Tuesday, April 17, 2012

The legal side of the cloud


Cloud computing is said to be a game-changing revolution in IT. Depending on your definition of cloud computing, this can indeed be true. Without any doubt, any form of cloud computing empowers people (and companies) to start something new at a very low cost. If you had to start an IT project a couple of years ago, you were in most cases in need of hardware to develop and run your solution on. If you were trying to start a new business, you needed at least some investment in hardware to get your startup going. In both cases it would mean a huge upfront investment. With cloud computing, and namely with cloud hosting, you can now order a number of servers for a relatively low cost with only your credit card. You do not need to buy your own hardware, install it, maintain it and host it. It will simply be done by one of the cloud hosting vendors.

This means that if, for example, you are developing some reporting solutions on a departmental level, you no longer have to go to your IT department; you can simply order one or more servers from a cloud vendor, develop what you need and start using it. This sounds like a promising move and like a way to start a lot of innovative new projects.

I personally do love the idea that you can start a project that easily and that you can order servers that easily without the need for a large upfront investment. I also believe it will help startup companies to really get started, and it will help businesses to move away from the sometimes difficult IT domain and help them focus on their day-to-day business. So in general I am a big fan of cloud computing; however, there is also another side to the story.

When dealing with data you always have to keep in mind the security of your data. If you would like to create an analysis tool for your stock levels, you can put it on a server in the cloud and do your computations there. A couple of things to keep in mind are: how valuable is your data, can you run your business if it is down, how secure is the connection to the cloud, and how secure is the solution you will deploy on this cloud server? These are things that are often overlooked. Big cloud vendors like Amazon are not very keen on providing you with an SLA, which means that if they are down, they are down. So you have to think about what will happen if the service is not available. You also have to consider how valuable this data is and whether it could leak to the outside world. And one point that is very often overlooked is how secure the connection is that you use to upload the data to the cloud and to retrieve the computational results.

In the case of stock levels this is not even that hard; however, as soon as you start talking about customer data, you have to consider that this is even more confidential. In some countries there are laws that state that you have to protect this data and that you are bound by certain rules and regulations for security. And to take it a step further, in some cases the law will state that you cannot put it in the cloud that easily.

Most cloud vendors are currently located within the US and are therefore under US law. This means that the US government can demand access to your data without you even knowing it by making use of the Patriot Act. The Patriot Act is on a collision course with some other laws which might apply in the country where your company is located. If you are, for example, located in Europe, you will have to take the Data Protection Act into consideration. If you have data that has to comply with the Data Protection Act, you cannot make use of systems, and cloud solutions, that fall under US law. Most companies think they do not have to comply with the Data Protection Act in Europe; however, you have to comply quite quickly if you have some private data of customers and citizens in your system. When dealing with government data you almost always have to comply with this.

More and more countries are realizing that data placed in the cloud is subject to the Patriot Act when it is physically within the US, or when it is hosted by a company outside the US whose highest legal entity is a US-based company. In the Patriot Act it is clearly stated that the US government can gain access to this data without informing the owner of the data. To protect vital parts of the infrastructure and to ensure the security and privacy of their citizens, countries are now introducing laws to prevent data from moving outside the EU or even outside the country. Some Scandinavian countries have already stated that government data cannot be placed on servers based in the United States, and recently a political flame war has erupted between the United States and Australia.

"The United States' global trade representative has strongly criticized a perceived preference on the part of large Australian organizations for hosting their data on-shore in Australia, claiming it created a significant trade barrier for U.S. technology firms. A number of U.S. companies had expressed concerns that various departments in the Australian Government, namely the Department of Defence had been sending negative messages about cloud providers based outside the country, implying that 'hosting data overseas, including in the United States, by definition entails greater risk and unduly exposes consumers to their data being scrutinized by foreign governments.' Recently, Acting Victorian Privacy Commissioner Anthony Bendall highlighted some of the privacy concerns with cloud computing, particularly in its use by the local government. He said the main problems were the lack of control over stored data and privacy, in overseas cloud service providers."
You can read more on the current way of thinking in Australia at delimiter.com.au.

In my opinion it is good that companies and politicians are thinking about what the cloud can mean for the security of citizens, the privacy of citizens and even the security of countries themselves. Cloud can be a good thing, it is a good thing, and it will help innovation; however, when using a cloud vendor it is good to take some security and privacy points into consideration and not simply deploy your application wherever you like for the lowest price.


For a first impression of the current situation in the world and where your data is the most secure, you can check the Forrester website. Forrester launched an interactive website where you can obtain more information.