Into the ether we go!

“Cloud computing promises to increase velocity with which applications are deployed, increase innovation, and lower costs, all while increasing business agility.” (“Introduction to Cloud Computing Architecture”, Sun Microsystems Inc, white paper, June 2009)

What is cloud computing?

The phrase “cloud computing” has been used in IT circles for some three or four years, but just what is it and why is it seen as so important? Is it really such a radical change in information technology?

Simply put, cloud computing is essentially a move away from the storing of applications, operating systems and data on a PC or on a private server in the office, with these services instead being provided by third parties via the internet. Essentially they are remote services – everything gets held and done remotely. It is the provision of on-demand services without having your own huge server or a massive CPU box under your desk to store all your applications and data.

At its simplest level, many readers may be unaware that they are already utilising cloud computing. If you use Hotmail or Gmail or any other web-based mail account (or indeed any social networking site such as Facebook, MySpace or Twitter), you are already participating in cloud computing. Under such accounts your data is stored on a vast network of storage facilities provided by remote servers which you access via the web.

We can take this a step further. If you don’t have word processing software installed on your laptop or PC, you can access the application known as “Google Docs”. This gives you online word processing and document storage capabilities, all without the need to install word processing software. In addition, one of the most user friendly features of this application is the ability to file share, i.e. users can access and edit documents, thus allowing much easier access by multiple users and eliminating the need for numerous email attachments. And provided you stick within the file storage limits, the service is free.

We have moved on greatly since the introduction of web-based mail accounts, and with wholescale commercial application, cloud computing is a much greater being. It is a service where you can purchase what you want, when you want and as much as you want. It can provide users with the ability to:

rent a server or as many servers as they want;

run complex modelling applications on powerful systems that are not owned by your business;

increase capacity where workload demands it;

store vast quantities of data (known sometimes as “cloud storage”), allowing your business to purchase as and when it requires additional storage (keeping unused storage to a manageable minimum).

Benefits to business

The benefits of cloud computing are numerous and include:

Substantial cost savings to business – what you don’t use you don’t pay for. No need for IT support, with limited hardware costs and limited licensing issues.

No real restrictions on location – the servers can be based anywhere in the world, wherever it is cost effective.

Device flexibility – you can log on using a laptop, PC or even a mobile device. Even if you lose your laptop you can still access your documents, as everything is held remotely, not stored on the hard drive.

But cloud computing is not a straightforward form of outsourcing. With it come a number of challenges that have to be addressed by any business, whether a legal practice or a global widget manufacturer.

Risks and legal concerns

Complex regulatory issues. For example the storage of your data on servers in another jurisdiction.

Interoperability/unavailability of service provider. Any cloud computing device relies on the internet, therefore if this was not available for any reason, it couldn’t work.

Data protection legislation.

Data confidentiality and security risks.

Reliability.

Database rights.

It can be very energy intensive. Large data centres are being built to store data. Data centres can be energy intensive.

Space precludes detailed discussion of all these issues here, but we will look at a couple of them.

Jurisdiction

The very basis of cloud computing is that it allows the transfer of data to anywhere in the world. As with all matters web-based, this causes issues to any business regarding jurisdictional concerns and that hazy world of the “laws of the internet”.

One specific area of concern is that of “e-discovery” in litigation – each jurisdiction has different rules. For example in the USA, regulations are in place granting rights to certain of their investigative government agencies to demand that they have access to data stored on a computer, irrespective of whether that computer is being hosted on behalf of another state. As such, if our data is held on a server in say California, the likes of the FBI could have rights of access to it when carrying out their investigations. Whilst it might be easy to say “well, I have nothing to hide”, it still begs the question why should they have access to it in the first place.

Data protection and privacy issues

Since your data is stored on the servers of your selected computing service company, you are essentially placing it into the hands of a third party. You therefore increase your exposure to the risk of loss of data and/or unauthorised access. How great that risk will be will depend on how robust the security measures taken by your chosen company really are.

One of the most talked about areas of concern is whether cloud computing is or can be data protection compliant. One of the Data Protection Directive’s key principles is that of the security of personal data. Every data controller has an obligation to keep personal data it processes, secure and free from wrongful interference. As with the above US example, in certain circumstances ensuring such security could prove difficult.

In addition, when a data controller collects personal data from you, they are obliged to advise you of what it will be processed for, including where it will be processed (a fair processing notice). Such transparency is a crucial element in enabling the data subject to make a freely informed choice about whether to hand over their personal data or not. Cloud computing presents us with a problem in this regard – where does the processing take place? It is therefore important to put in place contractual obligations from the outset between you as data controller and the data processor, and make due and diligent enquiry of the data processor to assess their understanding of what will happen with your data.

Data controllers also have an obligation to ensure that where there are data transfers outwith the European Economic Area (EEA), the receiving country has adequate measures in place to protect such personal data. This too could prove difficult, as one of the perceived advantages of cloud computing is that data could be processed and accessed in numerous separate jurisdictions – all outwith the EEA. As such, data controllers may find it difficult to comply with data protection obligations.

Confidentiality and security risks

Social networking sites demonstrate the concerns cloud computing may raise. Here we upload personal photographs, interact with our friends and family, arrange to meet people, and in some cases due to time and/or distance only ever communicate with them via such sites. After the initial apprehension, we become comfortable with disclosing things about ourselves, uploading pictures of the family wedding we attended and so on. We log on and off, when and where we want. We are “in control”.

But is our feeling of control misguided? Remember that this is a service provided by a commercial third party – we are invited into their playground, but only on their terms and conditions (remember the tick box on signing up!), and if the third party doesn’t like us they can close the gates. For example, you try logging onto your social networking site only to be met by the message “your account has been suspended” or “your account has been disabled”. You immediately wonder why, and if a frequent user you then start to wonder how you will be able to make contact with some of your friends, how you can get your photos back and/or off the site, and of course what on earth you did to be summarily dismissed.

Apparently, users who have their accounts suspended or disabled have often been the victims of a hacker: someone has guessed your password (or it was not as secure as you thought), and gained entry to your part of the playground and started sending unsolicited emails to your friends. You have lost control of your virtual world and the third party provider has had to put a stop to it, or at least part of it, temporarily. But did you ever really have any control – perhaps only in deciding whether you were going to upload something or not?

There are also concerns that some social networking sites may be in breach of local privacy laws, by disseminating our information to third parties for commercial purposes. This is not a new concern, but as recently as 18 August 2009 a group of Facebook users filed a lawsuit alleging that the site is violating Californian consumer privacy laws. This follows comments in July by the Canadian Privacy Commissioner, who expressed her concern over the lack of clarity regarding the deletion of personal data from a deactivated account and therefore the potential for Facebook to retain data indefinitely. This would be a breach of Canadian privacy laws (as in the UK) were this indeed happening and without suitable justification.

Net gain?

We have to ask, as we are moving swiftly into another era of computer technology where we will have less control over our own data, will the benefits to business really outweigh the potential shortcomings? We are handing over our data to third parties, businesses we don’t know anything about. When we place our money in a bank we have an expectation that it will be looked after; that it will be safe. As we hand over business assets to the cloud, will these be as safe as our money? Time will certainly tell; however, in the interim where we are handing over control we need to put in place adequate contractual measures to safeguard personal data and ensure business continuity.