“In the beginning computers were human. Then they took the shape of metal boxes, filling entire rooms before becoming ever smaller and more widespread. Now they are evaporating altogether and becoming accessible from anywhere.” (Report on corporate IT, The Economist, 25 October 2008.)
We can safely say that ‘cloud computing’ is very much in vogue. So what is it, why is it important and what are the risks? Can you get burnt by a cloud?
So what is cloud computing?
In simple terms, cloud computing is just a way of providing and using services over the internet. Another term often used in this area is software as a service, or ‘SaaS’. Facebook and Hotmail are perhaps two of the best-known media which use cloud computing. For Facebook, users log on to the Facebook site, check messages, interact with friends and upload photographs and applications. The material uploaded by the user is stored on the servers used by Facebook, rather than on the user’s home PC.
As servers become more powerful, they can hold much larger databases. It is getting easier to access databases remotely as bandwidths increase and as techniques improve to allow single servers to be used concurrently by a number of users.
The server solution
It is in this area that the huge attraction of cloud computing becomes obvious. Large-scale cloud providers such as Sun Microsystems, IBM and Cisco have huge buying power and can achieve significant cost savings for server facilities. At present, most of us sitting in our offices will have a server situated somewhere in the building. We will have paid a hefty sum for that server and may well be frustrated to find (on a fairly regular basis) that the server’s capacity lets us down. Historically, the answer has been to go out and buy more capacity.
Another disadvantage of the traditional server system is that occasionally the server breaks down. If you are a small business, you may not have your own techie department and so will summon the aid of your friendly computer engineer, who may arrive that afternoon. He or she will fiddle with some buttons, shine a flashlight underneath the server to check for mouse droppings and may (or may not) be able to get hold of the parts he or she needs to get things up and running again soon. Imagine a future where the server is the solution rather than the problem! That’s where the visionaries see cloud computing taking off. Someone else has the capital outlay of buying and siting the server, maintains it with a team of experts and generally does all the needful. All you do is log on and away you go.
Is this all just pie in the sky thinking? The oft-experienced fate of technological inventions which are launched to floods of hype but which then turn out to be damp squibs (the so-called ‘Gartner’s Hype Cycle’) does not seem likely for cloud computing. Some of the components of cloud computing are out there already and the combination of technological innovations suggests that cloud computing hasn’t just arrived but is here to stay.
Those clouds look ominous
There is very little regulation of cloud computing at present and yet there are obvious business risks which need to be considered before you launch yourself into the clouds.
The Open Cloud Manifesto was published in the spring of 2009 and sets out certain key, high level principles which cloud providers should comply with. The Manifesto was set up by a number of leading providers such as IBM, Cisco and EMC.
Although the document doesn’t have the status of formal guidance, it is a starting point in measuring your cloud provider’s commitment to good cloud control. You can find the Manifesto at www.opencloudmanifesto.org.
The first risk businesses should think about arises where they are having a cloud set up for them. As an example, many financial services firms are buying SaaS products which involve the business using a particular software product from a provider, who provides the cloud or server facility. What happens if the SaaS provider goes bust or stops supporting the service?
The traditional way of protecting businesses in the good old days of straightforward software development was the escrow service. This involved the software’s source code being deposited with a trusted third party, to be released in certain circumstances such as insolvency or the product no longer being supported, in exchange for a small fee. What is the source code? In simple terms it is the key which allows you to change, amend and upgrade your business software. Having access to the source code can be critical if your software developer does go belly up.
Escrow arrangements are equally vital in the clouds. If your SaaS supplier goes under, having the source code in escrow can help minimise the impact on critical business functions. Companies which provide escrow services include the NCC Group in the UK.
Data protection and cloud control
Perhaps the biggest risk presented by the clouds is in the area of data protection. Cloud providers in Guernsey will be subject to the Guernsey Data Protection Law and will need to ensure compliance with the Law when handling relevant data.
Cloud configurations can be quite complex, and we’re not talking about cirrus and nimbus! Most configurations involve data transfers across the world, through several jurisdictions. This is potentially a significant risk for businesses, which will be classified as the data controller in terms of the Law. There are obligations on data controllers to ensure that data is being handled and controlled properly.
Certain jurisdictions are recognised as having established solid data protection regimes and, in broad terms, transfers of data to those jurisdictions will be in order. The UK and other European Union countries will fall into this category, for example. Outside the ‘safe’ list, businesses should ensure that data is only transferred under a carefully constructed agreement which regulates the transfer of data.
Even for ‘safe’ jurisdictions, businesses should ensure that they have proper agreements in place dealing with the specific risks associated with their business. Businesses should also ensure that critical data control points are identified, analysed and assessed and that appropriate control measures are put in place to minimise the risk of data loss, destruction or misuse.
Further guidance for Guernsey businesses can be found at the Data Protection Commissioner’s website: http://www.gov.gg/ccm/navigation/home-department/dataprotection-commissioner/
Prevention is better than cure
When negotiating for cloud computing services, businesses should:
- carry out a hazard or risk analysis of critical control points and take measures to address risks identified
- gain as much information as possible about the cloud computing provider and be satisfied that proper procedures are in place to safeguard the data which will be transferred
- pay particular attention to the server facility – is adequate security and maintenance available?
- identify with the supplier which jurisdictions the data will cross
- identify which third parties could (potentially) access the data
- get guarantees from the providers and third parties about the way data will be processed by them
- make a satisfactory security audit a condition of entering into a contract and ensure there is a right to carry out further audits on a regular basis
- consider any sector-specific legislation which the provider must comply with e.g. in relation to banking confidentiality or AML issues and make sure that the contract specifically requires the provider to adhere to amended legislative requirements
- consider implementing ‘onion cloud computing’, whereby layers of security coding are wrapped round the data to protect it as it is transferred across jurisdictions.
Internally, businesses can also help themselves by getting their customers to give specific consent to data transfers outside the recognised ‘safe’ jurisdictions. We are now used to seeing ‘click through’ contracts to access and use cloud services and it may be that this is an obvious and straightforward way for you to obtain and record your customers’ consent.
Despite Gartner’s Hype Cycle, it seems clear that cloud computing is here to stay. Even lawyers – traditionally very conservative creatures – are embracing the clouds, as ‘work on the move’ gadgets such as the iPhone and the Blackberry make it possible to work anytime, anyplace, anywhere. Now why did they have to make that possible…?