Cloud Computing Considerations
AP Legal works in tandem with leading lawyers to identify the legal implications of developments in all areas. Here Elaine Gray, a partner in AO Hall, looks at the new IT concept of cloud computing.
AP Legal is a specialist division of AP Group, with a dedicated team of experienced recruitment consultants who place candidates in the field of law in London, regional centres of the UK and worldwide. We work with clients and candidates who specialise in Private Client law, Corporate law, Commercial law, Finance law, Real Estate law, IP, TMT, Family law and Dispute Resolution.
Cool those clouds
"In the beginning computers were human. Then they took the shape of metal boxes, filling entire rooms, before becoming ever smaller and more widespread. Now they are evaporating altogether and becoming accessible from anywhere."
(Report on corporate IT, The Economist, 25 October 2008.)
We can safely say that ‘cloud computing’ is very much in vogue. So what is it, why is it important and what are the risks? Can you get burnt by a cloud?
What is cloud computing?
In simple terms, cloud computing is just a way of providing services over and using the internet. Another term often used in this area is software as a service, or ‘SaaS’. Facebook and Hotmail are perhaps two of the best known media which use cloud computing. For Facebook, users log on to the Facebook site, check messages, interact with friends and upload photographs and applications. However, the material uploaded by the user is stored on the servers used by Facebook, rather than on the user’s home PC. Facebook generates a huge amount of such material, which it stores on huge servers. Increased server size and improving bandwidths allow concurrent users to access the servers.
The server solution.
It is in this area that the huge attraction of cloud computing becomes obvious. Large-scale cloud providers such as Sun Microsystems, IBM and Cisco have huge buying power and can achieve significant cost savings for server facilities. At present, most of us sitting in our offices will have a server situated somewhere in the building. We will have paid a hefty sum for that server and may well be frustrated to find (on a fairly regular basis) that its capacity lets us down.
Imagine a future where the server is the solution rather than the problem! Someone else has the capital outlay of buying and siting the server, maintains it with a team of experts and generally does all the necessary.
Is this all just pie in the sky thinking? Well, the component parts of cloud computing are out there already and technological innovations are already being combined in such a way that cloud computing seems here to stay.
Those clouds look ominous.
There is very little regulation of cloud computing at present, yet there are obvious business risks which need to be considered before you launch yourself into the clouds.
The Open Cloud Manifesto was published in the spring of 2009 and sets out certain key, high level principles which cloud providers should comply with. The Manifesto was set up by a number of leading providers such as IBM, Cisco and EMC. Although the document doesn’t have the status of formal guidance, it is a starting point in measuring your cloud provider’s commitment to good cloud control. You can find the Manifesto at http://www.opencloudmanifesto.org/.
Escrow protection.
One of the first risks businesses should think about arises when they are having a cloud set up for them. As an example, many financial services firms are buying SaaS products which involve the business using a particular software product from a provider, through a cloud or server facility. What happens if the SaaS provider goes bust or stops supporting the service?
The traditional ways of protecting businesses - escrow arrangements - are equally vital in the clouds. If your SaaS supplier goes under, having the source code in escrow can help minimise the impact on critical business functions.
Data protection and cloud control.
Perhaps the biggest risk presented by the clouds is in the area of data protection. Most cloud configurations involve data transfers across the world, often through several jurisdictions.
Certain jurisdictions are recognised as having established solid data protection regimes and, in broad terms, transfers of data to those jurisdictions will be in order. The UK and other European Union countries will fall into this category, for example. Outside the ‘safe’ list, businesses should ensure that data is only transferred under a carefully constructed agreement which regulates the transfer of data. Even for ‘safe’ jurisdictions, businesses should ensure that they have proper agreements in place dealing with the specific risks associated with their business.
Prevention is better than cure.
When negotiating for cloud computing services, businesses should:
· carry out a hazard or risk analysis of critical control points and take measures to address risks identified
· gain as much information as possible about the cloud computing provider and be satisfied that proper procedures are in place to safeguard data
· pay particular attention to the server facility – is adequate security and maintenance available?
· identify with the supplier which jurisdictions the data will cross
· identify which third parties could (potentially) access the data
· get guarantees from the providers and third parties about the way data will be processed by them
· make a satisfactory security audit a condition of entering into a contract and ensure there is a right to carry out further audits on a regular basis
· consider any sector-specific legislation which the provider must comply with e.g. in relation to banking confidentiality and make sure that the contract specifically requires the provider to adhere to amended legislative requirements
· consider implementing ‘onion cloud computing’, whereby layers of security coding are wrapped round the data to protect it as it is transferred across jurisdictions.
Internally, businesses can also help themselves by getting their customers to give specific consent to data transfers outside the recognised ‘safe’ jurisdictions. We are now used to seeing ‘click through’ contracts to access and use cloud services and it may be that this is an obvious and straightforward way for you to obtain and record your customers’ consent.
Even lawyers – traditionally very conservative creatures – are embracing the clouds, as ‘work on the move’ gadgets such as the iPhone and the Blackberry make it possible to work anytime, anywhere. Now why did they have to make that possible...?
This article is adapted from the work of Elaine Gray, a Partner at AO Hall, Guernsey. The full version appeared in the firm’s electronic newsletter, Red Letter.
To contact Elaine call +44 (0) 1481 723723 or email elaine.gray@aohall.com