Cloud legal issues II: Potential legal liabilities

By Carol Ko 13-Jul-2011

Thomas Shaw, Attorney at Law and CEO of CloudRisk Asia
In this second part of the interview with Asia Cloud Forum, Asia-based Attorney at Law and CloudRisk Asia CEO Thomas Shaw moves on to the role of in-house legal counsel in cloud service contract negotiations. While the decision to subscribe to a cloud service ultimately rests with IT or the business unit, lawyers should bear in mind the potential legal liabilities that arise in certain situations.

Asia Cloud Forum: Should in-house legal counsels step in during a cloud contract negotiation process?

Thomas Shaw: Absolutely, and the earlier the better. Depending on the size of the organization and the experience of the procurement, IT, or business division leading the outsourcing, the lawyer's role in evaluating legal, compliance, and information security and privacy risk is essential to ensuring that the organization adequately addresses the risks of obtaining cloud computing services.

There are too many risk factors that require expertise to address that would be outside the experiences of most organizational units. For example, if an organization is involved in litigation, or in a governmental investigation and the plaintiff or government makes a request or demand upon the cloud service provider (CSP) for the organization's data, what should the CSP do? And when and how should the organization be notified?

For applications under a Software-as-a-Service (SaaS) model, can compliance with records retention requirements still be maintained? Do the tools in a Platform-as-a-Service (PaaS) offering require proprietary APIs (application programming interfaces) to access data files? Do virtual machines spun up under an IaaS offering not contain any security information? This means that encryption keys or any authentication data, for example, is never retained inside a VM image.

On technology architecture, systems outsourced to the cloud may still need to interface with legacy systems but have the data-passing APIs changed during the migration. Organizationally, what happens to the expertise in the IT team when a function is outsourced to the cloud? These are just a few of the many, many risks to evaluate in assessing a CSP.

Asia Cloud Forum: What are the potential legal liabilities in-house counsel should bear in mind for these situations?

a. IT or a business unit insists on adopting a cloud service, but the contract terms are heavily biased towards the vendor.

Shaw: If organizations follow a few of the points mentioned above, to have the technology-knowledgeable lawyer involved from the beginning and to understand their negotiating leverage, this will lead them to centralizing this role, even if the business unit or IT is the cloud project driver. This will allow for negotiating leverage and knowledge to ensure that agreements are more balanced between the parties.

b. Corporate data in the cloud get stolen or leaked without anyone claiming responsibility.

Shaw: Data breaches are something that I believe organizations must plan for. The recent spate of visible breach announcements (e.g., Google, RSA, Sony, Nintendo, Honda America, Lockheed, etc.) should lead organizations to believe it is likely that their data could be breached. So is the organization's data encrypted and who has access to the encryption keys?

"[M]any data breach laws do not require that the data subject be notified unless there is the possibility of some type of harm that will befall these individuals from the disclosure of their data."

-- Thomas Shaw, Attorney at Law

The answer depends somewhat on which cloud deployment model (SaaS, PaaS, IaaS) is being used, but this must be at the top of the most critical control issues to resolve before migrating data to any CSP.

Encryption should be utilized across the whole data lifecycle, including storage, use, transmission, and backup, which is likely much more than it is inside most organizations now... Access to encryption keys should be limited to a small number of people and all access to them logged.

Organizations should always assume that a data breach will occur. So beyond encrypting their data, there are a series of data breach laws that require notification to the data owners. The organization and the CSP need to work out in advance who is going to take responsibility for those notifications, and the organization needs to make it clear who needs to be notified.

If the data that is breached belongs to the customer of the organization, then that customer may also need to be notified. There may be contractual commitments the organization has made to its customers on notification as well, plus certain statutes or industry regulations may require that regulators or law enforcement are also notified.
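Shaw's answer above calls for encryption across the whole data lifecycle, with access to the encryption keys limited to a small number of people and every access logged. The following Go program is an added illustration of that pattern and is not code from the interview, Asia Cloud Forum or CloudRisk Asia: a key custodian (here called KeyVault, an assumed name) holds the master key, only allow-listed principals may have per-object data keys wrapped or unwrapped under it, and every attempt, granted or denied, is written to an audit trail. The object data itself is protected with a fresh data key (envelope encryption), so what reaches the CSP is ciphertext plus a wrapped key, neither of which is useful without the custodian. The function names, the principals "backup-service" and "analyst-laptop", and the sample record are all constructed for this example; only the Go standard library's AES-GCM is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// AuditEntry records one attempt to use the master key, whether granted or denied.
type AuditEntry struct {
	When      time.Time
	Principal string
	Operation string // "wrap" or "unwrap"
	Granted   bool
}

// KeyVault stands in for the key custodian: the master key never leaves it, and every use is logged.
type KeyVault struct {
	master  []byte          // AES-256 key-encryption key; in production this lives in an HSM or KMS
	allowed map[string]bool // the small set of principals permitted to use the master key
	Audit   []AuditEntry
}

// authorize logs first and checks second, so denied attempts are visible to reviewers too.
func (v *KeyVault) authorize(principal, op string) error {
	ok := v.allowed[principal]
	v.Audit = append(v.Audit, AuditEntry{When: time.Now(), Principal: principal, Operation: op, Granted: ok})
	if !ok {
		return fmt.Errorf("principal %q is not permitted to %s data keys", principal, op)
	}
	return nil
}

// newAEAD wraps a raw AES key (16, 24 or 32 bytes) in AES-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWithKey returns nonce||ciphertext||tag under a fresh random nonce.
func encryptWithKey(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptWithKey reverses encryptWithKey; GCM's tag check rejects any tampering.
func decryptWithKey(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// EncryptObject performs envelope encryption: a fresh random data key protects the object,
// and the vault wraps that data key under the master key. Both outputs go to the CSP's storage.
func EncryptObject(v *KeyVault, principal string, data []byte) (wrappedKey, ciphertext []byte, err error) {
	if err := v.authorize(principal, "wrap"); err != nil {
		return nil, nil, err
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	if wrappedKey, err = encryptWithKey(v.master, dataKey); err != nil {
		return nil, nil, err
	}
	if ciphertext, err = encryptWithKey(dataKey, data); err != nil {
		return nil, nil, err
	}
	return wrappedKey, ciphertext, nil
}

// DecryptObject unwraps the data key (allow-listed and logged) and then decrypts the object.
func DecryptObject(v *KeyVault, principal string, wrappedKey, ciphertext []byte) ([]byte, error) {
	if err := v.authorize(principal, "unwrap"); err != nil {
		return nil, err
	}
	dataKey, err := decryptWithKey(v.master, wrappedKey)
	if err != nil {
		return nil, err
	}
	return decryptWithKey(dataKey, ciphertext)
}

func main() {
	// Constructed all-zero demo key standing in for a KMS-held master key.
	vault := &KeyVault{master: make([]byte, 32), allowed: map[string]bool{"backup-service": true}}
	wk, ct, _ := EncryptObject(vault, "backup-service", []byte("customer record"))
	_, err := DecryptObject(vault, "analyst-laptop", wk, ct) // not on the allow-list
	fmt.Println("denied:", err, "| audit entries:", len(vault.Audit))
}
```

The point of the split is that the CSP only ever stores wrapped keys and ciphertext, so a leak on the provider's side yields nothing without a logged unwrap at the custodian, and the audit trail gives the organization the "who accessed which key, when" record it needs when working out breach notification with the CSP.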
