Author: Renzo Marchini
ISBN No: 978 0 580 82246 9
Review date: 23/04/2024
No of pages: 242
Publisher: British Standards (BSI)
Publisher URL:
http://shop.bsigroup.com/ProductDetail/?pid=000000000030279765
Year of publication: 30/11/2015
Brief:
Cloud Computing. A practical introduction to the legal issues. Second edition.
price
£45
Cloud Computing. A practical introduction to the legal issues, by Renzo Marchini. Second edition.
After the basics – such as, what cloud computing actually is (such services we take for granted as Dropbox, iCloud and Hotmail, to name only three) – and some law, the book details information security and then data protection – which takes up about half the book, a sign of how important that is, compared with other, also important things you want from the cloud, such as service levels and access to your data. “Survey after survey indicates that security of data or information is the biggest worry of customers contemplating moving to a cloud environment. They have an understandable fear of putting their data into the hands of a third party.”
The clouyd providers say this fear is often misplaced … although ‘no IT infrastructure is perfectly secure’, because if you’re connected to the internet, you are at risk of hacking. Nor are any employees completely trustworthy; and even if you do have processes and protocols, employees may breach them. While you are losing that direct control of your data – maybe the very lifeblood of your business – the book argues that cloud providers have ‘a massive commercial incentive to keep abreast of the latest security developments’. However as Marchini (a solicitor who’s specialised in infosec and e-commerce) goes on to say, loud security is still in flux. He asks whether smaller cloud providers can achieve and maintain ‘respectable levels of security’, whatever that may mean. “What is certain is that security will become a factor in the competition in the market,” he writes, in terms of actual IT security and how open the cloud provider is about that security.
Marchini details some breaches of cloud services, such as a failure of servers; Microsoft and Gmail (Google’s free webmail) having ‘outages’; and some documents shared with other users without the owners’ knowing; hackers compromising log-ins; hackers exposing user names; hackers taking users’ IDs and bank card numbers. Small wonder that Marchini writes that when outsourcing control of your data to a cloud or indeed any third party, you are ‘always well advised to undertake some level of due diligence prior to signing the contract, to ensure that security standards are as high as it is reasonable to expect given the commercial worth (or personal sensitivity) of the data’.
That may mean just going over the cloud provider’s security policy, which typically might cover the physical security of the servers; the network stuff, such as firewalls; and in case of ‘outage’, back-up. The author suggests that the customer asks questions, whether you’re going to tender or having a meeting, or just read the provider’s website. And keep records, if only for regulatory reasons if you should have to show you are working according to data protection principles.
What ought you to ask about? “It is impossible to be absolutely prescriptive as to what a customer should look into,” Marchini writes, but typically your due diligence might ask who owns the cloud; how it’s delivered; what are the security controls, whether on the network or at the data centre (wherever that is); and the provider’s own reports, not only of security but availability. Beware of general answers such as ‘we use encryption’. To what standard? At all times? In transit? And note that if a cloud provider says that it complies with the information security management standard 27001 is only self-assessing: “This is very different from being certified against the standard.” And ‘being compliant with’ need not be the same as having the accreditation. In short, don’t ‘simply rely on a statement that a cloud provider adheres to a standard on security’.
Readers may query how practical some of this is. Do you want to insist on the right to audit; are you going to do physical due diligence on a data centre in Lapland?! And even if you are, in a true, virtualised cloud, isn’t the data changing location frequently, even all the time?! If a cloud service is in business because it’s easy to use and quite cheap, how willing is it to go through a customer’s security questionnaire, and risk giving away what it sees as its trade secrets?
On the law, the book points out that when you put data into the cloud, you risk that data being accessed by law enforcement not only in its country, but the cloud provider’s country (wherever that is). And look ‘very carefully’ at liability language, as the provider may hide away an ‘absolute exclusion of liability’ for loss of data. As Marchini sums up on info-security, security breaches will continue to occur. The cloud may be hype, as Marchini raises at the very beginning, but it’s happening in the 2010s because people, businesses, want to have flexible IT and minimise costs: like it, understand it, or not, ‘the cloud is here to stay’.
In this second edition, the book has been updated in the light of increased experience of contracting in the cloud, and with an eye to proposed regulation that is likely to have an impact on cloud take-up. For example there is a new chapter on tax issues in the cloud, while sections on data protection have been substantially revised to reflect recent guidance from the UK regulator on data protection, the Information Commissioner’s Office (ICO).
