Continued from: Cloud legal issues part 1
In this second part of the interview with Asia Cloud Forum, Asia-based Attorney at Law and CloudRisk Asia CEO Thomas Shaw moves on to the role of in-house legal counsel in cloud service contract negotiations. Although any cloud service subscription is ultimately IT's or the business unit's decision, lawyers should bear in mind the potential legal liabilities that arise in certain situations.
Asia Cloud Forum: Should in-house legal counsels step in during a cloud contract negotiation process?
Thomas Shaw: Absolutely, and the earlier the better. Depending on the size of the organization and the experience of the procurement, IT, or business division leading the outsourcing, the lawyer's role in evaluating legal, compliance, and information security and privacy risk is essential to ensuring that the organization adequately addresses the risks of obtaining cloud computing services.
There are too many risk factors that require expertise to address that would be outside the experiences of most organizational units. For example, if an organization is involved in litigation, or in a governmental investigation and the plaintiff or government makes a request or demand upon the cloud service provider (CSP) for the organization's data, what should the CSP do? And when and how should the organization be notified?
For applications under a SaaS model, can compliance with records retention requirements still be maintained? Do the tools in a PaaS offering require proprietary APIs (application programming interfaces) to access data files? Do virtual machines spun up under an IaaS offering not contain any security information? This means that encryption keys or any authentication data, for example, are never retained inside a VM image.
On technology architecture, systems outsourced to the cloud may still need to interface with legacy systems but have the data-passing APIs changed during the migration. Organizationally, what happens to the expertise in the IT team when a function is outsourced to the cloud? These are just a few of the many, many risks to evaluate in assessing a CSP.