.png)
By now, most organisations out there, regardless to the sector which they are associated with, are using some form of Cloud computing and the trend only grows.
With that, further responsibilities are ought to be considered, to include legal matters. Doing so, would ensure that we make an informed decision, especially in our choice of a Cloud Service Provider (CSP). Additionally, we can adequately protect ourselves from the adverse effects of these legal matters in cloud computing.
Protecting the Data
Data protection is one of the most critical legal issues we must consider when using the Cloud for production operations. It is especially important if the business includes handling personal data of individuals in any form. There are data protection regulations with strict provisions on how to handle the personal data of individuals.
Under most of these regulations, including the General Data Protection Regulation (GDPR), which deals with handling data of EU citizens, we can’t export personal data of any kind to the Cloud without going through the legal process and obtaining the necessary consent. We must also comply with the data protection standards as stipulated by these regulations (or as been advised by the Legal team). Failure to do so, would attract strict sanctions, fines, reputational impact, potential customers compensations and overall financials losses.
Ensure to identify and classify the data in scope, before being migrated or generated on the Cloud and continuously while in the Cloud. This will allow us to identify and embed the appropriate security controls to protect data initially and overtime.
Don’t forget, CSPs are responsible for the security of the Cloud and we are responsible for securing the data in the Cloud!
Privacy & Security
Another essential legal issue in Cloud computing that we should pay attention to, is data privacy and security. If a third party receives unauthorised access to private information about our customers, it can endanger the company’s reputation overall. The business risks are very much related to losing sensitive and corporate confidential information in the case of a security breach, or in the case of an (intentional/unintentional) data leakage. In the CSP selection process, we want to ensure we engage a CSP that would offer us the highest privacy and security standard possible.
Data Ownership
It is safe to assume that we, the organisation, own all the rights to data sent to the Cloud by our teams or partners. However, it is advisable that the Service Level Agreement (SLA) with the CSP expressly indicates that our organisation has full rights (Intellectual Property) to the data stored in the cloud and can retrieve it upon request. It is also essential to have these provisions in place, especially concerning data generated inside the Cloud. The CSP may wish to claim newly generated data because it was generated in the Cloud through a data analytics solution, or through any other similar mean. Though such extreme use-cases are fairly rare, do not leave anything in the hands of your presumptions of how willingly the CSP will cooperate when we would need them the most; contracts and SLAs are here for a reason – this is one of those reasons.
Jurisdiction
The issue of differences in laws applicable across different jurisdictions, is one of the legal issues in Cloud computing. For instance, a government can require from CSPs to disclose customers data in certain jurisdictions. However, in some other jurisdictions, there is express protection for data stored in the Cloud and in those jurisdictions, governments cannot access it without following due process. Therefore, we may want our SLA to contain express provisions that the CSP can only hold our data in specific jurisdictions.
In any solution or a change which we are being involved with as part of the Security team, we must be mindful and actively map out all data flows in scope of our products/solutions and their locations/jurisdictions (e.g. Data can be stored/flow in a EU country/Region at your choice, but the backup of it could be in a different EU country/Region, or even in a US or an ASIA Pacific region, etc.), ensuring flows are aligning to legal requirements and do not introduce further security issues.
Conclusion
While these legal concerns are not exhaustive, they are some of the most important ones we need to consider when we decide to use the Cloud for our business operations. As much as we want to use the Cloud for its many benefits, we must not ignore the legal considerations highlighted above.
As (Cloud) Security matter experts, we ought and it’s our duty to provide this guidance to the various teams which we are working with and act as the “glue” to other departments in the Business (e.g. Data Governance, Privacy, Legal), where those functions exists, ensuring they are at the very least aware of ongoing initiatives related to data migration/handling/protection in a Cloud platform.
We are not Legal or Privacy experts, far from it, but as this and more touches many of the security controls which we are expecting to be put in place for data, Cloud platforms and anything in between, then it is also in our best interest to have the legal procedures well embedded (shifted left) , within the SDLC and business processes.
**Sources:
- Cloud Security Alliance (CSA) Reference Architecture (Version 2.0)
- (ISC)² CCSP certification exam materials
- 'AWS Certified Security Speciality' certification exam materials
- 'Azure Security Technologies certification exam materials
- NCSC (National Cyber Security Centre); Cloud Security Principles
- Broad projects experience
- Online information