|By Jason Bloomberg||
|July 6, 2011 08:15 AM EDT||
If you don’t realize by now that Cloud Computing has its risks, then, well, you must have your head in the clouds. But then again, without risk there is no reward. When you place a bet on the Cloud, you know you’re betting on an emerging set of capabilities. And in any case, there are risks everywhere in business. Why should the Cloud be any different?
Even if you are willing to take on the risks of the Cloud, you must still do whatever you can to mitigate those risks. And unfortunately, risk means liability, and that means lawyers. To help make sure you and your lawyer are up to speed on all the legal ramifications of Cloud Computing, we’ve assembled the following list of concerns. Ignore the items on this list at your own peril.
Liabilities related to the geographic location of your data in the cloud
Legal jurisdiction – Where your Cloud provider is physically located may impact the legal jurisdiction that applies to your contract with the provider. How will you know which laws apply to your data if you don’t know what country or state your data currently reside in?
Regulatory Compliance – There may be regulatory constraints that limit where you locate your data. There’s no guarantee your Cloud provider will locate your data in your country—unless, of course, you pay them for that guarantee.
Disputes – If you need to arbitrate with or sue your provider, where do you do that? The business location of the provider may not be the same as the physical location of the data, complicating this issue.
Moving data across borders – The European Union is very particular about this rule. You can be held liable for moving customer information across borders without their permission.
Third-party access to your data
Search warrants – If a law enforcement agency has a search warrant for the server or hard drive that hosts your data, then they can remove the hardware from the provider’s data center and put it into evidence. For a long time. If you’re up to do good that’s one thing, but they may be going after suspected criminal activity for another one of the provider’s customers that happens to share space with you on the same physical server or drive.
PATRIOT Act seizures – if the FBI or other US federal agency suspects terrorist activity, they don’t even need a search warrant. They’ll simply walk into the provider’s data center and take whatever equipment they want. Think you’ll see your data again? Not likely. Does this sort of thing only happen in the US? I wouldn’t count on it.
eDiscovery/subpoenas – Even if no one suspects criminal activity, if you or someone else on the same server is party to a lawsuit, the opposing counsel can subpoena the data on the server. And just as with a search warrant, it may be many months before they return the hardware to the provider. Another question for your provider: what is the nature of their response to a subpoena? Do they need to inform you when a subpoena affects your data? What are your responsibilities in the face of a subpoena? For example, it may be illegal for you to delete data, even if the subpoena doesn’t explicitly specify such a restriction.
Provider employee access – what access do employees of the Cloud provider have to your data or machine instances? They have some level of responsibility for administering your account, but does that mean they have access to your data?
Trade secret & attorney/client privilege protection – If you have privileged information in the Cloud, either trade secrets or attorney communications, then making that information available to a third party can remove the privilege—even if the third party in question is just an admin at the provider backing up a server.
Liability of rogue employee – Employees of your Cloud provider aren’t the only risk. What if one of your own employees uses your Cloud account for illegal purposes? How much liability does your company have, and how do you mitigate such risks?
Responsibility and how to allocate it
Insurance in case of disaster – Do you have the proper insurance? What sort of disasters would be covered under your provider’s insurance, and which ones to you need to insure against yourself?
Liability for breach of privacy – Somehow your confidential data are leaked to the Internet. Under what circumstances is your provider liable for such a breach?
Liability for commingling with illegal data – sharing hardware with criminals and other unsavory types can lead to those pesky search warrants and subpoenas, but you should also understand your liability for having your data in close proximity to illegal data. Innocence may be no excuse when the feds find child pornography on the same server as your machine instances.
Liability for hacking – Hackers compromise your data or your machine instances. The weakness they targeted may have been your provider’s fault, but then again, maybe your own people misconfigured your machine instances, allowing the bad guys in. How do you determine the liability? What if the hackers installed a botnet in your machine instance that they used to penetrate the security of another company, who now wants to sue. Can they sue you?
Risk allocation – in those situations where perhaps you’re partly to blame for a disaster or a breach, how do you allocate the risk between your company and the Cloud provider? And will your insurance company pay a claim if you are partly to blame?
Logging and auditing requirements and risks
Supporting legal requirement for logging – Some regulations provide for specific logging and auditing requirements. For example, HIPAA requires you to maintain an audit log of everyone who accesses an electronic health record—even if it’s an admin at the Cloud provider. Make sure you communicate your specific logging and auditing requirements to your provider and include those requirements in your contract.
Privacy of logs – Sometimes the audit logs themselves contain confidential information. You must contract with your provider to properly encrypt that information, and you also need to mitigate the risk that such encryption is inadequate, allowing the logs to be compromised.
Other regulatory compliance issues
Regulations specific to your industry – The web of regulations is both extraordinarily complex and entirely arbitrary. It is your responsibility that you don’t run afoul of any regulations that pertain to storing, moving, or using data in the Cloud.
