Obligations for cloud services providers
Kim Walker addresses some common questions about cloud security that IT suppliers and customers should consider
Cloud computing is growing in popularity, for its promise of low-cost connectivity coupled with the rapid, flexible outsourcing of IT. However, security and privacy continue to be issues of concern.
Customers need to be encouraged to think of cloud computing as a utility, just like the electricity and water supply. There may be occasional outages, but customers should see that a qualified supplier that deals with service delivery can offer considerable benefits.
Cloud computing is a collaborative service, so suppliers and customers should share the responsibility. This allows a business to assess which of its processes and data might be migrated to cloud, without having to commit everything at once.
Businesses can obtain contracts and service-level agreements for cloud services quickly and easily, but there are some things customers should understand when it comes to security and privacy issues. Obviously, read the small print carefully.
I would also stick to established procurement processes with cloud contracts, rather than bypassing them, intentionally or unintentionally.
BYOD must be considered. If customer employees are using their own devices at work, this can blur the boundaries between workplaces and home as well as push data to the cloud. Check where you stand on this important issue.
Service-level agreements do not always address security concerns about data, but compliance is essential. Consider the data protection regulations relevant to the type of application being outsourced, and the extent to which security can be controlled or influenced by the business.
The customer may want various questions answered, such as who is responsible for security. What standard of security is required? Where is the data located, and who has access to unencrypted data? What auditing arrangements are in place? Security breaches may require monitoring, and users kept informed.
Customers are naturally reluctant to trust resellers with vital data assets, especially when the provider is based outside the EU or UK, or simply has servers overseas. But large IT services providers may invest in tier-one hosting centres that offer more than any do-it-yourself data security can, at every turn.
This means the cloud may well be a safer option for many small to medium-sized enterprises. There is less risk that company laptops will be left on a train if employees can access business information from a device at home.
Personal data is subject to data protection laws, whether that data is hosted in the cloud or not. The Data Protection Act 1998 obliges data controllers and processors to take certain measures in the collection, processing and transfer of personal data - data that can identify a living individual. These strictures apply also to cloud services providers, which must ensure that the appropriate security measures are applied to personal data.
For example, if data may be transferred outside the EU, the controller might have to do further due diligence. Processing agreements - and model clauses of this type are available from the EU - are essential when dealing with data transfer.
The EU recognises a number of countries, however, in which security arrangements are considered adequate. This includes the US, where providers may comply with the so-called “safe harbour” rules. It is still important to find out whether there will be any onward transfers and, in particular, who controls the critical infrastructure of datacentres and the location of this activity.
These data issues are being scrutinised at EU level by the Article 29 Working Party, and in the UK via the Information Commissioner’s Office. The European Commission wants to see model cloud service contracts introduced by the end of 2013. This will help benchmark practice.
The “new” risks that cloud introduces concern law enforcement abroad - in the location of the customer, the provider and the datacentres - and how the law might apply in a dispute. Cloud services providers should also be able to say what happens if they go bust, and explain how the customer could move the data if needed, and how to eliminate data duplication at the provider level.
Kim Walker is head of commercial and a partner at Thomas Eggar