risks and benefits of cloud computing

Download Risks and Benefits of Cloud Computing

Post on 08-May-2015




1 download

Embed Size (px)


  • 1.Looking at Clouds from both Sides Risks and Benefits of Cloud ComputingEmployment and Labour Law Conference May 24, 2012Tamara Hunter

2. What is Cloud Computing? 3. What is cloud computing? technologies that provide computation, software,data access and storage services that do not requireend-user knowledge of the physical location andconfiguration of the system that delivers the services(Wikipedia) delivered over a network (typically, the Internet) 4. Categories Infrastructure as a Service (IaaS) and Storage Delivers computer infrastructure, along with storage andnetworking Software as a Service (Saas) Delivers software without the need to install and run applications Platform as a Service (PaaS) Allows the development and deployment of applications without the need to purchase specific hardware or software 5. Benefits Cost Scalability User mobility Customizability Reliability? Performance? Security? 6. Cloud Computing:General Issues and Risks 7. General Issues and Risks Location and jurisdiction Data ownership Business interruption (service provider) Loss of access (customer) 8. General Issues and Risks Source code and escrow Migration Who can access? Backup and archiving 9. General Issues and Risks Security Destruction of data IP infringement 10. Cloud Computing:Litigation (E-Discovery) 11. Key Obligations Disclosure must disclose every relevant document in possession,control or power document is broadly defined Preservation must preserve all relevant documents Serious consequences for breach 12. E-Discovery Electronic documents increase scope, complexity andcost of discovery process Courts aware of importance of electronic documents 13. Cloud Computing and Discovery Disclosure and preservation obligations still apply Court does not care if you store data in your building orin the cloud only cares whether you have possessionor control 14. Cloud Computing and Discovery Consider risks: lost data non-compliant data preservation practices platform not easily searched sub-outsourcing 15. Cloud Computing and Discovery Cloud computing contract is key Maintain legal control over data Due diligence on cloud provider Ability to retrieve data in any circumstance 16. Cloud Computing:Privacy Law Compliance 17. When you think about Cloud Computing, consider itas mega-outsourcing 18. Regular outsourcing is when you store your data onyour own servers, but you send certain data to anoutside service provider or a service, so they canperform a function with the data and provide a product(e.g. send personalized cheques to your customers orprocess your payroll and arrange for direct deposits foryour employees). 19. Cloud computing means you dont have your ownservers anymore youve out-sourced that wholeinfrastructure 20. The key privacy law compliance issue is security ofpersonal information 21. Geographic location of personal information is asignificant privacy law issue, especially for publicbodies in British Columbia (and service providers topublic bodies) but the concern with geographicallocation of data really boils down to a security issue 22. Public Bodies in B.C.: Section 30.1 of FOIPPA A public body must ensure that personal information inits custody or under its control is stored only in Canadaand accessed only in Canada, [unless a specificexception applies] Breach of s. 30.1 of FOIPPA is an offence Some cloud service providers are aware of thisrequirement and offer cloud services that meet thisrequirement 23. Qubec Private Sector Privacy Legislation If using service provider outside Qubec to store orprocess personal information, must take all reasonablesteps to ensure that the personal information will not beused for purposes not relevant to the object of the file orcommunicated to third persons without consent If cannot be satisfied that the personal information willbe properly protected, must not communicate theinformation outside Qubec (s. 17) 24. What about professionals (e.g., doctors, lawyers,accountants, etc.) and businesses handling highlysensitive personal information (e.g. banks, credit unions,insurance companies)? Ethical and contractual obligations around confidentialitymay also require specialized cloud computing solutions Community Cloud or Private Cloud may work (e.g. LawSociety Cloud for lawyers is being considered) 25. Private Sector - still have obligation under PIPEDA,PIPA, the Qubec Private Sector Privacy Legislation(and, possibly, contractual obligations) to makereasonable security arrangements to protect personalinformation from risks such as unauthorized access,disclosure, destruction, etc. Standard Cloud Computing contracts may not sufficientlyprotect customer/employee personal information Requirement for transparency/notification(customers/employees have a right to know) 26. Security issues: What geographic locations could be involved? Rulesome out or stipulate acceptable jurisdictions Reputation/history of cloud provider What other data will be mingled with your organizationsdata? Concern re: concentration of high-risk data Will your organization be able to access audit logs? 27. How quickly could you be required to produce a copy ofyour organizations records? will your organization beable to meet that timeframe? What obligations does the cloud provider have in theevent of an information security breach? Immediate notification to your organization? Indemnity for any damages and professional fees? 28. What happens if the cloud provider goes bankrupt?backup/escrow might not be sufficient without access tothe application software necessary to decode the storeddata Does the contract provide for a method for yourorganization to audit the cloud providers compliancewith its contractual security obligations? 29. Insurance does your organizations insurancecoverage for information security breaches or data lossapply if your data is in the clouds? 30. Thank You Tamara Hunter Associate Counsel,Head of Privacy Law Group, Vancouvertamara_hunter@davis.ca604.643.2952


View more >