Cloud Computing Conference 2011 - Anthony Wong, ACS
Published in: Education



  • 1. Anthony Wong MACS CP
      • President, Australian Computer Society
      • Chief Executive, AGW Consulting
  • 2. Cloud Computing
      • Potential to transform the way we live, work and interact
      • Shapes the ICT sector and the way enterprises provide and use IT services
      • Helps to level the playing field by minimising up-front investment in technology
      • Changes business agility through “pay-as-you-use” for access to bandwidth and technology functionality
  • 3. Examples of Cloud Computing (Source: NBN Co)
  • 4. Reasons for adopting cloud computing
      • Outsource services to cloud suppliers
      • Ability to up and down scale when required
      • Reduction of internal technical support constraints
      • Outsource technical management
      • Provide more options and flexibility
      • Deployment and adoption of new technologies
      • Access to special expertise
      • Desire to reduce costs
  • 5. Legal framework of Cloud Computing. Cloud computing, as a new sourcing and delivery model, shares many common legal issues with existing delivery models, but poses new legal challenges:
      • Legal compliance issues
      • Service levels and performance
      • Cross-border issues
      • Data protection, rights and usage
      • Privacy and security
      • Termination and transition
  • 6. Legal compliance issues. There is no ‘Law of Cyberspace’ for the Internet; however, in Australia there are a number of specific laws that apply:
      • Electronic Transactions Acts
      • Archives Act, FOI Act
      • Copyright Amendment (Digital Agenda) Act 2000 (Cth) - intellectual property
      • Privacy Act 1988 & Privacy Amendment (Private Sector) Act 2000 (Cth)
      • Cybercrime Act 2001 (Cth)
      • Spam Act 2003
      • Telecommunications (Interception) Act 1979 (Cth)
  • 7. Legal compliance issues. Legal requirements for organisations to consider:
      • Have you reviewed your corporate governance and industry regulation requirements?
      • Are you able to comply with mandatory disclosures and financial reporting?
      • Are there special standards and compliance for your industry?
      • Can you comply with data retention requirements and eDiscovery requests during litigation?
      Burden is on you to understand your compliance obligations
  • 8. Legal compliance issues. Example of regulated industry:
      • Financial services companies must first notify Australian Prudential Regulatory Authority (APRA) of data offshore transfer
      • Financial services companies to demonstrate appropriate risk management and governance procedures where there is potential to compromise:
          • a financial institution’s ability to continue operations and meet core obligations, following a loss of cloud computing services
          • confidentiality and integrity of sensitive (e.g. customer) data/information
          • compliance with legislative and prudential requirements
  • 9. Legal compliance issues. Data and Records Preservation & Retention:
      • Ensure supplier’s data retention and destruction policies comply with your requirements
      • Your requirements depend upon nature of the activities and regulatory environment in which your organisation operates
      • And kinds of documents that your organisation has
      • No single record retention requirements will be the same for each organisation
      • It has been asserted there are over 450 separate Acts of Parliament in Australia that contain provisions dealing with retention of records
      • Courts are not likely to be understanding because your data is in the Cloud
  • 10. Legal compliance issues. What is the process in response to a legal request/search for information? Search and seizure at Data Centre:
      • FBI agents seized multi-tenant server from data centre to gather evidence in an ongoing investigation
      • Unintended consequence of disrupting the continuity of other businesses whose data and information are hosted on the same server
      • *“Since the FBI seized its computer equipment earlier today, Liquid Motors has been unable to operate its business.”
      *Networkworld April 22, 2009
  • 11. Service levels and performance. Some considerations for SLAs:
      • Cloud computing is dependent on the Internet – any disruption will interrupt services
      • Validate cloud services against your objectives and understand how the services are provided
      • Many traditional software licensing and outsourcing contractual considerations come to play
      • Cloud models often rely on multiple third party providers or subcontractors
      • How important are locations of servers? Can the provider change server locations without any notice?
  • 12. Service levels and performance. Factors to consider as a customer:
      • Review the agreement (including standard form) and provider’s terms of service
      • Consider the range of services provided/required against service levels critical to your business
      • Be prepared to drive SLAs up (or down) to meet your needs
      • Ask for performance guarantees (if critical)
      • Include the right to audit provider’s operational and financial viability
      • Check the responsibilities of any sub-providers
      • Ensure that your provider remains legally responsible for obligations, notwithstanding sub-providers
  • 13. Service levels and performance. Most standard agreements trigger a ‘force majeure’ clause that relieves the affected party of its obligations when disaster occurs:
      • Is that acceptable for your requirements?
      • Who is responsible for continuity of service when there are multiple players and integrated transactional systems based in different geographical regions?
      • How long can you function without the contracted cloud services?
      Develop a detailed Business Continuity Plan:
      a) Consider the events most likely to occur in your business
      b) Know which disasters your supplier can cope with
      c) Depending on (b), you might consider a ‘Plan B’
  • 14. Cross-border issues. In a dispute or a conflict situation, which country’s court system will settle the dispute?
      • Location of servers could trigger local laws even in the non-presence of cloud provider or customer in the locality
      • Local laws may override contractual agreements between cloud providers and customers
      • Location of servers may not be apparent from the provider’s terms of service
      • Consider the situation where data may be stored in multiple locations (countries) at the same time
      • When do conflicts of laws occur?
