The risky business of the cloud

Cloud is a game changer for business IT but the Prism scandal is a timely reminder of why understanding and managing the risks inherent in these services is critical for managers and boards.

Cloud computing has been one of the game changers of business IT; however, no change comes without risks, as a University of New South Wales report on the trend revealed earlier this week.

The University of New South Wales’ Cyberspace Law and Policy Centre’s “Data Sovereignty and the Cloud” white paper released in Sydney on Tuesday is a guide for executives and company directors on the technical, legal and governance risks arising from adopting cloud computing services.

Critics of cloud computing have long pointed out the risk of foreign governments accessing business data, particularly US agencies using the country’s Patriot Act. In the wake of Edward Snowden’s revelations on government internet spying, those claims have been largely vindicated.

The UNSW report recognises those risks and seeks to put them in perspective while identifying other traps such as the jurisdiction of foreign privacy laws, contractual requirements and even the limitations of insurance policies in a connected marketplace.

Launching the guide on Tuesday, Australian Media and Communications Authority head Chris Chapman described how almost three quarters of Australians use cloud services but have “a limited understanding of how the cloud works.”

That limited understanding extends to executives and even IT professionals. Identity management expert Steve Wilson of Lockstep consulting pointed out that “in 1990s network diagrams the cloud represented the unimportant, outside world of the internet.”

Now that cloud computing has become a basic business function, understanding and managing the risks inherent in these services has become critical for managers and boards.

“This topic has gone from nervous lawyer’s backroom stuff to mainstream business risk management topic in a couple of years,” states David Vaile of the UNSW Cyberspace and Law Centre.

One concern of the experts is the difference between national privacy regulations, with Australia’s being more aligned with European principles than those of the United States. This may leave local businesses liable for breaches which are not illegal in the cloud service provider’s home country.

Not all cloud providers are created equal and there are distinct differences between different services in terms of the security and service they provide. Major players like Google, Microsoft and Amazon each have distinctly different approaches to how data is stored and the control customers have over it.

Ultimately the responsibility for compliance comes back onto the Australian company. “It doesn’t matter where or under whose law your data is hosted,” states Vaile. Regardless of where information is saved, Australian companies are still liable under Australian law.

A clear message from the panel at the Sydney launch was that Australian law offers fewer protections from government snooping than most other developed nations.

“There's no constitutional protections in Australia as there are in the US, EU, and UK,” said Vaile. “We don't have any constitutional protections on free speech, privacy, and rights against search and seizure.”

Boards hoping their insurance cover will foot the bill for any losses may be disappointed. “The problem is that conventional insurance programs typically do not provide the depth of cover that cyber risks of today are presenting businesses,” said Eric Lowenstein of insurers AON.

So the risks of cloud computing and big data sit firmly with management and boards, and executives have to understand the hazards so they can adequately manage them.

Edward Snowden and Bradley Manning’s leaking of information illustrates that computer security risks are not limited to cloud services or the private sector. “The NSA is a very timely reminder of the risks,” Craig Scroggie of data centre NextDC said. “If the largest spy agency can’t protect their information, then what chance do I?”

Lockstep’s Wilson summed up the security issues wisely: “There’s no such thing as perfect security, but equally there’s no such thing as no security.”

Understanding that we’re not in a perfect, secure world is an important step to effectively managing risks, and the Data Sovereignty and the Cloud report is a useful guide for executives looking to identify the hazards in data systems.

Paul Wallbank is one of Australia's leading business and technology bloggers. His business, Netsmarts, helps organisations adapt to the new ways of doing business online.