Assessing cloud risks, legally

By Eden Estopace | Dec 1, 2011

The march to the cloud seems unstoppable. With most analyst firms forecasting mass adoption in a few years' time, enterprises are starting their journeys to the cloud. The one big barrier standing in the way is the collective fear for data security, which in recent months has been fueled by high-profile breaches involving big-name providers.

Yet the cloud is here to stay, said Per Dahlberg, CEO, Asia Cloud Computing Association, Hong Kong, at the recently concluded Asia Cloud Conference held in Manila. "IT is a big cost. So, investing in IT in the way we have been investing doesn't make sense anymore. This (cloud computing) is driving the change even in governments. They are looking at it because they need to be competitive and need to stay competitive," he said.

The fears, though valid, need not cloud the many advantages of the new computing platform, according to experts.

"In cloud computing there are upsides and downsides. But that's where everything is going. The downsides are the risks you see out there. So we need to understand those risks and assess our organizations and service providers and be able to manage those risks," said Thomas Shaw, Attorney at Law, CloudRisk Asia, Japan.

Shaw, who is the author of two books on cloud computing and conducts cloud risk workshops across Asia, stressed that a risk-aware approach helps private and public sector organizations move forward with their cloud strategies.

Understanding the risks:
Before a company decides which workloads or applications are appropriate to put on the cloud, he said, it is important to know and understand the universal risks associated with cloud computing. No company migrates everything to the cloud in one step, and even in a step-by-step approach there are many factors to consider.

Assessing the risks:
This involves assessing the company's readiness for the cloud service and remediating the gaps found in the organization's own capabilities. However, one must also look externally and evaluate the service provider against the same criteria.

Managing the risks:
Negotiating the service agreements with the provider should include terms for the corporate processes, including issues of variance, response and replication, support processes, and incident response processes, to name a few.

"Many of the challenges of this delivery model," said Dahlberg, "are less about technology but a lot about business and trust issues. It is the change that we need to go through to build a secure environment."

Complications of the cloud

In the cloud, Shaw said, the service provider could be based in New Zealand, the client in the Philippines, the client's data processed in Thailand or Vietnam, while the data itself resides in the UK or Canada.

"Once you put your data in the cloud, by definition you have gone global," he said. "From a legal point of view, whose laws now apply? Your data is moving around the world. Either your CSP is moving the data or you are the one moving it if you are a multinational corporation. Think of the customers you have, you have an obligation to protect their information."

In Asia alone, he said, there are around 9 information security statutes. In the Philippines, the House of Representatives has passed the Data Privacy Act, which is now pending in the Senate. Every country has a law that allows the government to investigate corporate data in one way or another.

Beyond the issue of data sovereignty is the bigger question of data protection.

"Does your cloud service provider have a risk management program? At least 3 types of controls should stand out: encryption (for data in transit, in use and in storage), isolation (What happens when something goes wrong? How do you separate your data from someone else's?), and identity access management (Who can access the file?)," he explained.

"It is equally important to know how data is created, classified, retained, backed up and deleted over its lifecycle," he added. "And in the event of an incident, what are the roles of the CSP and your organization? Do you notify the government, the police or the affected users, and who does it? What are the limitations on liability and indemnity? Is everything expressly stated in the agreement? How about the subcontractors? Are they bound by the same agreements?"

No universal standards, yet

While there is no international standard yet governing the use of cloud computing, cloud service providers do comply with regulations of international bodies such as the ISO, IEEE, ITSI, ITU-T and NIST, to name only a few.

Shaw stressed the need to ask which of these standards or regulations are being implemented by the cloud service provider. Does it allow audits or provide audit reports (from international bodies), meet compliance obligations, and conduct penetration and other vulnerability tests?

Finally, there is the question of how easy it will be to switch providers.

"We recognize that between enterprise users and service providers there is a gap in trust. As an enterprise user, to put your sensitive data where it can be accessed quickly and kept secure, SLAs have been discussed, but there is still a mismatch because different parties have talked about different performance criteria," Dahlberg said.

He disclosed that the Asia Cloud Computing Association is releasing a framework that would help businesses cope with the questions and uncertainties of the cloud. It will include information that could help parties arrive at mutually beneficial SLAs, notably the regulations and limitations in different parts of Asia that affect businesses as both consumers and users of the cloud.

"To lower barriers to adoption, we need to foster good practices. We need to be innovative or have some thought leadership in the industry and build trust so we can recommend best practices. We want to engage governments to have a discussion throughout Asia about doing re-alignments and harmonization, because every country will set up its own organization laws," he said.

"I am trying to encourage the government here (Philippines) to protect data and pass the data privacy law. The local industry wants it, the global industry wants it," he added.

PHOTO: Thomas Shaw, Attorney at Law, CloudRisk Asia, Japan

Comments

I already have seen business cards designers that have switched to cloud computing. For some companies, switching to the cloud means cutting a lot of costs and making more profit. Of course there are risks, but please tell me where you can find a risk free environment.

We already have a data center in San Diego which deals with companies that need cloud computing services. Cloud networking is becoming the next step towards global and better networking. Companies will need to invest in this kind of technology.
