have full control of their cloud accounts.
For companies needing expandable storage and demands that fluctuate with peaks and troughs, cloud computing presents a cost saving service. Here are two examples of different types of companies that have taken to the cloud for differing reasons.
Example 1 - Domino's
Domino's is recognised as one of the world's leading pizza delivery companies.
Domino's signed up to cloud services, specifically hybrid hosting to enable it to take advantage of its differing needs at different points in the month. Domino's cloud hosted applications include parts of the public-facing ecommerce site.
Like most pizza delivery businesses, Domino's is clearly one in which the demands of consumers peak in specified periods such as the build-up to the weekend. It is not hard to deduce when their busy periods are and therefore where the economies of scale are realised.
Domino's receives 70% of its overall web site traffic on two days of the week and, to cope with the peak of traffic that this results in, Domino's has its public-facing menu hosted on cloud servers. This enables it to add new cloud servers to cope with demand, and to scale the solution back when no longer required. As soon as customers click on the check-out button, the hybrid solution detects that the type of traffic being transmitted to the web site has changed to secure web traffic and directs this traffic to dedicated servers that have been certified as PCI compliant. Customers are then able to enter their credit card and personal information securely.
Example 2 – Outbound Maps
Online retailer Outbound Maps have an e-commerce store with over 4,500 products available to their customers. Prior to moving to the cloud, their web servers were struggling to cope with the customer demand during busy periods.
Working with a third-party payment provider, Outbound Maps did not need to worry about storing personal data, so were able to take advantage of a full public cloud environment. Outbound Maps were able to scale the services up and down without incurring any contractual penalties due to the public cloud environment. This enables Outbound Maps to enjoy the economies of scale that a shared, public cloud environment offers.
What sort of data will be stored?
The type of data one would store using cloud services could range from databases containing customer personal data, marketing data to financial or other confidential or non-confidential data. The question ultimately is whether the cloud is the right forum for hosting such data. The cloud enables data to be stored on different servers and/or in different locations, thereby maximising the use of otherwise redundant space on a server. For some businesses, eg those in healthcare, the sensitivity of the data held by the business could mean that it does not want data stored outside of a particular territory (eg the UK), let alone in multiple jurisdictions outside of the EEA. Public cloud providers do not give customers the option of which location their services will be provided from. This choice only exists in private cloud environments. In such instances, public cloud services may not necessarily be the best option for a healthcare business. The issue of compliance with various types of international legislation and regulatory requirements, including the FSA, PCI, HIPAA, GAAP, SOX and IFRS, may prove quite complex for certain businesses. Each business must review its compliance requirements and determine whether the cloud provider meets such requirements. This may ultimately mean that in some instances only part of an application may be moved to the cloud.
Service providers will generally offer a range of security services to enable the customer to protect their data. It is important to note that the security of customers' data is a joint effort on both the supplier side and the customer side. This is discussed in further detail in the sections below as security is pertinent to several aspects of the service.
Data protection and security are two different things
Which party is responsible for the customer's data in the cloud?
As with all types of data, the contract with the service provider will identify which party is the data controller (normally the customer) and the data processor (normally the service provider). The responsibilities of the data processor should be set out clearly in the agreement and should spell out any additional obligations for the processing of data required from the service provider. The customer should also seek to perform at least annual audits on the service provider's facilities to ensure that it has in place the necessary technical and organisational measures required to facilitate the provision of the services in a responsible manner. The elements of risk for loss of data from the data processor's perspective are different to those of the data controller.
The risks for the data processor include employee negligence in deletion of data, performing failed backups or not performing backups. This is where the data processor should have in place operational risk mitigations to minimise risks and (as a minimum) ensure that its staff have been provided with data protection and security training.
The risks for the data controller include uploading data and not purchasing the regularity of backup service required, relying on the service provider to back up data when this may not necessarily be the service provider's responsibility, not knowing what the actual service comprises, or not enabling software security and therefore exposing themselves to unnecessary risks from hackers.
Who is responsible for the security of your cloud service?
Cloud services can be provisioned at different levels including Infrastructure as a service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) and, depending on the type of service selected, the responsibilities of the parties differ.
Cloud providers tend to provide a higher level of security than organisations would be able to provide for themselves and this makes it attractive for some organisations to consider a move to the cloud.
The physical security of the data centre is clearly the responsibility of the cloud provider or the organisation it partners with that owns the physical data centre. The security of the servers residing in the data centre is split between the customer and the cloud provider. The cloud provider will be responsible for the host machine operating system and the customer will be responsible for the virtual machines run on the host machines. The host machines will have administrator controls in place with the minimum number of user controls, in addition to intrusion detection systems plus passwords etc. Network security is the responsibility of the cloud provider.
The cloud provider will normally be responsible for the infrastructure layer of the platform and the customer would be responsible for the application layer. The application layer is where the majority of security breaches occur. In view of this, customers are often advised to take up various forms of security to protect their data. Security measures for customers to consider include a software firewall, anti-virus software, encryption software and strong passwords - to name but a few.
Overall the responsibility for customer data is a joint effort between the service provider and the customer, though it should be noted that the customer generally tends to have full control of its account to effect such security as it desires. In essence the service provider is often seen merely as an extension of the customer's IT functions. It is clear that, although the responsibilities may differ, both parties bear some weight in protecting the customer's data.
The cross border data concern
If a service provider is a multi-national business then invariably 'data' may be transferred, processed, stored, transmitted or even accessed overseas, be it in the form of providing 24/7 support services, or in the provision of network traffic monitoring services or the like. This is where it helps to be mindful of where the data has the potential to 'travel'.
The cross border transfer of data outside the EEA has been the cause for many an article for lawyers, and now even more so with the renewed vigour of the EU Commission and the proposed draft Data Protection Regulation. Despite the excitement about what is to come, the landscape has changed somewhat as legal principles continue to be pushed by the ever-developing cloud technology and the fact that your data can be hosted from any jurisdiction whether inside the EEA or elsewhere.
Natural questions are whether a customer can retrieve data at will, and whether law enforcement agencies have any right to access the data. This in itself is the subject for another article, but it is worth noting that, regardless of the location in which data is hosted, the cloud provider is obliged to comply with the applicable laws of the countries in which it operates and provides services. Some service providers in the public cloud environment are beginning to allow customers the choice of where their data should be hosted. Although at an early stage, this is another evolution that is inevitable with cloud services. When hosting in the public cloud environment, customers will, in the not too distant future, be able to choose if they want their data to remain within the EU, even if at additional cost.
Regardless of location, the main consideration for customers is to know what kind of technical and organisational measures a cloud provider has in place to protect and safeguard data; whether such measures are actually implemented by the cloud provider; and whether the cloud provider's employees are trained in ensuring confidentiality and safeguarding customer data. All this is nothing new except that, when your data could be anywhere in the cloud, you want to know that your cloud provider has all their t's crossed and the i's dotted.
What happens to my data when I want to leave?
One of the main concerns for businesses is the issue of being locked into a contract with a particular cloud service provider. This is a concern that is relevant to private cloud only as public cloud is more of a utility-based service where the customer is free to leave whenever it wants. Another concern for businesses is whether changing suppliers requires a change of solution to match a new supplier's platform. Suppliers are more and more conscious of the need for integration and are enabling customer choice by standardising the products used in the provision of cloud services or using compatible software.
In the event that the customer wants to terminate its relationship with its cloud provider, the cloud provider generally offers a few options to allow customers to either take their data or have their data deleted. Some cloud providers will provide customers with a copy of their data on termination or expiration of a contract on a digital media at cost.
The cloud provider will assist the customer with the deletion of the data stored on the system, but it is more important to ensure that the cloud provider has the capability to completely purge the data from its systems so that it is unrecoverable. There are various forms of data destruction including drive wiping, DOD-3 standard and destruction of the drive but note that these are rarely possible in a public cloud environment because data is stored on shared hardware. In a private cloud environment, data may be purged in the following ways by your provider:
Drive wiping - allows the private cloud provider to efficiently delete data from large numbers of hard drives.
DOD-3 - this US Department of Defense standard ensures a more thorough erasure of data but may be charged as an additional service to the customer. This type of erasure ensures that the hard drive is completely wiped and then overwritten with random data.
Destruction of the hard drive - this is normally performed by a third party who will destroy the hard drives in a secure manner, usually at the customer's expense. A machine will bore a hole in the hard drive, breaking the disk plate. The third party will normally produce a certificate and sometimes a photo of the destroyed drive and a serial number as proof of destruction. This process ensures that the hard drive can never be re-used.
Regardless of the data wiping technique employed, the customer should incorporate an audit process to validate that the drive has been wiped in accordance with the standard requested.
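One way to carry out the audit step just described, as an added example that is not part of the original article or of any provider's tooling: the script below reads a raw image of the wiped drive in fixed-size chunks and checks it against the standard that was requested, either a plain zero wipe or the final random-overwrite pass of the DOD-3 style erasure described above. The chunk size, the entropy threshold and the sample images are assumptions constructed for the example.

```python
import math
import random
from collections import Counter

CHUNK = 4096  # audit granularity in bytes (assumed: one filesystem block)


def chunk_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 when every byte is identical,
    approaching 8.0 for data that has been overwritten with random bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def audit_wipe(image: bytes, pattern: str, chunk_size: int = CHUNK):
    """Check a raw drive image against the requested wipe standard.

    pattern "zero"   : plain drive wipe, every byte must read back as 0x00.
    pattern "random" : random-overwrite pass, every chunk must look random.
    Returns (passed, findings); findings lists (offset, reason) for each chunk
    that still carries recognisable structure, ie possibly recoverable data.
    """
    if pattern not in ("zero", "random"):
        raise ValueError(f"unknown wipe pattern: {pattern}")
    findings = []
    for offset in range(0, len(image), chunk_size):
        chunk = image[offset:offset + chunk_size]
        if pattern == "zero":
            if any(chunk):  # any non-zero byte means the wipe did not cover this chunk
                findings.append((offset, "non-zero bytes remain"))
        else:
            # A short tail chunk cannot reach 8 bits/byte, so scale the bar to its size.
            ceiling = min(8.0, math.log2(len(chunk)))
            ent = chunk_entropy(chunk)
            if ent < ceiling - 1.0:
                findings.append((offset, f"entropy {ent:.2f} bits/byte, expected ~{ceiling:.1f}"))
    return not findings, findings


# Constructed sample images (no real customer data): three-chunk drives where
# the second chunk still holds a leftover record after an incomplete wipe.
LEFTOVER = b"customer_id=1042;card_last4=4242;postcode=SW1A 1AA\n"
CLEAN_ZERO_WIPE = bytes(3 * CHUNK)
INCOMPLETE_ZERO_WIPE = bytes(CHUNK) + LEFTOVER.ljust(CHUNK, b"\x00") + bytes(CHUNK)
_rng = random.Random(7)  # fixed seed so the sample is reproducible
CLEAN_RANDOM_WIPE = _rng.randbytes(3 * CHUNK)
INCOMPLETE_RANDOM_WIPE = (CLEAN_RANDOM_WIPE[:CHUNK] + LEFTOVER.ljust(CHUNK, b"\x00")
                          + CLEAN_RANDOM_WIPE[2 * CHUNK:])

if __name__ == "__main__":
    for name, img, pat in [("zero/clean", CLEAN_ZERO_WIPE, "zero"),
                           ("zero/incomplete", INCOMPLETE_ZERO_WIPE, "zero"),
                           ("random/clean", CLEAN_RANDOM_WIPE, "random"),
                           ("random/incomplete", INCOMPLETE_RANDOM_WIPE, "random")]:
        ok, findings = audit_wipe(img, pat)
        print(f"{name}: {'PASS' if ok else 'FAIL'} {findings}")
```

A failing chunk offset tells the customer exactly which region of the drive to raise with the provider, which is the evidence an audit report needs rather than a bare pass/fail.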
Exit and migration – how does this affect my data?
There are various types of exit/migration services offered by cloud providers. A customer can simply request its data on digital media or could opt for a complete transition of services to a new service provider where its data is transferred across to the new service provider's platform on a 'full bells and whistles' basis. Despite these options, customers may find that cloud providers offer quite simplistic exit terms. This is due largely to the fact that customers have user control of their cloud accounts and can therefore choose what they want to do with their data and whether they wish to make a copy of such data or require the cloud provider to make such copies.
Control of and access to the customer account on exit is a significant point. Customers should ensure that they retain access to their hosted data (including any backed-up data) for the period and to the extent required to enable them to migrate their data back in-house or to a replacement provider.
A final word
As technology continues to evolve and legislation fights a losing battle in trying to keep up, a pragmatic approach and a fundamental understanding of cloud services are key to negotiating a sound contract.
Lillian Pang is Senior Legal Counsel at Rackspace Ltd, the open cloud company: http://www.rackspace.co.uk/enterprise/