Under a cloud of suspicion?

In previous issues I have looked at the legal issues surrounding cloud computing. In this final article I look at concerns, debunk myths and suggest issues that lawyers thinking of implementing cloud computing might wish to consider. (See all articles in the series.)

Is cloud computing secure?

Arguably no solution is ever 100 per cent secure, so what we really mean is whether the use of a cloud computing solution is any less secure than a traditional data storage solution. If that is the question, I would venture to suggest that the answer would be in the affirmative, at least in a qualified way. A private cloud (one where the data controller has real and verifiable control over the processor) is inherently more secure than a public cloud can ever be. If the security considerations are dealt with properly and the data controller ensures that the cloud processor complies (at the lowest standard) with the Data Protection Principles, cloud computing need be no less secure than an internally hosted solution. Indeed, unless the enterprise has a very significant IT department, it is likely that the cloud provider will have greater security expertise and capability, as it offers the same or similar solutions to other customers and can therefore spread the cost, and other resources, over a wider range of systems.

On the other hand, a badly conceived public cloud could lead to dataset contamination and cross-system access; nothing removes the need to perform robust due diligence on anyone to whom you are considering entrusting your data.

If the data is not secured (i.e. encrypted with a strong encryption model) before it leaves the control of the enterprise, you are failing to take reasonable precautions to protect it. If the data is subjected to what has been described as “pre-internet encryption” (“PIE”), all that the cloud provider will see is a “blob” of random data; even if the security of the cloud provider is compromised, the encrypted user data will be unaffected. However, this security has a consequence for usability, which may be fatal in a law firm context: if the data is encrypted before it leaves the enterprise, the cloud provider cannot assist in recovering the data if the encryption password is lost, and the mobile accessibility of the data may be diminished. These are the considerations that the data controller needs to weigh up before signing on to a cloud solution.

Where is it … (right now)?

The cloud means that data is everywhere and nowhere simultaneously. What legal rights exist in relation to the security of the data will depend strongly on its physical location. Yes, contractual provisions requiring certain standards to be met are helpful, but they do not obviate the need for due diligence to ascertain where your data is; remember that this may be a moving target, as data is moved around the world depending on data storage costs and data centre storage availability. Additionally, it makes good sense from a data protection perspective (not in the sense of the Data Protection Act, but in the sense of securing data) that data is dispersed and/or replicated throughout the world. Not only does this make it faster to access, it also lessens the risk from disaster, natural or otherwise.

On the other hand, the access of third parties to the data will depend on the local law of the place where the data is stored. That is another risk. A system which has clear and determinable legal rules may provide you with the security you crave; however, that very system may lead to a greater likelihood that third parties will have legal access to the data. Conversely, a less open society will always run the risk that your remedies for a data breach will be very restricted. The choice is yours or your client’s.

Of course, if you have chosen a secure PIE model, the physical location of the data may be less relevant, as the data cannot realistically be decrypted and accessed; if the cloud provider never has the passwords necessary for decryption, it cannot compromise security by storing passwords on Post-it® notes stuck to the underside of the keyboard.

Patriots and the hidden agencies

Much has been made of the US Patriot Act and the supposed ability of the US security forces to utilise it to gain access to the data of parties; indeed it has even been suggested that industrial espionage (or state support thereof) might be the reason for data access. Even if the data centre were outside the normal jurisdictional reach of the United States, it has been suggested that the US authorities could compel a US company to disclose data which it was holding outside the United States. The wide jurisdiction of the US authorities would seem to support that analysis, and indeed comments attributed to major US corporations seem to agree.

However, from a US perspective, the Patriot Act is but one of a myriad of laws allowing the authorities to seize and examine data – it is merely one of the more high-profile ones. Others include the Foreign Intelligence Surveillance Act (FISA) and its amendments; Title 50 USC, Section 188a; the Electronic Communications Privacy Act (“ECPA”); and the Stored Communications Act (“SCA”). Suffice it to say that even without the Patriot Act, the authorities were not seriously hampered. Whilst the Fourth Amendment gives US citizens certain protections against invasion of privacy, the US legal system is significantly less concerned with the interests of foreigners, and therefore the legal safeguards available to people and businesses in the UK are somewhat weaker.

Similar laws exist in other jurisdictions (including the UK) allowing the security (and other) entities to access data with or without a warrant. In the UK the Regulation of Investigatory Powers Act (and its Scottish equivalent) were designed to provide some oversight to the activities of those engaged in surveillance; the mere fact that parliament considered it necessary to provide some legal oversight indicates that the surveillance must have been happening; and, of course, it is possible that in certain areas of national security, of whatever country, the appropriate authorities engage in data access outwith the overt legal avenues.

How to sleep at night

Given the issues (actual, potential or perceived) of data security and cloud computing, how best can a business protect itself and its data as it moves to the cloud? Of course most businesses and indeed most users already have exposure to the cloud even if it be limited to use of one of the webmail systems.

Nothing beats proper due diligence of your cloud computing provider, whether for email, storage or a more extensive IaaS or SaaS solution. If you do not ask the questions and obtain detailed, coherent and satisfactory responses, perhaps you have only yourself to blame if the cloud provider fails to protect your data.

Use a robust system of data encryption before the data leaves your control. Once you have hit send, or save, and the data has passed from your absolute control to the cloud, and via an unknown number of hops to the cloud provider or back, you really have very little control over who sees the data and who has access to it. If you have used a PIE solution, that will not matter; if, on the other hand, your data has been transmitted in the clear, you might as well have used postcards.

Ensure that you have a proper contract with the cloud supplier; a survey done by one of my Italian colleagues suggests that the standard conditions of many of the major cloud providers fail to meet the basic standards of security, oversight and control.

What liability does the cloud provider have for data breach, for confidentiality, for failure to carry out your instructions (timeously), for availability, for downtime and disruption? Will the cloud provider whom you have so carefully selected and audited (hopefully on a regular basis) itself store or back up the data in its possession (your data) with a provider who is less acceptable to you? Remember that in the data storage chain your data security is that of the weakest link. Where will the data be stored? Can you be certain that it will not be mirrored elsewhere in the cloud provider’s group or through third parties?

If the data you are storing is sensitive personal data or similar, perhaps a SaaS solution using the public cloud does not meet data protection requirements. The use of PIE may mitigate some of that risk, but the risk still exists, as you cannot know absolutely where your data will be or who will be able to access it, despite any contractual assurances to the contrary.

Don’t worry!

This may seem a strange final comment after the foregoing! Much is said about how the cloud is less secure than storage of data on your own premises, but is data in your possession (physically or digitally) really 100 per cent secure? Of course it’s not! It’s all about risk identification and risk mitigation, not about risk elimination.

The cloud is with us to stay; new impending developments in distributed storage may increase data security, but nothing will replace proper preparation, investigation and ongoing monitoring of one of your most important assets.

David Flint is a partner in and heads the Intellectual Property, Technology & Commercial Group at MacRoberts LLP, Glasgow, Edinburgh and shortly Dundee and, thanks to cloud computing, a large number of other locations. He has been advising on computer law issues for over 30 years.

Email df@macroberts.com.