  • 15. Cross-border issues. Data stored in the U.S. is subject to U.S. law, for example:
      • US Patriot Act – US government’s authority extends to compel disclosure of records held by cloud providers
      • Mutual Assistance Treaty between US and Australia allows respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances
  • 16. Cross-border issues. Jurisdiction is dependent on the sovereignty of a government:
      • Concept of jurisdiction evolved in relation to geographical boundaries or territories
      • Premise that each state or country has absolute power to control persons and things located within its boundaries or territories
      Internet challenges these territorially based principles
      The law in regards to jurisdiction in cyberspace is unsettled
  • 17. Cross Border Jurisdiction Issues. Consider Case Scenario:
      • Identifying the location of the offence/breach
      • Identifying the location where the harm resulted (e.g. victim’s location or computer’s location)
      • Deciding which sovereign nation and court should have jurisdiction over the dispute
      (Diagram labels: Server breached & compromised; Customer and User)
  • 18. Cross-border issues. In order for a court to adjudicate in a case, the court must have authority over:
      • the subject matter in dispute (subject matter jurisdiction); and
      • parties before the court (personal jurisdiction)
  • 19. Data protection, rights and usage. It is critical for organisations to understand how their data will be stored, used, managed and protected:
      • Consider issues of ownership of information and intellectual property created using cloud technology
      • Specify and define your “data” (including metadata) and your ownership rights
      • Consider what happens when your supplier “goes belly up”
      • Otherwise, consider making payments to your supplier for the return of data and materials which “you thought you owned”
  • 20. Data protection, rights and usage. Monetisation of Data Assets – is this the new currency of the future? Customer participation and information/data are valuable assets, for example:
      • Recent sale of Skype (400+ million users) for $8.5 billion
      • Doubling of LinkedIn’s (100+ million members) share price
      • Successful business models including Facebook and other social media companies
  • 21. Privacy and security
      Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud
      Management must maintain assurance that the security of the cloud service provider is adequate for their purpose:
      • Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must “take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure”
  • 22. Privacy and security. Regulatory landscape in Australia:
      • Legislation e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth)
      • Equitable and common law duties regarding confidential information
      • State privacy legislation (State laws) and health privacy laws
      • Security and Information Management Standards and Practices
      • Other Codes of Conduct, Industry Standards and Guidelines
  • 23. Privacy and security. Not all types of cloud services raise the same privacy and confidentiality risks:
      • Review your supplier’s security policies and procedures – do they meet your requirements? Evaluate the risks
      • Risks vary with the terms of service and privacy policy established by your provider
      • Can your cloud provider change the terms and policies at will?
      • Do you have to comply with privacy legislation restricting processing and transfer of data offshore?
      • Should your agreement restrict services and data storage to agreed locations?
      • What are the rights of the supplier to operate in other locations?
      • Define the scope of your confidential information – which will vary depending on the nature of your business
  • 24. Trans-Border Data Privacy
      Different levels of data privacy laws worldwide challenge trans-border dataflow across countries
      Lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive
      Privacy Act 1988 National Privacy Principles (NPP) 9 (Transborder Data Flows) regulates transfers of personal information by an organisation to offshore location by permitting such transfers if:
      • the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles
      • the individual consents to the transfer
      • the transfer is necessary for the performance of the contract between the individual and the organisation or for the benefit of the individual
  • 25. Privacy and security. Things to consider:
      • Whose privacy policy will apply at different stages of the data transfer?
      • What security mechanisms are in place to manage data transfers between parties?
      • What are the consequences of security and privacy breaches?
      • How will you know if there is a breach?
      • Is your cloud service provider required to provide assistance in the investigation of security breaches?
      • Is there an audit trail for data?
  • 26. Privacy and security. Privacy Reform:
      • Privacy Act 1988 is being modernised to strengthen Australia’s privacy protection
      • 2008: ALRC report released, For Your Information: Australian Privacy Law and Practice
      • 2009: Government released its position on 197 of the ALRC’s recommendations, including:
          • develop a single set of National Privacy Principles
          • strengthen and clarify the Privacy Commissioner’s powers and functions
      • 2010: exposure draft of the new Privacy Act was released by the Government
  • 27. Termination and transition
      What assistance services do you need to change over to a new provider?
      • Consider the payment required for transition services
      Current architecture of cloud systems and lack of standards may hamper cloud interoperability and transition services
      • Make compatibility and interoperability an issue
      Seek clarity on limitations of liability in contracts
      • Including exclusions of indirect, special and consequential loss and direct losses
      • And disclaimers and warranties
  • 28. Conclusion
      • There is no one size fits all for cloud computing - laws are unsettled
      • Not all cloud services are created equal and not all cloud services should be subject to the same terms
      • Few legal precedents regarding liability in the cloud
      • Undertake due diligence as you need to fully understand the risks associated with cloud computing and adopt a risk-mitigation approach to cloud adoption
      • Service agreements need to specify those areas the cloud provider is responsible for
      • Read the fine print of the cloud computing agreement carefully
      • Specify locations for data storage and processing - know the governing law of the cloud computing agreement
  • 29. Conclusion
      • Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and sophistication are likely to grow
      • You need to clarify with your cloud service provider matters pertaining to ownership of data stored at your provider’s facilities and responsibilities in relation to security and service availability
      • Cloud computing industry needs to adopt more transparent and clearer policies and practices, so users are better able to gauge their risk comfort level
      • For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate
  • 30. Thank You
      “A global approach is the only way to deal with the Internet”
      Francis Gurry, Head of the World Intellectual Property Organisation (WIPO)
      Source: “IPs new role in the knowledge economy”, Asia Today International, April/May 2011
      and so for Cloud Computing…
      This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only ones worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views in this presentation are those of the author and not of the ACS.