While info-security and data privacy issues still top the list of concerns for most cloud-adopting organizations, those organizations should look beyond the mere maintenance of appropriate controls. This is especially true for organizations with operations worldwide, where it is more about complying with the info-security and privacy laws in each country. According to Asia-based Attorney at Law Thomas Shaw, the use of cloud may also implicate statutes and regulations where an organization's data is transparently moved ("data mobility") by cloud service providers.
In an interview with Asia Cloud Forum, Attorney at Law Thomas Shaw addresses a wide range of legal issues surrounding cloud computing. Shaw is the author of the recently published book Cloud Computing for Lawyers and Executives: A Global Approach. He is also CEO of CloudRisk Asia, an organization that specializes in helping cloud adopters assess the risks associated with cloud computing, including legal, information security and privacy, and compliance risks. More recently, Shaw presented at the Cloud Technologies Forum co-organized by Computerworld Hong Kong and Asia Cloud Forum, and discussed the risks associated with cloud computing.
Asia Cloud Forum: IT/business units often negotiate cloud contracts directly with cloud service providers (CSPs) without involving the legal team. What are their common oversights from the legal perspective?
Thomas Shaw: A business unit or IT team is going to understand the needs from their perspective, be it time or cost savings. But the enjoyment of these benefits is highly dependent on understanding and managing the risks.
A business unit in an organization is not going to understand in depth the legal, compliance, or audit requirements, while an IT team is not going to understand in depth the information security and privacy requirements coming from laws and contractual commitments.
One common oversight is thinking of the cloud outsourcing process as simply throwing this service over the wall. In addition to the technical integration that may be required between cloud systems and systems still run by the organizations, including appropriate APIs, many of the incident response, business continuity, and data breach processes must be tightly integrated to be effective.
Another oversight is not demanding a non-proprietary, standards-based approach. While the cloud standards are still emerging, the areas for those standards most needed in the cloud have been laid down.