Print Edition, May 2010

Cloud computing

By Yves Giard + André Lessard
Illustration: Ryan Snook

Decisions about switching to cloud computing should be based on sound practices despite any limitations

Cloud computing — providing Web-based services to the public using networks, servers, data warehouses, software applications and Internet services managed by a third party — is an attractive option for companies that view investing capital in computing infrastructure as inefficient. These companies can move their computer processing to a virtual environment, ensuring that costs are more closely tied to the services offered and minimizing their fixed costs. Cloud computing has many advantages. It can be adapted to the size of the business and quickly implemented, and it is transparent in terms of costs and can deliver services that are not available internally. Nevertheless, an organization needs to consider a number of issues before switching to cloud computing.

Data monitoring
One of the distinctive features of cloud computing is that data can be located, shared and stored in several countries, depending on what the service provider decides. When a company opts for cloud computing, it relinquishes control over its information channels. Accordingly, the different laws in the countries where the data circulates can make it difficult for an organization to ensure adequate protection of information. For example, in the US, laws such as the USA Patriot Act and the Stored Communications Act have an impact on data confidentiality.

A company can sign a contract with a provider to share data confidentiality risks, but a contract doesn’t change the fact that a law in one country does not necessarily apply in all countries involved. Another solution could be to protect information through encryption, a highly regulated practice. For example, it is prohibited in Libya unless the encryption software is provided to the government.

Transborder data flows can clearly lead to privacy risks. The European Parliament’s Directive 95/46/EC prohibiting the transmission of personal data beyond its borders except in specific circumstances could also create problems. Imagine the consequences if information stored in a European country suddenly becomes irretrievable. While this example doesn’t apply to Canada, it highlights the importance of understanding regional regulations before transferring data to other countries. It’s also important to ensure that governments cannot access cloud-computing data for investigative or surveillance purposes without obtaining the required rights and permissions.

In April 2009, the FBI, authorized by a court order, seized computer servers in an attempt to gather evidence on two men accused of fraud who were using the servers in their operations. However, after the seizure a dozen other businesses were unable to use their IT systems because they were part of a network sharing the seized servers. While such a situation is rare, it shows that in the event of a jurisdictional conflict over hosting infrastructures, an organization using cloud computing could find itself subject to an executive power over which it has no control.

Intellectual property
Similarly, how can we claim title to intellectual property when business information can be accessed by a third party (a service provider, an authority or any other Internet user)? Where intellectual property rights are concerned, there is some disclosure-related risk when using the Internet.

In September 2000, the World Intellectual Property Organization (WIPO) published a document providing an overview of existing laws and including a number of suggestions. Based on an April 1997 resolution of the International Association for the Protection of Intellectual Property (AIPPI), the WIPO document addresses Internet information accessibility criteria.

“AIPPI considers that the mere fact of transmitting information by means of a computerised network will not result in the information becoming available to the public, and in consequence being disclosed. Account should be taken of the level of accessibility to the network, which is determined by, inter alia:

  • the technical characteristics of the network;
  • the method of communication; and
  • the access and security provisions.”

These criteria are reflected in current case law. In 2004 in the US, an author filed a lawsuit against Google (Field v. Google) because the search engine made some of his work available through Google Web Search, a good example of cloud computing. Because this technology allows website operators to exclude all or some of their website content from Google searches, the Nevada District Court ruled in Google’s favour, concluding that the Internet isn’t the legal jungle it’s perceived to be. A level of protection does exist if the necessary precautions are taken.

Risk management and compliance
Under the Sarbanes-Oxley Act, the Basel Accords and the PCI Data Security Standard, the ability to demonstrate compliance is fundamental. When organizations outsource to cloud-computing services, it is often assumed the service provider is responsible for technical solutions. This issue should be addressed in the service contract. Two examples of relevant provider policies are set out in Google and Amazon customer agreements:

Google Apps: “Google and Partners do not warrant that (i) Google Services will meet your requirements, (ii) Google Services will be uninterrupted, timely, secure, or error-free, (iii) the results that may be obtained from the use of Google services will be accurate or reliable, (iv) the quality of any products, services, information, or other material purchased or obtained by you through Google services will meet your expectations, and (v) any errors in the software will be corrected.”

Amazon EC2: “You represent and warrant: (i) that you are solely responsible for the development, operation, and maintenance of your content, including without limitation, the accuracy, security, appropriateness and completeness of your content.”

Unless a company can rely on an excellent business relationship with the provider in question, providers do not, as an industry trend, voluntarily offer guarantees that satisfy security, information monitoring and computerized processing requirements. Accountability and internal monitoring mechanisms are therefore key criteria when considering cloud computing. In other words, if monitoring issues are likely to interfere with compliance, cloud computing is not the right solution.

In addition to compliance risks, the cloud-computing environment must be compatible with other platforms. This is not a matter of measuring the complexity of configurations or interfaces. Instead, the likelihood that the provider could cease operations or hand them over to another provider should be taken into account. The key is to determine whether the level of dependence on a provider is compatible with the organization’s objectives and to anticipate possible problems and costs. Issues relating to potential back-up systems could also affect the relevance of the cloud-computing option. In short, supporting applications that are essential to a company’s everyday operations with cloud computing could pose a significant risk.

Distinctive features
Providers must recognize that standards applicable to a particular industry, such as the healthcare, transportation or financial services sectors, all have distinctive features in terms of monitoring, personal information management and inherent risks. Companies that offer cloud-computing services will have to adapt to each industry and introduce sector-specific mechanisms before cloud computing can be considered.

Moreover, key applications often need 24/7 technical support, which isn’t always possible in cloud-computing environments where minimum delays of one hour are frequent.

Other important issues relate to the implicit use of the Internet for communication purposes. Unless the user has put a secure link or encrypted line in place, communication on the Internet takes place in the open. What’s more, the user may also employ an old version of a browser that has security weaknesses. A company’s reputation for stringent security standards will extend to its cloud-computing environment, where standards might not be so strict. Unscrupulous individuals could take advantage of this situation. Since standards for cloud-computing sites are not perfectly clear, in some cases it could be difficult to determine who should take action when information security is breached. Recent experience also shows that service availability is an important issue to consider. Many reputable websites have experienced prolonged service interruptions.

Accordingly, cloud-computing decisions should be based on sound practices, despite the limitations they could impose. A company could simply decide to keep information in its own computing environment and to establish a secure link to an external site for data required for cloud computing. Using several service companies to limit risk is another option. Finally, a company’s key applications should be stored internally unless it has a specific analysis procedure and setup in place that will eliminate cloud-computing risks.

Independent report on the quality of internal controls
As specified in Section 5900 of the CICA Handbook — or in the manner of a WebTrust or SysTrust report — an independent report on the quality of internal controls may help minimize control and security concerns associated with cloud computing. This report presupposes that relevant accepted standards have been adopted in this area that allow for a comparison of services offered by a given provider. Cloud Security Alliance, created in 2008 to develop standards for cloud computing websites, is currently involved in consultations that could lead to the development of internal control standards similar to those in the credit card industry. Once these standards are well known and understood, it will be easier to establish an audit framework that will improve the use and monitoring of cloud computing. Because of the impact that a security breach could have on cloud-computing service providers, standards should be even more stringent than those currently regulating other types of environments.


André Lessard, CMA, is with the risk management group at RSM Richter Chamberland in Montreal.

Yves Giard, LLM, CA, CISA, is senior consultant with the same group at RSM Richter Chamberland.

Technical editor: Yves Nadeau, CA, partner, audit and risk management, RSM Richter Chamberland

CAmagazine - Centennial - 1911-2011