Some say cloud computing is changing everything when it comes to the IT business. That’s true to an extent, but I believe it's to a much smaller degree than the cloud computing providers (and others who stand to make money off of the hype) are portraying it.
Interestingly, I’m seeing lawyers take an interest in cloud computing -- and when lawyers take an interest in something like this, you know it must be a valid market. From a general “How do we get from here to there?” perspective to service-level agreements to intellectual property and data breach cases I’ve seen as an expert witness, there’s a lot to say about cloud computing legal issues. It’s an interesting evolution and convergence that I thought we’d never see, and it's making IT, corporate governance and legal fields infinitely more complex.
So, where are we headed? First, let’s look at what exactly compliance is. Generally speaking, compliance is the process (and pain) of adhering to a set of rules that an industry body or government agency thinks you need to adhere to. In many cases, there’s little gray area or room for flexibility. Your business has to comply with X, Y and Z requirements -- or else. The actual enforcement and sanctioning is an entirely different beast but, at least in theory, there are ramifications if your business doesn’t comply with the letter of the law.
But this is all about you and your business. It’s your deal. You know what’s expected and what the consequences of noncompliance are.
Now let’s talk about the cloud. Cloud computing is not just a technology -- it’s an entirely different way of doing business. You no longer have the constraint of four walls to keep personally identifiable information (PII) safe and secure. Instead, with many of the available cloud services, you’re essentially handing over the management of your data to a third party or even a third party’s third party. The list of people now involved in touching your data and being responsible for keeping things in check is endless. Put another way, complexity is rising while accountability is shrinking.
It can be argued that there’s a lot more spreading the blame around when something happens “in the cloud." Business lawyers love this concept. Simply getting more parties involved leads to downstream liability that can serve to lower the overall liability of any single party. Instead of your business taking the brunt of a lawsuit when a breach occurs, your business can pass along the liability to anyone and everyone with their hands in the cloud services you’ve bought into.
I believe many people in business -- particularly executives and their legal counsel -- have the longer-term goal of being hands off with PII altogether. That’s not necessarily a bad strategy but, obviously, it’s not so cut and dry. This aspect of cloud computing changes the game, especially with regards to cloud compliance. It lends itself to the following questions:
Cloud computing is not just a technology -- it’s an entirely different way of doing business.
1. Who is ultimately responsible for cloud compliance? Is it your organization?
2. Are all of your cloud-related contracts watertight? Is your business going to have a leg to stand on if, indeed, a cloud computing provider is to blame for a breach?
We’re going to see all of these things come to light in the next several years. There’s no definitive answer but one thing’s for sure: Cloud compliance is not something you can ignore. Ask the tough questions of your vendors and ensure that you’re doing everything you can to keep things in order both in-house and with your cloud computing providers. Things are only going to become more complex.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.
This was first published in February 2011