Risk of regulatory change – For the most part, today’s regulations that apply to the Cloud were around before the notion of Cloud Computing took off. Once regulators get a handle on the issues Cloud presents, however, you can expect new regulations to follow—and of course, it’s impossible to fully plan for them.
Requirement for provider audits and security certifications – You may also have regulatory priorities that require your Cloud provider to conduct its own internal audits or obtain security certifications. As regulations develop, expect such certifications to proliferate as well.
What if your Cloud provider declares bankruptcy?
Salvage rights to data – one day everything seems to be fine, but the next your provider is out of business, and they’re liquidating their assets. That means the servers that held your precious data are now on eBay, and they’ll soon belong to the highest bidder. To avoid this nightmare scenario, you’ll need to put in place some ironclad protections that will survive even a liquidation bankruptcy.
Escrow of provider data, code, and configurations – your own data aren’t the only things you might want to protect should your Cloud provider go belly up. Depending on how you’re using the Cloud, you may want to require your provider to escrow its own data, code, or configuration files, in the admittedly slender hope that if their servers go on the auction block, there’s some way to rebuild your Cloud application without starting from scratch.
The ZapThink Take
You probably picked up on the general assumption that this article is discussing Public Clouds in particular. That assumption is generally true, but it’s important to realize that Private Clouds have many of the same risks. You must still comply with regulations, deal with rogue employees, and potentially even respond to subpoenas or search warrants, after all. The list goes on.
Instead of focusing your efforts on insuring you’ve put together an ironclad agreement with a third-party Cloud provider, you must now serve as provider as well as customer if you’re building a Private Cloud. Yes, you have greater visibility and control, but you also have even greater responsibility and liability than if you are working with a Public Cloud provider. After all, having one throat to choke is no consolation when the only throat available is your own!
All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades. With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo, June 9-11, 2015, at the Javits Center in New York City. Learn what is going on, contribute to the discussions, and ensure that your enter...
May. 25, 2015 01:15 PM EDT Reads: 2,389
In a recent research, analyst firm IDC found that the average cost of a critical application failure is $500,000 to $1 million per hour and the average total cost of unplanned application downtime is $1.25 billion to $2.5 billion per year for Fortune 1000 companies. In addition to the findings on the cost of the downtime, the research also highlighted best practices for development, testing, application support, infrastructure, and operations teams.
May. 25, 2015 01:00 PM EDT Reads: 1,414
The security devil is always in the details of the attack: the ones you've endured, the ones you prepare yourself to fend off, and the ones that, you fear, will catch you completely unaware and defenseless. The Internet of Things (IoT) is nothing if not an endless proliferation of details. It's the vision of a world in which continuous Internet connectivity and addressability is embedded into a growing range of human artifacts, into the natural world, and even into our smartphones, appliances, a...
May. 25, 2015 01:00 PM EDT Reads: 6,402
There is no doubt that Big Data is here and getting bigger every day. Building a Big Data infrastructure today is no easy task. There are an enormous number of choices for database engines and technologies. To make things even more challenging, requirements are getting more sophisticated, and the standard paradigm of supporting historical analytics queries is often just one facet of what is needed. As Big Data growth continues, organizations are demanding real-time access to data, allowing immed...
May. 25, 2015 12:30 PM EDT Reads: 3,231
Container frameworks, such as Docker, provide a variety of benefits, including density of deployment across infrastructure, convenience for application developers to push updates with low operational hand-holding, and a fairly well-defined deployment workflow that can be orchestrated. Container frameworks also enable a DevOps approach to application development by cleanly separating concerns between operations and development teams. But running multi-container, multi-server apps with containers ...
May. 25, 2015 12:00 PM EDT Reads: 2,273
Software Development Solution category in The 2015 American Business Awards, and will ultimately be a Gold, Silver, or Bronze Stevie® Award winner in the program. More than 3,300 nominations from organizations of all sizes and in virtually every industry were submitted this year for consideration. "We are honored to be recognized as a leader in the software development industry by the Stevie Awards judges," said Steve Brodie, CEO of Electric Cloud. "We introduced ElectricFlow and our Deploy app...
May. 25, 2015 12:00 PM EDT Reads: 1,809
What do a firewall and a fortress have in common? They are no longer strong enough to protect the valuables housed inside. Like the walls of an old fortress, the cracks in the firewall are allowing the bad guys to slip in - unannounced and unnoticed. By the time these thieves get in, the damage is already done and the network is already compromised. Intellectual property is easily slipped out the back door leaving no trace of forced entry. If we want to reign in on these cybercriminals, it's hig...
May. 25, 2015 12:00 PM EDT Reads: 4,233
SYS-CON Events announced today that DragonGlass, an enterprise search platform, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. After eleven years of designing and building custom applications, OpenCrowd has launched DragonGlass, a cloud-based platform that enables the development of search-based applications. These are a new breed of applications that utilize a search index as their backbone for data...
