While info-security and data privacy issues still top the concerns list of most cloud-adopting organizations, they should look beyond the mere maintenance of appropriate controls. This is especially true for organizations with operations worldwide, when it is more about complying with the info-security and privacy laws in each country. According to Asia-based Attorney at Law Thomas Shaw, the use of cloud may also implicate statutes and regulations, where an organization's data is transparently moved ("data mobility") by cloud service providers.
In an interview with Asia Cloud Forum, Attorney at Law Thomas Shaw (pictured) addresses a wide range of legal issues surrounding cloud computing. Shaw is the author of the recently published book Cloud Computing for Lawyers and Executives: A Global Approach. He is also CEO of CloudRisk Asia, an organization that specializes in helping cloud adopters assess the risks associated with cloud computing, including legal, information security and privacy and compliance. More recently, Shaw presented at the Cloud Technologies Forum co-organized by Computerworld Hong Kong and Asia Cloud Forum, and discussed the risks associated with cloud computing.
Asia Cloud Forum: IT/business units often negotiate cloud contracts directly with cloud service providers (CSPs) without involving the legal team. What are their common oversights from the legal perspective?
Thomas Shaw: A business unit or IT team is going to understand the needs from their perspective, be it a time or cost savings. But the enjoyment of these benefits is highly dependent on understanding and managing the risks.
A business unit in an organization is not going to understand in depth the legal, compliance, or audit requirements, while an IT team is not going to understand in depth the information security and privacy requirements coming from laws and contractual commitments.
One common oversight is thinking of the cloud outsourcing process as simply throwing this service over the wall. In addition to the technical integration that may be required between cloud systems and systems still run by the organizations, including appropriate APIs, many of the incident response, business continuity, and data breach processes must be tightly integrated to be effective.
Another oversight is not demanding a non-proprietary, standards-based approach. While the cloud standards are still emerging, the areas for those standards most needed in the cloud have been laid down.
In your new book you mentioned about the "data mobility principle," how can one apply it in the process of cloud contract negotiation?
Shaw: In my new book, the "data mobility" principle examines how it effects cloud service contractual provisions and legal compliance.
With data mobility, and given the elasticity and pooling of cloud resources, the organization's cloud-based data may move as needed to any location within the cloud that can provide the necessary resources -- including other CSPs and other countries.
It is essential to be able to control the location and processing of organization data, either through contractual provisions or through various location-monitoring tools the CSP may make available.
What are the 'must know' and 'must do' items in any cloud service contract negotiation process?
Shaw: Organizations must know the state of their own readiness to outsource to the cloud by performing a self-assessment. Without the ability to know what threats, controls, parameters, and metrics to look for, and the oversight capabilities to monitor contract performance, cloud outsourcing will not succeed.
Organizations should also determine a list of items that they must obtain in any cloud services agreement. They must then perform a risk assessment of each CSP that they are considering, across a wide area of legal, technical, business, service, security, governance, audit and response criteria.
For example, audit risks include whether the proper evidence is accessible and to whom (for example, does the CSP allow for extracts of common system log information from a multi-tenant environment?), what types of audit reports are available, and who is allowed to perform the audit.
Governance risks include how the CSP manages its subcontractors, and the mechanisms used to ensure that all duties are carried out (e.g., contractual provisions and/or audits) -- in no less a manner than if the CSP performed the task directly.
Legal risks include understanding how liabilities are allocated between the CSP and the organization in the case of a loss or disclosure of organizational data, significant unplanned downtime, or infringement of third-party intellectual property rights. It is essential that organizations turn to external parties with the expertise in all of these areas to be able to address risks globally under a comprehensive methodology.
More coverage of 2011 Cloud Technologies Forum:
Cloud legal issues part 1: Key considerations in contract negotiations
Cloud legal issues part 2: Beware of potential legal liability pitfalls
Cloud legal issues part 3: Dealing with jurisdictions, regional variations
China takes to the cloud
MORE COVERAGE OF CLOUD COMPUTING