Cloud Computing: Legal and Regulatory Issues

Technological and security issues aside, there are also a host of other regulatory, compliance and legal issues to consider when moving to the cloud.

Vic (J.R.) Winkler

Adapted from “Securing the Cloud: Cloud Computer Security Techniques and Tactics” (Syngress, an imprint of Elsevier, 2011)

The legal and regulatory landscape around cloud computing is by no means static. There are new laws being proposed that could change the responsibilities of both cloud computing tenants and providers.

Cloud computing that employs a hybrid, community or public cloud model “creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios,” according to Glen Brunette and Rich Mogull of Cloud Security Alliance, in their white paper, “Security Guidance for Critical Areas of Focus in Cloud Computing.”

This creates practical challenges in understanding how laws apply to the different parties under various scenarios. Regardless of which computing model you use, cloud or otherwise, you need to consider the legal issues, specifically those around any data you might collect, store and process. There will likely be state, national or international laws you (or, preferably, your lawyers) will need to consider to ensure you are in legal compliance.

If the tenant or cloud customer operates in the United States, Canada or the European Union, they’re subject to numerous regulatory requirements. These include Control Objectives for Information and related Technology and Safe Harbor. These laws might relate to where the data is stored or transferred, as well as how well this data is protected from a confidentiality aspect.

Some of these laws apply to specific markets, such as the Health Insurance Portability and Accountability Act (HIPAA) for the health-care industry. However, companies often store health-related information about individual employees, which means those companies might have to comply with HIPPA even if they’re not operating in that market.

Failure to adequately protect your data can have a number of consequences, including the potential for fines by one or more government or industry regulatory bodies. Such fines can be substantial and potentially crippling for a small or midsize business. For example, the Payment Card Industry (PCI) can impose fines of up to $100,000 per month for violations to its compliance. Although these fines will be levied onto the acquiring bank, they’re likely to impact the merchant as well.

Laws or regulations typically specify who within an enterprise should be held responsible and accountable for data accuracy and security. If you’re collecting and holding HIPAA data, then you must have a security position designated to ensure compliance. The Sarbanes–Oxley Act designates the CFO and CEO to have joint responsibility for the financial data. The Gramm–Leach–Bliley Act is broader, specifying the responsibility for security with the entire board of directors. Less specific is the Federal Trade Commission (FTC), which just requires a specific individual to be accountable for the information security program within a company.

Third-Party Involvement

If you use a cloud infrastructure sourced from a cloud services provider, you must impose all legal or regulatory requirements that apply to your enterprise on your supplier as well. This is your responsibility, not the provider’s. Taking the HIPAA regulations as an example, any subcontractors that you employ (for example, a cloud services provider) must have a clause in the contract stipulating that the provider will use reasonable security controls and also comply with any data privacy provisions.

In the United States, both federal and state government agencies such as the FTC and various attorneys general have made enterprises accountable for the actions of their subcontractors. This has been replicated elsewhere, such as in the EU with the data protection agencies. As the use of cloud infrastructure becomes more prevalent, the risks of a third party accessing data illegally are rising as well.

Even with encrypted data, the third party might have access to keys and therefore have access to the underlying data. Often the risks are magnified, as there could be a number of third parties involved: the cloud provider; cloud support; operations; and management teams; plus others who manage and support applications. Contractors who work for any of those organizations could further compound the dissipation in control.

Contractual Issues

These are some of the issues you must consider at all stages of the contractual process:

  • Initial due diligence
  • Contract negotiation
  • Implementation
  • Termination (end of term or abnormal)
  • Supplier transfer

Initial Due Diligence

Prior to entering into a contract with a cloud supplier, your enterprise should evaluate its specific needs and requirements. You should define the scope of the services you’re looking for, along with any restrictions, regulations or compliance issues that need to be satisfied. For instance, if you’re going to collect and store employee HIPAA data in the cloud, you must ensure that any supplier will meet the guidelines defined by the HIPAA regulations. Assessing the different laws and regulations your enterprise needs to abide by may well define what you can deploy in a cloud or which type of service you can use.

You should also rate any services you deploy to the cloud with respect to their criticality to your business. If you want to deploy a service that’s critical to the business or would cause a major disruption if it became unavailable, then you’ll need to factor this into your supplier evaluation.

As a number of suppliers are entering this market, it’s inevitable that some will fail or simply stop providing the service if they deem it isn’t profitable for them. Often, large companies will enter the market but leave it once the expected profit doesn’t materialize. If this is the core business of the cloud supplier, it might be willing to continue operating for longer with a smaller profit.

Questions that you should consider prior to evaluating cloud services providers include:

  • Is this cloud service a true core business of the provider?
  • How financially stable is the provider?
  • Is the company outsourcing any aspect of the service to a third party, and if so, does the third party have the appropriate arrangements with the provider?
  • Does the physical security of its datacenters meet your legal, regulatory and business needs?
  • Are its business continuity and disaster recovery plans consistent with your business needs?
  • What is its level of technical expertise within its operations team?
  • How long has the company been offering the service, and does it have a track record with verifiable customers?
  • Does the provider offer any indemnification?

Once your enterprise has performed such due diligence you can begin serious evaluation of providers. This will reduce the time you’ll spend overall in the negotiations and ensure that the correct level of security is in place for your particular needs.

You can’t expect your cloud supplier to know your business requirements in detail. It may well be unaware of the regulations to which it must adhere. If there’s a breach in regulations, it will be your enterprise that’s penalized and not your chosen cloud supplier. So choose well—but still do your homework.

Vic (J.R.) Winkler

Vic (J.R.) Winkler is a senior associate at Booz Allen Hamilton Inc., providing technical consultation to primarily U.S. government clients. He’s a published information security and cyber security researcher, as well as an expert in intrusion and anomaly detection.

©2011 Elsevier Inc. All rights reserved. Printed with permission from Syngress, an imprint of Elsevier. Copyright 2011. “Securing the Cloud” by Vic (J.R.) Winkler. For more information on this title and other similar books, please visit