May. 25, 2015 12:00 PM EDT Reads: 2,085
T-Mobile has been transforming the wireless industry with its “Uncarrier” initiatives. Today as T-Mobile’s IT organization works to transform itself in a like manner, technical foundations built over the last couple of years are now key to their drive for more Agile delivery practices. In his session at DevOps Summit, Martin Krienke, Sr Development Manager at T-Mobile, will discuss where they started their Continuous Delivery journey, where they are today, and where they are going in an effort ...
May. 25, 2015 12:00 PM EDT Reads: 1,789
Enterprises are fast realizing the importance of integrating SaaS/Cloud applications, API and on-premises data and processes, to unleash hidden value. This webinar explores how managers can use a Microservice-centric approach to aggressively tackle the unexpected new integration challenges posed by proliferation of cloud, mobile, social and big data projects. Industry analyst and SOA expert Jason Bloomberg will strip away the hype from microservices, and clearly identify their advantages and d...
May. 25, 2015 12:00 PM EDT Reads: 2,165
Mobile commerce traffic is surpassing desktop, yet less than 20% of sales in the U.S. are mobile commerce sales. In his session at 15th Cloud Expo, Dan Franklin, Segment Manager, Commerce, at Verizon Digital Media Services, defined mobile devices and discussed how next generation means simplification. It means taking your digital content and turning it into instantly gratifying experiences.
May. 25, 2015 11:30 AM EDT Reads: 3,638
Gartner predicts that the bulk of new IT spending by 2016 will be for cloud platforms and applications and that nearly half of large enterprises will have cloud deployments by the end of 2017. The benefits of the cloud may be clear for applications that can tolerate brief periods of downtime, but for critical applications like SQL Server, Oracle and SAP, companies need a strategy for HA and DR protection. While traditional SAN-based clusters are not possible in these environments, SANless cluste...
May. 25, 2015 11:00 AM EDT Reads: 1,819
Software Defined Storage provides many benefits for customers including agility, flexibility, faster adoption of new technology and cost effectiveness. However, for IT organizations it can be challenging and complex to build your Enterprise Grade Storage from software. In his session at Cloud Expo, Paul Turner, CMO at Cloudian, looked at the new Original Design Manufacturer (ODM) market and how it is changing the storage world. Now Software Defined Storage companies can build Enterprise grade ...
May. 25, 2015 11:00 AM EDT Reads: 4,618
Discussions about cloud computing are evolving into discussions about enterprise IT in general. As enterprises increasingly migrate toward their own unique clouds, new issues such as the use of containers and microservices emerge to keep things interesting. In this Power Panel at 16th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists will address the state of cloud computing today, and what enterprise IT professionals need to know about how the latest topics and trends affec...
May. 25, 2015 11:00 AM EDT Reads: 1,810
SYS-CON Events announced today that EnterpriseDB (EDB), the leading worldwide provider of enterprise-class Postgres products and database compatibility solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. EDB is the largest provider of Postgres software and services that provides enterprise-class performance and scalability and the open source freedom to divert budget from more costly traditiona...
May. 25, 2015 11:00 AM EDT Reads: 1,892
Fundamentally, SDN is still mostly about network plumbing. While plumbing may be useful to tinker with, what you can do with your plumbing is far more intriguing. A rigid interpretation of SDN confines it to Layers 2 and 3, and that's reasonable. But SDN opens opportunities for novel constructions in Layers 4 to 7 that solve real operational problems in data centers. "Data center," in fact, might become anachronistic - data is everywhere, constantly on the move, seemingly always overflowing. Net...
May. 25, 2015 11:00 AM EDT Reads: 4,895
To manage complex web services with lots of calls to the cloud, many businesses have invested in Application Performance Management (APM) and Network Performance Management (NPM) tools. Together APM and NPM tools are essential aids in improving a business's infrastructure required to support an effective web experience... but they are missing a critical component - Internet visibility. Internet connectivity has always played a role in customer access to web presence, but in the past few years u...
May. 25, 2015 10:00 AM EDT Reads: 5,745
There's Big Data, then there's really Big Data from the Internet of Things. IoT is evolving to include many data possibilities like new types of event, log and network data. The volumes are enormous, generating tens of billions of logs per day, which raise data challenges. Early IoT deployments are relying heavily on both the cloud and managed service providers to navigate these challenges. In her session at Big Data Expo®, Hannah Smalltree, Director at Treasure Data, discussed how IoT, Big D...
May. 25, 2015 10:00 AM EDT Reads: 4,250
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud en...
May. 25, 2015 10:00 AM EDT Reads: 2,080
SYS-CON Events announced today that MetraTech, now part of Ericsson, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Ericsson is the driving force behind the Networked Society- a world leader in communications infrastructure, software and services. Some 40% of the world’s mobile traffic runs through networks Ericsson has supplied, serving more than 2.5 billion subscribers.
May. 25, 2015 09:45 AM EDT Reads: 1,756