Many organizations view the cloud as a cost-effective and practical approach when it comes to data processing, access, storage and management. A common misconception among organizations migrating their data to the cloud (or already operating in the cloud) is that the cloud service provider will be responsible for their overall security. Cybersecurity in the cloud is not automatic and most cloud service providers will rely on a “shared responsibility” model, which essentially divides the security responsibilities between the service provider and the customer. Accordingly, an organization should take into account the totality of its cloud operations when conducting its overall regular cybersecurity assessments. This two-part article will provide some key considerations that organizations should take into account when considering their cloud cybersecurity.
The Essentials of Cloud Computing
In essence, cloud computing allows users to store, access and manage information through a collection of online servers which interact with one another. Perhaps the best articulation of cloud computing comes from the National Institute of Standards and Technology (“NIST”), which, after years of back and forth and over 15 iterations attempting to capture its meaning, has distilled cloud computing into five essential characteristics:
- On-Demand Self-Service. Customers can unilaterally provision computing capabilities as needed without requiring human interaction with each service provider.
- Broad Network Access. Services on the network are available through many different mechanisms and platforms (e.g. mobile, laptop).
- Resource Pooling. Providers’ resources (e.g. storage, memory, bandwidth, etc.) are pooled to serve multiple customers with dynamic assignments and re-assignments to fit customer demand.
- Rapid Elasticity. Capabilities can be provisioned, released and scaled rapidly to meet demand and customized in any quantity at any time.
- Measured Service. Cloud systems automatically measure, control and optimize resources to provide transparency for both consumers and providers.
In addition, there are three service models (software, platform and infrastructure) and four deployment models (private, community, public and hybrid) that all work together to form one comprehensive definition. One commonly used analogy is likening cloud computing to the supply of electricity: all you need is some way to plug into the grid (cloud).
By relieving the need to store information in one location, consumers and providers can readily access relevant data quickly and efficiently—but then again, so can anyone.
Managing Cybersecurity Risk in the Cloud
As has been highlighted by many experts in the area, cloud computing has unique characteristics that give rise to a plethora of diverse and complex legal issues, most notably:
1. Data Security. The area of greatest concern, this includes preventing unauthorized access to or theft of information, and managing metering and service levels. Security breaches are expensive for both providers and consumers, and often involve issues that are not easy to parse, or liabilities that cannot be delegated – such as the consumer’s responsibility for compliance with applicable privacy legislation governing personal information contained in the material uploaded to the cloud. Cloud service providers often try to balance the security needs of consumers with their own limitations by offering to implement a “reasonable” or “industry standard” level of security. However, given the dynamic and fluid nature of cloud computing services, these terms are often left open to wide interpretation. Beyond the loss of or breach to their own information, consumers must be knowledgeable about the associated risks that can flow to them from a breach involving the information of others.
Contractual provisions in cloud computing agreements can be crafted to reduce data security risks in a number of ways, such as by requiring the provider to, among other things: (a) adhere to clearly defined security standards to supplement what constitutes a “reasonable” or “industry” standard in a given situation; (b) provide representations and warranties addressing security compliance (such as strict access controls) or breach notifications; (c) provide reporting or systems security assessments or testing (with potential termination triggers for non-compliance); (d) relinquish control over notification rights concerning a consumer’s customers; and (e) segregate data or information in subsets to prevent a hack or breach from compromising all data.
2. Location of Data. Cloud service providers may have servers and data centers spread out across various jurisdictions around the world. The consumer should never assume that their data will be stored or remain at all times within their home jurisdiction, and must be cognizant of the associated risks with the transfer of data across international (or even interprovincial) boundaries. Although the geographical distribution of data allows for a greater level of security, the fact that data may be stored, processed, accessed and managed, all in different locations, is something the consumer must address. This is particularly relevant given the imminent coming into force of the European Union’s General Data Protection Regulation in May 2018.
Knowing the location of data servers and centers is key to helping dispel jurisdictional uncertainty. Consumers should require that service providers include provisions that address: (a) the location of data, data centers, customers, cloud provider, and subcontractors; (b) geographical restrictions, export controls and extraterritorial storage; (c) limiting the access of subcontractors or third party vendors who may process or access the data in foreign jurisdictions; and (d) requiring notification to consumers prior to engaging such subcontractors in specified jurisdictions. Additional legal issues may arise in connection with data access during e-discovery.