Cloud legal issues I: 'Must-do' items in contract negotiations
By Carol Ko 11-Jul-2011
While info-security and data privacy issues still top the concerns list of most cloud-adopting organizations, they should look beyond the mere maintenance of appropriate controls. This is especially true for organizations with operations worldwide, for whom the challenge is more about complying with the info-security and privacy laws of each country. According to Asia-based Attorney at Law Thomas Shaw, the use of cloud may also implicate statutes and regulations where an organization's data is transparently moved ("data mobility") by cloud service providers (CSPs).
In an interview with Asia Cloud Forum, Attorney at Law Thomas Shaw addresses a wide range of legal issues surrounding cloud computing. Shaw is the author of the recently published book Cloud Computing for Lawyers and Executives: A Global Approach. He is also CEO of CloudRisk Asia, an organization that specializes in helping cloud adopters assess the risks associated with cloud computing, including legal, information security, privacy, and compliance risks. More recently, Shaw presented at the Cloud Technologies Forum co-organized by Computerworld Hong Kong and Asia Cloud Forum, and discussed the risks associated with cloud computing.
Asia Cloud Forum: IT/business units often negotiate cloud contracts directly with cloud service providers (CSPs) without involving the legal team. What are their common oversights from the legal perspective?
Thomas Shaw: A business unit or IT team is going to understand the needs from their perspective, be it time or cost savings. But the enjoyment of these benefits is highly dependent on understanding and managing the risks.
"One common oversight is thinking of the cloud outsourcing process as simply throwing this service over the wall."
-- Thomas Shaw, Attorney at Law and CEO of CloudRisk Asia
A business unit in an organization is not going to understand in depth the legal, compliance, or audit requirements, while an IT team is not going to understand in depth the information security and privacy requirements coming from laws and contractual commitments.
One common oversight is thinking of the cloud outsourcing process as simply throwing this service over the wall. In addition to the technical integration that may be required between cloud systems and systems still run by the organization, including appropriate APIs, many of the incident response, business continuity, and data breach processes must be tightly integrated to be effective.
Another oversight is not demanding a non-proprietary, standards-based approach. While the cloud standards are still emerging, the areas for those standards most needed in the cloud have been laid down.
In your new book you mention the "data mobility principle." How can one apply it in the process of cloud contract negotiation?
Shaw: In my new book, the "data mobility" principle examines how it affects cloud service contractual provisions and legal compliance.
With data mobility, and given the elasticity and pooling of cloud resources, the organization's cloud-based data may move as needed to any location within the cloud that can provide the necessary resources -- including other CSPs and other countries.
It is essential to be able to control the location and processing of organization data, either through contractual provisions or through various location-monitoring tools the CSP may make available.
What are the 'must know' and 'must do' items in any cloud service contract negotiation process?
Shaw: Organizations must know the state of their own readiness to outsource to the cloud by performing a self-assessment. Without the ability to know what threats, controls, parameters, and metrics to look for, and the oversight capabilities to monitor contract performance, cloud outsourcing will not succeed.