There is much hype surrounding the increased use of various cloud computing solutions. This article considers some of the issues that may be of interest to underwriters from a risk perspective.
What is cloud computing?
There is no magic in the term “cloud computing”. Essentially it refers to the practice of outsourcing the provision of IT hardware, infrastructure and/or software to a third party. The main benefit of utilising a cloud solution is that, because the cloud provider can exploit economies of scale, it can offer customers a cost-effective alternative to purchasing and maintaining their own hardware and/or software and/or support capacity. The customer also achieves flexibility and scalability because resources can be expanded or reduced rapidly.
A wide variety of cloud solutions are available and there are some important distinctions in the services on offer:
- Public and private cloud: In public clouds customers share the same computing space, although their data is partitioned. In a private cloud the customer has its own dedicated infrastructure.
- Outsourced services: The main categories of service are as follows:
Cloud services may be provided between a customer and a single supplier alone but may also be “layered”, meaning that cloud services are provided by a number of suppliers. For example, customer A’s infrastructure may be provided by W, its general application software sourced from X, specialist software from Y, and development work and analytics provided by Z. These services could all be provided directly by W, X, Y and Z under separate contracts, or procured via one of the suppliers (ie A contracts with W, which in turn contracts with X and Z; X may, in turn, contract with Y to provide speciality application software which it cannot provide itself).
Risk in cloud computing
There are significant customer risks associated with cloud computing. In particular, the customer generally retains legal responsibility for:
- Application-level network security, ie firewalls, antivirus and network intrusion software, and password integrity.
- Providing for regular and appropriate data backup.
- Compliance with data protection regulation (see below).
- Properly understanding the outsourced systems.
- Enabling and updating software.
- Managing migration between systems.
Significant areas of supplier exposure include:
- Accidental deletion of data.
- Failure to perform scheduled backups/failure of backup.
- Failure to ensure proper data protection/employee data theft.
- Physical security of the data centre.
Although suppliers often seek to mitigate their exposures contractually, the extent to which this can be done, legally or commercially, will differ on a case-by-case basis. In certain sections of the market there is now significant overcapacity, which may lead to a softening of provider terms. In addition, the position may be complicated in the case of layered solutions, in which there may be no direct contractual relationship between the customer and the supplier at fault.
For regulatory purposes the customer generally retains control over data, even if it is stored on the cloud provider’s hardware. However, the cloud provider can assume regulatory obligations in a number of circumstances. In particular:
- Generally in a private cloud the customer will be the data controller and the provider will be a data processor for Data Protection Act purposes. Accordingly the regulatory liability will rest with the customer.
- However, in limited circumstances that might not be the case. For example, exceptions might occur where the provider has been asked to carry out detailed analytical work on data hosted on behalf of the customer and/or to involve a third party to assist in that process.
- Where two or more users are sharing a private cloud it may be difficult to establish who the data controller really is unless there are clear protocols in place identifying the controller. If that is not the case then the position can vary on a case-by-case basis.
- The position regarding large public clouds is more difficult still. It appears that, although the customer retains limited control of their data in such clouds, services often use user data for purposes of their own, such as analysing it to target marketing material or disclosing it to third parties. This may be enough to mean that they are deemed to be data controllers (notwithstanding standard terms to the contrary). Topically, this point may apply to cloud providers which disclose customer information to government agencies.
As data controller, the onus will remain on the customer to actively assess whether data is suitable for storage in the cloud (ie routine data may be suitable but highly sensitive material may not), to demonstrate that it has carried out an independent risk assessment, and to show that it has continued to actively audit and monitor the conduct of its cloud provider. Establishing the physical whereabouts of data may be difficult, especially where the solution is virtualised and data is moved to equalise load, because, in principle, data residing on a virtual server could be held in more than one physical storage location.
It is also worth remembering that the nature of cloud computing means that, unless there are contractual checks in place, data may be held in jurisdictions where other regulatory regimes and additional regulatory obligations apply. Conversely, data may be transferred to servers in a location where there is less or no regulation, which may give rise to its own contractual or regulatory issues in the jurisdiction where the customer is domiciled.
Ultimately, as in any outsourcing relationship, the issues to consider when evaluating the risk in cloud computing arrangements are: what is outsourced, how dependent the outsourcer is on those services, the risks presented by failure of those services, and the way in which the parties have contractually allocated that risk.