Cloud legal issues: part 1

Carol Ko
10 Aug 2011
In your new book you mentioned about the "data mobility principle," how can one apply it in the process of cloud contract negotiation?
Shaw: In my new book, the "data mobility" principle examines how it effects cloud service contractual provisions and legal compliance.
With data mobility, and given the elasticity and pooling of cloud resources, the organization's cloud-based data may move as needed to any location within the cloud that can provide the necessary resources -- including other CSPs and other countries.
It is essential to be able to control the location and processing of organization data, either through contractual provisions or through various location-monitoring tools the CSP may make available.
What are the 'must know' and 'must do' items in any cloud service contract negotiation process?
Shaw: Organizations must know the state of their own readiness to outsource to the cloud by performing a self-assessment. Without the ability to know what threats, controls, parameters, and metrics to look for, and the oversight capabilities to monitor contract performance, cloud outsourcing will not succeed.
Organizations should also determine a list of items that they must obtain in any cloud services agreement. They must then perform a risk assessment of each CSP that they are considering, across a wide area of legal, technical, business, service, security, governance, audit and response criteria.
For example, audit risks include whether the proper evidence is accessible and to whom (for example, does the CSP allow for extracts of common system log information from a multi-tenant environment?), what types of audit reports are available, and who is allowed to perform the audit.
Governance risks include how the CSP manages its subcontractors, and the mechanisms used to ensure that all duties are carried out (e.g., contractual provisions and/or audits) -- in no less a manner than if the CSP performed the task directly.
Legal risks include understanding how liabilities are allocated between the CSP and the organization in the case of a loss or disclosure of organizational data, significant unplanned downtime, or infringement of third-party intellectual property rights. It is essential that organizations turn to external parties with the expertise in all of these areas to be able to address risks globally under a comprehensive methodology.