Editor's Note: Missed the first installment of the article? Click here for Part I. Major risks of cloud computing
So what are the risks involved in cloud computing? These risks fall under four categories: (1) vendor lock-in risks, (2) operational risks, (3) regulatory/governance issues and (4) investigative/litigation issues. Vendor Lock-in Risks: Some critics, such as Richard Stallman, have called cloud computing "a trap aimed at forcing more people to buy into locked, proprietary systems that will cost them more and more over time." The fear is that once the cloud vendors have users hooked on cloud computing, they will price gouge them, in much the same manner that some think the telephone companies do. As proof, they point at the major class action suit that was once recently won against Verizon for systematically overcharging customers for Internet access fees and other costs. The phone company could overcharge its customers because they were captive to a subscription plan that was complex in its rate structure, and so it was easy to hide or misrepresent certain cost items. Likewise, cloud critics warn that once customers are bound to a certain application, platform or operating system, they are under the control of the cloud vendor — and also at its mercy.
Operational Risks: Operational risks are a product of the fact that a cloud is located offsite and its structure is largely under the control of the vendor. Within this context, security is a big issue. What if your cloud vendor gets hacked? In the event of a security breach, what kind of investigative support will the vendor provide? What do you do if the Internet crashes? How is that risk allocated by contract? Obviously, no cloud vendor can offer a 100% guarantee; the most trusted and reliable vendor can still fail. Thus, for security, it is a good idea to replicate data and application availability at multiple sites.
Along these lines, an airtight backup and data restoration plan is mandatory for disaster recovery. At present, however, there are no benchmark standards for service levels. Accordingly, it is always wise to contract with the cloud vendor to escrow data or application code in order to help cover potential damages in the event of a disaster. For that matter, it never hurts to be in a position to exert leverage over a cloud vendor. For instance, with respect to data retention issues, there are any number of legal and tax reasons that may require an organization to retain data longer than a cloud vendor is prepared to.
Regulatory/Governance Issues: As it is with much new technology, our legal system has not yet caught up with cloud computing to the point where the law can effectively govern it. There are some regions, such as the European Union, that have stringent rules about moving certain types of data across borders, but cloud computing is not yet specifically regulated. Nonetheless, there is an abundance of regulatory rule sets that mandate compliance that cloud computing could fall short of achieving. The following list of legislative acts and regulations is not exhaustive:
Other problematic areas include video rental records, cable company customer records and National Security Letters. Regarding the latter, a cloud may be subjected to warranted (or in some case, warrantless) searches by police. The customer may not know of the investigation because the vendor is the party that holds the key to cloud access by third parties. Investigative/Litigation Issues — Third-Party Access: Clearly, it is critical for a cloud computing customer to understand (and in some instances, negotiate) the legal issues surrounding third-party access to a cloud. Take subpoenas, for example. As implied above, the user may not even know about them if the vendor gets the subpoena. The same would go for government administrative searches and national security investigations. Events involving search warrants can lead to possible seizures of data.
In the area of e-discovery, cloud user data must be well organized so as to minimize cost while facilitating efficient data search and retrieval. If a user either refuses to comply with the e-discovery process or for some reason simply cannot find the requested data, substantial fines can be levied by the courts. The federal government actually fined one noted mutual funds company $300 million for failing to comply with a request for several hundred thousand email messages during the course of an SEC investigation! So, in order to avoid committing regulatory infractions, the customer must have a clear understanding of what its cloud provider will do in response to legal requests for information. They must know how document holds are enforced, how metadata is protected and how information can be optimally searched for and retrieved.
The Nixon Peabody cloud checklist
Since the legal issues are perhaps the most important of all for customers to consider when making the decision to buy into a cloud computing system, this article concludes with a checklist of the major issues to consider when acquiring a cloud for organizational use. Such a list is found in a publication by the law firm of Nixon Peabody, entitled "Legal Issues Associated with Cloud Computing," by Laura Mills, ©2009 by Nixon Peabody LLP, and is reprinted below: - Evaluate the financial viability of the cloud
provider. - Thoroughly understand the cloud provider's
information security management systems. - Plan for bankruptcy or unexpected termination of
the relationship and orderly return of/disposal of data/applications. - Vendor will want the right to dispose of your
data if you don't pay. - Contract should include agreement as to desired
service level and ability to monitor it. - Negotiate restrictions on secondary uses of data
and who at the vendor has access to sensitive data. - Negotiate roles for response to e-discovery
requests. - Ensure that you have ability to audit on demand what
regulatory and business needs require. - Companies subject to information security
standards, such as ISO 27001, must pass to subcontractors the same obligation. - Make sure that cloud provider policies and
processes for data retention and destruction are acceptable. - Provide for regular backup and recovery tests.
- Consider data portability application lock-in
concerns. - Understand roles and notification
responsibilities in event of a security breach. - Data encryption is very good for security but
potentially risky; make sure you understand it. Will you still be able to de-crypt data years later? - Understand and negotiate where your data will be
stored and what law controls jurisdiction and possible restrictions on cross-border transfers. - Be prepared for third-party access issues.
- Consider legal and practical liability for force
majeure events. (Must be part of disaster recovery and business continuity plan.) - There is no substitute for careful due
diligence.
So, is cloud computing the new paradigm for document management? The answer is a definitive "Yes," but be careful what you wish for. ARTHUR GINGRANDE [ arthur@imergeconsult.com], ICP, is co-founder and partner of IMERGE Consulting, a document-centric management consulting firm. Mr. Gingrande holds a Juris Doctor degree from the Massachusetts School of Law.
|