Cloud computing - key risks and issues
Cloud computing, the ability to deliver computing resources as a utility service, is becoming increasingly mainstream with one estimate indicating that more than half US businesses already use cloud services. There are a number of risks to using and supplying cloud services and this note seeks to highlight a number of these, and in certain cases to suggest a pragmatic approach to dealing with them.
While primarily written from the perspective of users, this note highlights a number of issues which suppliers will need to be able to address when confronted with professionally advised customers.
Key risks and issues
Nature of a layered service
This has two aspects to it: (a) software and hardware components – a cloud service may involve third party software or systems hosted or leased by a third party; (b) a cloud service may itself be dependent on or incorporate other cloud services. As a result a user may be dependent upon several different providers or sub-providers, though it contracts with only one supplier. Cloud services are consequently more layered and opaque than other IT services. Users need to be aware of the nature of the “stack” their services rely on, while providers need to have appropriate contracts in place and ensure they can “back off” any liability arising under their customer contracts where appropriate to do so.
Deletion of data
This may be required as a result of data protection legislation or else contractually on termination of provision of services. In either case deletion of data in the cloud can be problematic. A user may place data in a “bin”, but emptying the bin does not mean the data is unrecoverable: only the metadata pointing to the location of the data is deleted, and the data itself remains on the hard disks until overwritten several times or until the disk itself is physically destroyed. Furthermore, the data may have been replicated over several servers, so that it has to be deleted from several hard disks. Ensuring deletion of data is therefore a financial as much as a technical issue and, in certain sectors, a regulatory imperative.
While cloud services provide flexibility in terms of the ability to expand or contract services, this comes with the possible risk that sensitive data may be located (whether for back-up or as part of “follow the sun” maintenance provision) in several jurisdictions, including locations outside the European Economic Area, a key issue in terms of data protection. Under EU data protection legislation a transfer of personal data outside the European Economic Area is only permitted subject to certain conditions being met.
Amazon is one of the few providers offering an option to store data in a particular zone (eg Europe) and to ensure it is not transferred outside that zone. If suppliers are coy about naming the location of specific data centres, we would normally expect a warranty that all processing will take place in EU data centres (including any maintenance requiring access to data).
In the case of IaaS and PaaS, applications hosted in the cloud may be dependent on an API which works with the supplier’s systems. It may be impossible to migrate applications to run in-house or on a different supplier’s service without substantial re-writing.
Data in the cloud
The nature of cloud services means that, for the duration of the relationship, users are wholly reliant on the cloud supplier for the maintenance of the data they place with it. If the supplier becomes insolvent, in addition to loss of service, a user could also lose all its data. In this respect we note a service offered by NCC, known as “SAAS Assured”, which seeks to ensure users have continued access for an agreed period of time.
If data is unencrypted anywhere in the cloud, it remains vulnerable to access by third parties. From a user’s perspective, this could be unauthorised access by the supplier or by other users of the supplier’s services. Take the example of the supplier who runs several virtual machines off one hard disk; customers are separated only by virtualisation software rather than by physical separation. One approach to this risk is to ensure that data is kept encrypted at all times, but this is not really practicable on a day to day basis because of the length of time encrypting and decrypting would take. A possible compromise is to encrypt only sensitive data, or to limit what data is transferred to the cloud service.
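The two practical points above, that a "deleted" object may survive on several disks the user never sees, and that encrypting only the sensitive data is a workable compromise, can be combined in one defensive pattern. The following is an added example, not part of this note and not any provider's code: it encrypts only the sensitive fields of a record on the user's side with AES-256-GCM from the Go standard library, under a key generated per record that never leaves the user's systems, while the identifier stays in clear so the provider can still index it. It goes one step beyond the note by also showing crypto-shredding: discarding the key makes every replica of the ciphertext unreadable, which is the practical way to "delete" data whose physical copies the user cannot reach. The Record fields, the KeyStore and its in-memory key map are constructed for the example (assumption: a real deployment would keep the keys in an HSM or key-management service).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Record is a constructed customer record. ID is not sensitive and stays in clear so the
// provider can index it; Email and Notes are sensitive and hold ciphertext after Encrypt.
type Record struct {
	ID    string
	Email string
	Notes string
}

// KeyStore keeps one AES-256-GCM key per record on the user's own systems
// (assumption: a real deployment would back this with an HSM or a KMS).
type KeyStore struct {
	keys map[string]cipher.AEAD
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]cipher.AEAD{}} }

// Shred discards a record's key; every replica of its ciphertext is then unreadable.
func (ks *KeyStore) Shred(id string) { delete(ks.keys, id) }

// sealField encrypts one field under a fresh nonce (prepended to the output), binding the
// record ID and field name in as associated data so ciphertexts cannot be swapped around.
func sealField(gcm cipher.AEAD, aad, plaintext string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField decrypts and authenticates one field; any tampering is an error.
func openField(gcm cipher.AEAD, aad, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext for %s", aad)
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(aad))
	if err != nil {
		return "", fmt.Errorf("%s: %w", aad, err)
	}
	return string(pt), nil
}

// Encrypt prepares a record for upload under a fresh key generated for that record.
func (ks *KeyStore) Encrypt(r Record) (Record, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Record{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	for name, f := range map[string]*string{"email": &r.Email, "notes": &r.Notes} {
		if *f, err = sealField(gcm, r.ID+"/"+name, *f); err != nil {
			return Record{}, err
		}
	}
	ks.keys[r.ID] = gcm
	return r, nil
}

// Decrypt recovers a record fetched back; it fails once the record's key is shredded.
func (ks *KeyStore) Decrypt(r Record) (Record, error) {
	gcm, ok := ks.keys[r.ID]
	if !ok {
		return Record{}, fmt.Errorf("no key for record %s: data is unrecoverable", r.ID)
	}
	var err error
	for name, f := range map[string]*string{"email": &r.Email, "notes": &r.Notes} {
		if *f, err = openField(gcm, r.ID+"/"+name, *f); err != nil {
			return Record{}, err
		}
	}
	return r, nil
}

func main() {
	ks := NewKeyStore()
	stored, _ := ks.Encrypt(Record{ID: "cust-42", Email: "alice@example.com", Notes: "credit limit 5000"})
	fmt.Printf("uploaded: %+v\n", stored) // the provider sees the ID and two ciphertexts
	ks.Shred("cust-42")
	_, err := ks.Decrypt(stored)
	fmt.Println("after shred:", err)
}
```

Two design choices are worth noting. Encrypting a handful of fields rather than whole data sets keeps the encryption cost the note warns about small, and the provider still gets a usable identifier for storage and indexing. Binding the record ID and field name into the GCM associated data means a ciphertext copied from one field or record into another is rejected on decryption, so the supplier (or another tenant on the same disk) cannot silently rearrange the user's data even without being able to read it.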
Where data is not encrypted, the supplier’s approach to intrusion prevention and detection will be key. Customers will normally want this documented and will also want control over the supplier’s backdoors to data. In such cases, we would recommend access control restrictions on the classes of employees with technical access to data, restrictions on their use of that access (eg by reference to express confidentiality obligations), and an obligation on the supplier to undertake regular penetration testing and share the results.
The risk users wish to avoid here is of lock-in to a particular service provider. On termination a user will want to recover its data and metadata in easily accessible formats (eg a standard format such as comma-separated value (CSV)) which are readable and transportable to other applications, but this may not be possible with some suppliers. In the case of others, they may charge for provision of data on a disk. A number of suppliers do not offer additional assistance, even if the user offers to pay.
A further issue here is the length of time a user has in which to take his data away before it is deleted. Some delete data immediately or after a short period (say 30 days). Larger customers may be able to negotiate longer periods up to 18 months but this often comes at an additional cost.
Security may be key for some users, but many cloud providers are opaque as to the details of their security measures. This is partly because they fear that providing details of their security will itself weaken that security. Most providers will however provide an overview of their security arrangements, and many customers take comfort from ISO 27001 and 27002 certification. At the time of writing, cloud-specific security standards are available via the Cloud Security Alliance (the STAR certification) and ISO (27017), and are being developed by the Open Data Centre Alliance.
Compliance with regulatory requirements
This includes regulatory issues relating to data protection and (in the financial services context particularly) audit, divestment and security rights. Many cloud providers fail to take account of users’ concerns in any of these regards. For example, in respect of data protection, many are reluctant to agree to standard data processor/controller provisions (this on the basis that cloud services are “self service”, so the real processor is the user/controller). Likewise many suppliers’ terms enable them to use subcontractors (sub-processors); under EU data protection laws, the controller must be aware of sub-processors and have audit rights in respect of their compliance.
Businesses operating in certain sectors such as defence or security, or even less obvious ones where the items produced by the business can have dual or multiple uses, must also ensure that data or other information transferred to a cloud storage facility complies with any applicable export control restrictions. This covers the first transfer to the facility, access by any of their personnel, and access by any service providers in the 'stack'.
Insolvency of supplier
If a cloud provider suffers some sort of insolvency event, users must not assume that the terms of their contract alone will enable them to retrieve data from the cloud. Consideration should be given in advance, even if it seems counterintuitive when migrating to a cloud facility, to whether alternative back-up arrangements for data should be put in place, eg replication of data with another cloud provider or with a physical data centre. Some traditional escrow agents such as NCC now also offer escrow arrangements for SaaS applications, which allow continuing access to the application for a period of time so that data can be accessed and migrated to an alternative provider.
Cloud Suppliers' Ts and Cs
Some cloud suppliers will only contract on their own standard terms of service unless the prospective customer has relatively strong bargaining power. Interestingly, customers may sometimes be able to obtain better terms from cloud integrators than individual suppliers, this on the basis that integrators have more financial leverage. Typical standard terms put forward by cloud providers include:
- An obligation to bring claims within a shorter period of time than would normally be the case, eg Apple requires that claims be brought within 1 year. In English law, claimants would normally have 6 years in which to bring a claim.
- Many envisage a right for the supplier to unilaterally alter their terms of service by simply posting updates on their web sites ie without even notifying their customers.
- Many provide that the ultimate responsibility for preserving confidentiality and integrity of customer data lies with the customer and disclaim liability for loss, even in some cases where the advertised purpose of the service is provision of data back-up. A common approach is to require the customer to encrypt or back up all data.
- Some suppliers provide for release of data to law enforcement or other third parties on relatively flimsy grounds eg if the supplier may be exposed to legal liability or if it is necessary to protect the interests of the supplier or a third party.
- Almost every supplier’s Ts and Cs seeks to disclaim warranties as to performance, but US based suppliers tend to do so on a more comprehensive basis. Many also seek to disclaim any liability for damage or inability to access data or services.
- A number of suppliers disclaim any availability targets. Where there are SLAs offered, service credits are not usually available. Where they are, there may be restrictive conditions attached eg service credits to be awarded at the discretion of the supplier or only after an outage has crossed a particular SLA threshold.
- Many US based suppliers insist on the exclusive application of the law and jurisdiction of a US state. Courts in the United Kingdom are unlikely to enforce or exercise jurisdiction where the parties have agreed such a provision; the consequence is that a UK based entity will have to instruct US attorneys and commence litigation in the relevant US state in the event of a dispute.
- Many look to incorporate their acceptable use policies into their contracts. These typically cover a prohibition against use of services for spam, hosting of defamatory or obscene content, gambling etc. Most of these are unlikely to be controversial, but customers need to be aware that a breach of these provisions by any employee could result in instant termination of their service.
- Some suppliers provide that data will be deleted immediately on termination for any reason. A more enlightened approach is to provide that data will be available for a period (IBM offer 6 months) for download by the customer. Customers will need to check these provisions and review any charges applicable to post termination assistance.
- Caps on the supplier’s liability can be low, particularly in the case of US based suppliers. ElasticHosts limits its liability to 1 month’s fees. Others offer a flat liability figure, eg UK Fast, a host for SMEs, offers £5,000. Others appear to envisage no liability at all. In the UK context, a cap of twelve months’ fees was held unlawful by the judge in Overy v PayPal.
- Many suppliers seek indemnification from the customer for any claim against the supplier arising from the customer’s usage.